CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

Recently while installing a SSL certificate on IIS 7.0 I got this error message

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I could not complete the certificate request via IIS manager.

But strangely after this error the certificate was placed in the Other People certificate store.

Only certificates that are stored in the Local Computer store can be used in IIS.



To restore the certificate to the Local Computer store you can load the two Certificates MMC (Local Computer & Local User). Drag it out of the Other People store and drop it under the Local Computer > Personal > Certificates.

But if you double click the certificate you will see that the private key is missing. Without a private key the certificate is worthless as even if you configure it on your website in IIS you will end up getting Page Cannot Be Displayed.

Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate.

certutil –repairstore my “00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f”

The sequence in the quotes is the thumbprint of the SSL certificate.


This should restore the private key for that certificate. You should see a “You have a private key that corresponds to this certificate” message when you open it .

Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings settings.

Bookmark and Share

Comments (26)

  1. Joseph King says:

    This was amazingly helpful. I had this exact issue, and nowhere was there help to be found – not Verisign, not Microsoft.

    This post had me up and running in about 30 seconds.

  2. Sean Smith says:

    Man, you totally saved my bacon. I was going back and forth with the hosting company, the cert issuer, web searches. All bore no fruit, until I found this post. Very very well done sir!

  3. DarK says:

    WOW!  Great article.  Like the other posters I had the SSL problem and was up and running following this exactly.  Thanks A LOT man!! =]

  4. Kulbinder says:

    Following your post fixed the problem in 2 minutes after I wasted 2 hours with certificate and the issuer.

    Thank You, Thank You, Thank You!!!

  5. Eric E says:

    I hope I can repay the favor some day, because you just saved my butt!  Seriously, I’ve been at this for two days and couldn’t find anything out there to help me.  You’re awesome!  THANK YOU!!!

  6. We’ve seen a few instances of the following error message on 64 bit servers when IIS 7.0 is attempting

  7. Christiaan Westerbeek says:

    Also with me this helped. If you have the same error? Try this solution out.

  8. Scott says:

    I have no "other people" folder.  Suggestions?

  9. Volker Dose says:

    Great! I was nearly desperate, because I had never had problems with ssl-certificates on different Linux- and IIS6-Webservers.

    Thank you very much for this article!

    Kind regards,


  10. Dave says:

    This is a very odd error you discovered. Your work-around likely saved me hours. There is a special place in the after-life for people like you.

  11. I have no "other people" folder. What do I do?




  12. shamaila says:

    how do i get to the screen shown?

  13. Paul F says:

    Good job Buddy really saved my neck.

    Works like a charm !!!


  14. Tyler says:

    You saved me on this.  GoDaddy was no help at all.  Thanks.  

  15. Shareel says:

    Thanks Vijay ,

    Very userful information for fixing certificate for unpaired priovate key.

  16. Arno says:


    To load the two Certificates MMC (Local Computer & Local User), this is helpful:


    just drag and drop the certificate to Local Computer > Personal > Certificates. Run the repair with your own thumbprint, and ready in 30 seconds!!

  17. Beball says:

    Great article, very helpful. Thanks.

  18. Tom says:

    It would have been a great time saver if OP would have posted how to get to the console screen or that the snap in is not installed by default!@!!@!@  Thank so much to Arno for posting the link on how to do this and install the snap in.  

  19. Theunis says:

    This worked great. I instead skipped the step of trying through IIS, since it always fails on me, so I just import the SSL into the local computer personal certificates folder, and run the script to repair based on the thumb print.

    One less step, just as effective.

    Thanks again,


  20. NK says:

    Thanks NK,

    very useful tip, you are a lifesaver.

  21. bnlf says:

    3 years and still a working solution 🙂


  22. Ryan Lowdermilk says:

    THIS. SAVED. MY. BIG. TIME!!! Thanks! 🙂

  23. Sandeep says:

    Saved my hide !

    Great job – thanks a ton !

  24. RIck says:

    I get a "Insert smart card"? What now?

Skip to main content