CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b
27 Sep 2013 16:10

Error message when IIS 7.0 is attempting to process a pending certificate request.

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I could not complete the certificate request via IIS manager.

This error seems to mean that the private key (created when the certificate request was made) does not match the public key (the .crt file). The keypair is not successfully joined into a working SSL certificate. If you double click the certificate you will see that the private key is missing. Without a private key the certificate is worthless as even if you configure it on your website in IIS you will end up getting Page Cannot Be Displayed.

Løsning #1

Begin by importing the .crt file into the Personal certificate store for the local computer. (Start button > Run: MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish > Click OK > drill into Personal > Certificates > right-click and select All Tasks > select Import > guide to the .crt file.) At this point your certificate is basically a half-certificate. It is still missing its private key.

Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint. In the lower pane, block and copy all the letters of the thumbprint. Paste the thumbprint characters into notepad. Open the command prompt and run this command:

Certutil /?

The command you’ll want to run is:
certutil -repairstore my "{insert all of the thumbprint characters here}"
e.g certutil -repairstore my "1234567890abcdef1234567890abcdef12345678"

When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard. The certificate should show up in the IIS Manager’s list of server certificates at this point. It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate.

Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings settings.

Løsning #2

Reutsted sertifikatet med en ny CSR-fil.

© 2021 Commfides Norge AS
Postboks 405, 1327 Lysaker
Fornebuveien 1, 1366 Lysaker
Telefon +47 21 55 62 60