Lantranet [dot] com

bloggin' like a Professional

HowToFix: Complete Certification Request with a broken Private Key Link at IIS7

Posted by Administrator on 15 August 2012

If you request or renew a certificate in IIS7, the following error pops up:

Complete Certification Request
There was an error while performing this operation

CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN:276)


Microsoft KB article statement on the known issue:
Note: There is a known issue in IIS 7 giving the following error: "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." You may also receive a message stating "ASN1 bad tag value met". If this is the same server that you generated the CSR on then, in most cases, the certificate is actually installed. Simply cancel the dialog and press "F5" to refresh the list of server certificates. If the new certificate is now in the list, you can continue with the next step. If it is not in the list, you will need to reissue your certificate using a new CSR.

After creating a new CSR, login to your account where you have ordered your Certificate and click the re-key button for your certificate. => haha


==> At this point you have no way to export the private key of the certificate, because the option is greyed out in the MMC console, and there is no way to do it via the IIS console either 🙂

==> Without the certificate's private key, it is also not possible to renew, for example, the wildcard certificate on TMG/ISA.


If there is little time left because the old certificate is valid for only a few more days, you do not want to risk the waiting time that requesting a new certificate may involve.
The problem is the "broken private key assignment" between the RSA Cryptographic Provider container and the previously created CSR.
We fix this problem ourselves:

1.) Open the imported certificate in the certificate MMC => Local Computer \ Personal ("My") certificate store and copy the serial number (e.g.: 00ff1d744647ad0709f4c13fd9c999ffc2)
2.) Open a CMD with administrative privileges and run: certutil -repairstore my 00ff1d744647ad0709f4c13fd9c999ffc2
3.) It lists some details of the certificate, and if the command was successful, it returns something like:

Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully

4.) Switch back to the certificate MMC and, et voilà, the key symbol appears on the certificate
(the private key assignment has been repaired, and we have our certificate back with the right private key assigned)
5.) Now you can export the certificate in the normal way and complete the open CSR request.

If you get stuck at step 3.), you are out of luck: the only remaining options are to re-key your certificate or simply create a new CSR.
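
Steps 1.) to 4.) as a script, added here as an example and not part of the original post: it looks up the certificate by serial number, runs the same certutil command, and confirms the key link from the store instead of from the MMC icon. The default serial number is the example value from the post; the function name Find-Cert is made up for this sketch.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
param(
    # Example serial number from the post; replace with the one from your certificate.
    [string]$Serial = '00ff1d744647ad0709f4c13fd9c999ffc2'
)

# Strip spaces and any non-hex characters picked up when copying from the certificate dialog.
$wanted = ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Hypothetical helper: find the certificate in Local Computer \ Personal by serial number.
# Leading zeros are ignored on both sides so "00FF..." and "FF..." match.
function Find-Cert([string]$serialHex) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.SerialNumber.TrimStart('0') -eq $serialHex.TrimStart('0')
    }
}

$found = @(Find-Cert $wanted)
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with serial $wanted in LocalMachine\My, found $($found.Count)."
}

$cert = $found[0]
"{0}  expires {1:u}  HasPrivateKey={2}" -f $cert.Subject, $cert.NotAfter, $cert.HasPrivateKey

if ($cert.HasPrivateKey) {
    'Private key is already linked; nothing to repair.'
    return
}

# Step 2.): re-associate the certificate with its key container.
& certutil.exe -repairstore my $wanted
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed (exit code $LASTEXITCODE); re-key the certificate or create a new CSR."
}

# Step 4.): re-read the store and verify the link before planning the export.
$cert = @(Find-Cert $wanted)[0]
if (-not $cert.HasPrivateKey) {
    throw 'certutil reported success, but the certificate still has no private key.'
}
'Private key link repaired; the certificate can now be exported with its key.'
```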
