Certificate Errors

Error: ASN1 bad tag value met

One error message you may see says:

Complete Certificate Request
There was an error while performing this operation.
Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

Additional error messages might also say:

Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created. "ASN1 bad tag value met"

Depending on your situation, one of these methods can work. Method 1 should always work because re-keying restarts the whole process of getting an SSL certificate.

Method 1 Re-key the certificate from the SSL certificate provider

Not all SSL certificate providers allow you to re-key certificates, and others will charge you a fee. This is the most effective way to fix the error. If you cannot re-key a certificate, it can be replaced instead.

  1. Generate a new CSR via the IIS MMC
  2. Re-key your certificate via your provider's certificate download page.
  3. Download the new certificate and the intermediate 3rd party certificate if they give you one
  4. Install the provider’s certificate first then your own certificate

Check to see that it's installed

  1. Open a blank MMC window
    1. Windows+R and type MMC in the run dialog box
  2. Click File
  3. Click Add/Remove Snap-in
  4. Add the Certificate snap-in for the first time
    1. Select “Computer account”, click Next
    2. Select “Local Computer”, click Finish
  5. Add the Certificate snap-in a second time
    1. Select “My User Account”, click Finish
  6. Click OK/Finish until you're back to the MMC
  7. Find your re-keyed certificate in the Personal folder of the local computer account

If you find the certificate in your Current User certificate store, you will need to export it from there with the private key and then import it through the Local Computer certificate store. If that fails, move to Method 2.

Method 2 Move to the correct certificate storage

If the import was placed in the local user certificate storage or another user's storage, you can use this method to move it.

This Doesn’t Always Work.  If it fails you will need to re-key or replace the certificate.

  1. Open a blank MMC window
  2. Add the Certificate snap-in for both the local user account and the local computer account
  3. Find the “Other People” store in Local User and find your certificate
  4. Move it to the Local Computer’s Personal Certificate folder
  5. Open it up; the main tab will not have the “You have a private key that corresponds to this certificate” message
  6. Switch to the details tab and copy the thumbprint property
  7. Open a Command Window with Admin Rights
  8. Type in certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f" but replace the "00…" with the thumbprint ID of your certificate. Type the hyphen and the straight quotes by hand; a pasted en dash or curly quote will make the command fail.
  9. Close and reopen the properties
  10. The certificate should now say “You have a private key that corresponds to this certificate”

If it still complains about the private key, you will need to re-order or re-key your certificate.

If you have a backup copy of the unsigned private key, you can manually import the backup and try Method 3.

Method 3 Manually match the public and private keys

If the import fails to match the private key after the public key was signed, you can import the signed public half of the certificate into the Local Computer Personal store.

This Doesn’t Always Work.  If it fails you will need to re-key or replace the certificate.

  1. Open an elevated (admin-level) command prompt
  2. Open a blank MMC window
    1. Press Windows+R and type MMC in the Run dialog box
  3. Add the Certificate snap-in for the Local Computer account
  4. Open the personal store folder and select import
  5. Select the CRT file sent by the SSL provider.
    1. If the provider sent a different file, like the CER file, this will not work most of the time. Some providers mix up the file extensions.
  6. Open up the properties on the newly imported signed cert. The main tab will not have the “You have a private key that corresponds to this certificate” message
  7. Switch to the details tab and copy the thumbprint property
  8. In the Command Window with Admin Rights
    1. Type in certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f" but replace the "00…" with your thumbprint ID
  9. Close and reopen the properties
  10. The certificate should now say “You have a private key that corresponds to this certificate”

If it still complains about the private key, you will need to re-order or re-key your certificate and use Method 1.
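
The store check and the certutil -repairstore step from Methods 2 and 3 can also be done from PowerShell instead of the MMC. The script below is an added example, not part of the original article; its parameter names are assumptions, and Cert:\CurrentUser\AddressBook is the internal name of the “Other People” store.

```powershell
# Added example (not from the original article).
# Finds a certificate by thumbprint, reports which store it is in and whether
# Windows has a private key associated with it, and optionally runs the
# certutil -repairstore step. -Thumbprint and -Repair are names chosen here.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [switch] $Repair
)

# A thumbprint copied from the Details tab contains spaces and can carry
# invisible characters, so keep only the hex digits.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($tp.Length -ne 40) {
    throw "Expected 40 hex digits (SHA-1 thumbprint), got $($tp.Length)."
}

# Local Computer > Personal, Current User > Personal, Current User > Other People
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\AddressBook'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $tp } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, HasPrivateKey
}

if (-not $found) {
    Write-Warning "No certificate with thumbprint $tp in the checked stores."
    return
}
$found | Format-Table -AutoSize | Out-Host

$machine = $found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' }
if (-not $machine) {
    Write-Warning 'Not in Local Computer > Personal. Move or re-import it there first.'
} elseif ($machine.HasPrivateKey) {
    'A private key is already associated with this certificate.'
} elseif ($Repair) {
    # Same command as step 8; needs an elevated prompt.
    certutil -repairstore my $tp
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'certutil could not match a private key. Re-key or replace the certificate (Method 1).'
    } else {
        "HasPrivateKey is now: $((Get-Item "Cert:\LocalMachine\My\$tp").HasPrivateKey)"
    }
} else {
    'No private key associated. Re-run with -Repair from an elevated prompt.'
}
```

Run it without -Repair first to see where the certificate landed; HasPrivateKey reflects the same state as the “You have a private key that corresponds to this certificate” line in the certificate properties.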
