Error: ASN1 bad tag value met. 0x8009310b(ASN: 267) when installing a VeriSign SSL certificate using IIS 7 server RRS feed

  • Question

  • User-1286092494 posted

    Hello... Is anyone seen this error when attempting to install a VeriSign chain certificate using IIS 7 server?

     CertEnroll:CX509Enrolment:p_InstallResponse: ASN1 bad tag value met. 0x8009310b(ASN: 267)

     I have search the internet to no avail... Any help is greatly appreciated.

     Thank you




    Friday, July 11, 2008 3:25 PM


All replies

  • User113421904 posted


    I did see one post before that this error is related to permissions of certificate store. Are you running from administrative accounts, make sure you have enough permissions during the installing of certificates.

    Tuesday, July 15, 2008 12:07 PM
  • User-1286092494 posted

    Thanks Zhao. I was wondering if you guys have any kind of knowledge base article that talks about this error within IIS 7 during an SSL certificate install?  It would be great if there is one.

     We would like to put this information in our knowledge base to better assist our customers at VeriSign.

     Thank you for your support.


    Jason R.


    Tuesday, July 15, 2008 4:04 PM
  • User113421904 posted

    Hi Jason,

    I did see one http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1348224&SiteID=1, perhaps it helps. 

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, July 16, 2008 8:03 AM
  • User1810624584 posted

    I leave this behind for anyone else searching for an answer to this question.  NOTE: I am not using a VeriSign certificate, so this is not directly pertinent to the original question.  I leave it behind because the error message is the same and hits on the search engines.

    I leave the message with double colons here so that search will pick it up more readily.

    CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x08009310b (ASN: 267)

    I requested a certificate from an IIS 7.0 Web Server.  I used the request to create a certificate within our internal CA and generate a .cer file.  When I went to install the .cer file in the web server, I got hit with this error message.  It didn't take too much digging to find a hint that perhaps the CA was not trusted by the Web Server.  I added the internal CA chain to the Web Server and this got me past the message.  Just to be sure, I removed the root certificate from the Trusted Root Certification Authorities folder and tried again - I got the error again.  This is a verified cause.  Certainly this may not be the only cause.  I sure wish the error message were better.

    Thursday, October 9, 2008 2:02 PM
  • User351018772 posted

     I've had the same issue, below is my information...

    • Windows 2008 Web Server 64-bit Edition
    • IIS7
    • SQL 2005 Express
    • Network Solutions Basic SSL certificate

    Each time I try to complete the certificate request I get the following error...

    CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

    I should also mention that I have already added the 3 other certificates provided by NetworkSolutions under the Certificates snap-in. When I open up IIS I do not see my certificate request listed however IIS knows that it's there so I'm not sure if I should see it listed or not. Under "Certificates -> Certificate Enrollment Requests -> Certificates" I can see the pending request. Up until a few minutes ago I had several listed there and have since cleared/deleted them out and re-requested the certificate from NetworkSolutions although I don't have any faith this will work. There were several from past failed attempts. Should I be able to see the certificate request in IIS7 after creating the initial request before it's completed? My server doesn't do much other than host a few websites and run SQL 2005 Express. I know some have said something about SQL but I can't imagine what that has to do with my situation since I simply want to add an SSL certificate to IIS7 to run a single website with SSL encryption.

    Is it just me or should this not be ridiculously simple to accomplish and yet it's been the single most frustrating thing I had to do in a great long while. NetworkSolutions doesn't have any answers, Microsoft wants to charge me an arm and leg just to say "Hi", and I'm losing my patience with the whole thing since it should literally take less than 5 minutes to complete a simple certificate request.

    Does anyone out there have a solution to this problem because I'm Googled out...

    Thanks in advance for any support provided,


    Thursday, October 23, 2008 2:44 PM
  • User882081861 posted

    I'd recommend contacting the certification authority and asking them what their preferred way is to abandon the problematic keypair and how to best make a totally new CSR.

    Thursday, December 18, 2008 2:00 PM
  • User882081861 posted

    Here are two relevant links with different approaches:

    https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p><o:p></o:p><o:p> </o:p><o:p> </o:p><o:p>and</o:p><o:p></o:p><o:p> </o:p>http://blogs.msdn.com/vijaysk/archive/2008/11/25/certenroll-cx509enrollment-p-installresponse-asn1-bad-tag-value-met-0x8009310b.aspx<o:p></o:p>


    Wednesday, December 31, 2008 7:18 PM
  • User56899015 posted
    This happened to me because I screwed up.

    Heres what I did:

    I created a certificate request and sent it to the CA. I got the new cert and installed it.

    Here's where I went wrong:

    I mis-typed the friendly name during the cert install and stupidly deleted the cert via IIS manager.

    How I fixed it:

    Take the initial certificate request file (sent to CA) and rename it with a .cer extension.
    Open the certificate management snap in.
    Right click on "Certificate Enrollment Requests" and import the certificate signing request file.
    Go back to IIS Manager and import the certificate that the CA sent back in response to your initial request.

    Basically, you must have an unfulfilled certificate request corresponding to the certificate provided by your CA before "complete certificate request" is successful.

    Tuesday, December 20, 2011 6:27 PM
  • User1063753466 posted
    greg88 - I just created this forum account to tell you that you are a genius. Your solution totally worked for me.
    Tuesday, January 10, 2012 8:36 PM
  • User1180450644 posted
    Gregg88 - Saved my butt too - thanks!
    Monday, July 23, 2012 1:02 AM
  • User418653656 posted

    I got the same error, through a mistake on my part, but the solution did not work for me.


    I was using a GoDaddy cert, which had an intermediate certificate.  I followed the instructions to import the GoDaddy intermediate cert into the "Certificates (Local Computer)/Intermediate Certification Authority/Certificates store.

    Turns out, I apparently double clicked on the actual web site cert, which happily went in the store.

    I think went to IIS which gave me the OP's error.

    Drove me nuts, until I found the web cert in the Intermediate Certification Authority.  lol.

    So, the fix for me was to export and delete the web site cert, import the proper intermediate cert, and then import the cert like normal into the "Certificates (Local Computer)/Personal/Certificates store.

    Now, oddly, IIS still thinks there is a cert request outstanding.  I'm assuming I can just ignore this, as I already have the cert loaded.

    == John ==

    Monday, May 20, 2013 2:11 PM
  • User-1938893238 posted

    "I mis-typed the friendly name during the cert install"

    What does that mean? What defines a mis-typing of the friendly name?... 

    I need to know to understand if I did the same "mistake".


    Monday, May 27, 2013 11:32 AM
  • User1903832623 posted

    @greg88: Dude, u are super genious!

    Just a note:

    Take the initial certificate request file (sent to CA) and rename it with a .cer extension.

    i couldn't import the Certificate Request File renamed as .cer, because the certificate snap-in was nagging about invalid operation. So i just tried to import in the Certificate Enrollment Requests the certificate itself... and BANG! it worked like a charm! 

    You made my day ;)

    Wednesday, December 4, 2013 12:16 PM