Ask a Question

Advanced Search

Solution ID : SO15889

Last Modified : 05/02/2018

Error: ASNI1 bad tag value met. 0X80009310b (ASN:267) during SSL installation in Microsoft IIS 7.0


Error occurs while trying to install a certificate via Internet Information Services 7 :
CertEnroll::CX509ENrollment::p_InstallResponse:: ASNI1 bad tag value met. 0X80009310b (ASN:267)


This error occurs because the certificate that you are trying to install, cannot be joined with its corresponding private key.
The error can also occur because the private key has been compromised or deleted from the server.


To resolve this error, perform the following steps:
Despite the error, be sure to check the certificate using the MMC as it may have installed correctly. 
  1. Create a MMC Snap-in
  2. Go to the personal certificates folder, and if you locate your certificate there, double-click it and verify that it has the following message: 

    "You have a private key that corresponds to this certificate"

    If you do, you can simply setup the bindings to your site to complete the installation.  If the private key message is not displaying on the certificate, please continue with this document to install the certificate.
Scenario A: The error is received, however the certificate is installed:
If the certificate is displaying the private key message when viewed in the MMC, the bindings must be configured so that the new certificate is installed to the site. This can be completed with following thse steps:
  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
  2. Browse to your [Server name] > Sites > [Site name]
  3. From the Actions pane, choose Bindings
  4. In the Site Bindings window, choose Add
  5. From the Add Site Bindings window, provide the binding type (https)
  6. Select the SSL certificate that will be used for this site
  7. Click OK
Scenario B: The error is received, the certificate installs to the "Other People" folder.
Sometimes when this error is received, the certificate gets installed into the Other People folder on the server, under the Current User account.
  1. To restore the certificate to the Local Computer store  (where it should be in order to assign it to your site), you can expand the Local Computer & Local User nodes. Drag the certificate from Other People store and drop it under the Local Computer > Personal > Certificates

  2. Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate.  Double-click the certificate in the Personal folder and from the Details tab select Thumbprint.  Copy the full Thumbprint for use in the command below.

    Add the Thumbprint value to the command below and execure it in a Command Prompt with Administrator rights.

    certutil –repairstore my “[thumbprint]”

    This should restore the private key for that certificate. You should see a “You have a private key that corresponds to this certificate” message when you double click on the certificate now after closing and re-opening the snap-in in the MMC console (Local Computer).
  3. Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings as illustrated in Scenario A.
If the certutil command fails the certificate can not be installed.  Please use the steps below to generate a new CSR and Reaplce the certificate.  The new version of the certificate should install as normal.
  1. Create a new CSR
  2. Replace the certificate
  3. Install the new version of the certificate