Error: ASNI1 bad tag value met. 0X80009310b (ASN:267) during SSL installation in Microsoft IIS 7.0

Solution ID:    SO15889
Version:    2.0
Published:    06/19/2008
Updated:    09/09/2010

Problem

Error occurs while trying to install a certificate via Internet Information Services 7 :
 
CertEnroll::CX509ENrollment::p_InstallResponse:: ASNI1 bad tag value met. 0X80009310b (ASN:267)

Cause

This error occurs because the certificate that you are trying to install, cannot be joined with its corresponding private key.
The error can also occur because the private key has been compromised or deleted from the server.
 

Solution

To resolve this error, perform the following steps:
 
Note: It is important that you first check that the certificate did not install fine despite the error.
 
To do this, create a MMC Snap-in as per the instructions on the following solution: SO14292
Go to the personal certificates folder, and if you locate your certificate there, double-click it and verify that it has the following message:  "You have a private key that corresponds to this certificate"
 
If you do, you can simply setup the bindings to your site, as per the steps on the following solution: SO10517
 
Most times when this error is received, the private key is still present on the server, but cannot be joined with the certificate. In this instance, perform the following steps to get the issue resolved:
 
Scenario A:
The error is received, but the certificate still gets installed successfully:
 
When this happens, all that needs to be done, is for the bindings to be configured so that the new certificate is installed to the site. This can be done by following thse steps:
 
1.  Click Start > Administrative Tools > Internet Information Services (IIS) Manager
2.  Browse to your server name > Sites > Your SSL-based site
3.  From the Actions pane, choose Bindings
4.  In the Site Bindings window, choose Add
5.  From the Add Site Bindings window, provide the binding type (https)
6.  Select the SSL certificate that will be used for this site
7.  Click OK
 
 
Scenario B:
The error is received, the certificate installs to the "Other People" folder.
 
Sometimes when this error is received, the certificate gets installed into the Other People folder on the server, under the Current User account.
This can be accessed via the MMC. Review the picture below:
 
 
 
To restore the certificate to the Local Computer store  (where it should be in order to assign it to your site), you can load the two Certificates MMC (Local Computer & Local User). Drag it out of the Other People store and drop it under the Local Computer > Personal > Certificates
 
However, if you double click the certificate you will see that the private key is missing. Without a private key the certificate will not work even if you configure it on your website in IIS you will end up getting Page Cannot Be Displayed. 
 
Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate:
 
certutil –repairstore my “insert your thumbprint here”
 
The picture below will illustrate where you can acquire the Thumbprint:
 
 
 
This should restore the private key for that certificate. You should see a “You have a private key that corresponds to this certificate” message when you double click on the certificate now after closing and re-opening the snapin in the MMC console (Local Computer).
 
Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings as illustrated in Scenario A.
 
 
If the steps above do not work, it means that the private key is corrupt or has been deleted, and your certificate needs to be reissued. To reissue the certificate follow the instructions below:
 
1. To create a new CSR see solution SO10516
 
2. To revoke and replace (reissue) the certificate see solution SO5757
 
3. To install the certificate see solution SO10517

 

Disclaimer:

RapidSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, RapidSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. RapidSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.  Further, RapidSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. RapidSSL reserves the right to make changes to any information herein without further notice.

Contact Support

US Support:

Order Processing

Technical Support

European Support:

Order Processing

Technical Support

SSL digital certificates sales live chat.

Knowledge Center


Search Tips