Error: ASNI1 bad tag value met. 0X80009310b (ASN:267) during SSL installation in Microsoft IIS 7.0
Error occurs while trying to install a certificate via Internet Information Services 7 :
CertEnroll::CX509ENrollment::p_InstallResponse:: ASNI1 bad tag value met. 0X80009310b (ASN:267)
This error occurs because the certificate that you are trying to install, cannot be joined with its corresponding private key.
The error can also occur because the private key has been compromised or deleted from the server.
To resolve this error, perform the following steps:
Despite the error, be sure to check the certificate using the MMC as it may have installed correctly.
- Create a MMC Snap-in
- Go to the personal certificates folder, and if you locate your certificate there, double-click it and verify that it has the following message:
"You have a private key that corresponds to this certificate"
If you do, you can simply setup the bindings to your site to complete the installation. If the private key message is not displaying on the certificate, please continue with this document to install the certificate.
Scenario A: The error is received, however the certificate is installed:
If the certificate is displaying the private key message when viewed in the MMC, the bindings must be configured so that the new certificate is installed to the site. This can be completed with following thse steps:
- Click Start > Administrative Tools > Internet Information Services (IIS) Manager
- Browse to your [Server name] > Sites > [Site name]
- From the Actions pane, choose Bindings
- In the Site Bindings window, choose Add
- From the Add Site Bindings window, provide the binding type (https)
- Select the SSL certificate that will be used for this site
- Click OK
Scenario B: The error is received, the certificate installs to the "Other People" folder.
Sometimes when this error is received, the certificate gets installed into the Other People folder on the server, under the Current User account.
- To restore the certificate to the Local Computer store (where it should be in order to assign it to your site), you can expand the Local Computer & Local User nodes. Drag the certificate from Other People store and drop it under the Local Computer > Personal > Certificates
- Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate. Double-click the certificate in the Personal folder and from the Details tab select Thumbprint. Copy the full Thumbprint for use in the command below.
Add the Thumbprint value to the command below and execure it in a Command Prompt with Administrator rights.
certutil –repairstore my “[thumbprint]”
This should restore the private key for that certificate. You should see a “You have a private key that corresponds to this certificate” message when you double click on the certificate now after closing and re-opening the snap-in in the MMC console (Local Computer).
- Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings as illustrated in Scenario A.
If the certutil command fails the certificate can not be installed. Please use the steps below to generate a new CSR and Reaplce the certificate. The new version of the certificate should install as normal.
RapidSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, RapidSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. RapidSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, RapidSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. RapidSSL reserves the right to make changes to any information herein without further notice.