The server displays an error when installing the certificate

What error message is shown?

While installing the certificate on IIS 7 the following error could appear:

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

The cause is that the certificate has been installed in the incorrect Certificate Store. It could happen that IIS automatically places the certificate in the Other People Certificate folder of the Current User account. Only certificates placed in the Local Computer store can be used by IIS. You can solve this by moving the certificate to this location.

The following notification could aapear in the logs:

'A fatal error occurred when attempting to access the SSL server credential private key.The error code returned from the cryptographic module is 0x80090016.'

This can be solved by setting the correct privileges to the key file. X509_check_private_key:key values mismatch

This notification relates to the new certificate not matching with the used private key. Probably the new key was not mentioned in the configuration. There are several solutions.

Exchange 2007 shows the error message "PrivateKeyMissing" when executing "Enable-ExchangeCertificate"

Exchange 2007 shows the error message: Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing). At line:1 char:27 + Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services "IIS"

This error may occur when the Certificate Store got corrupted; it is common on Exchange 2007 this error will occur without any reason. The problem can be circumvented by recovering the Certificate Store. After recovery this error should no longer occur.

IIS / Exchange 2003 shows the error message: "The Private Key can not be found" or "Pending request not found"

This error can be solved by re-pairing the Private Key manually to the certificate. The following manual describes the procedure for: Pairing an existing private key to a new certificate

Exchange 2007 shows the error message "Cannot import as there is already a certificate with thumbprint ..."

When installing a new certificate on Exchange 2007, the Exchange Management Console could return the error that importing is not posible since there is a different certificate installed with the same thumbprint. This error may occur when the Certificate Store got corrupted; it is common on Exchange 2007 this error will occur without any reason. The problem can be circumvented by recovering the Certificate Store. After recovery this issue should no longer occur. This problem can be solved by following this manual.

Windows shows the error message "this file is invalid for use as the following: Security Certificate"

This message will be shown when trying to open a certificate file, while Windows does not recognize the filetype. This problem can be solved by renaming the .cer file-extension to .p7b.

Apache returns Private key mismatch error "X509_check_private_key:key values mismatch"

This error is shown in the logs and active shell when the private key and the received SSL certificate do not match. When the required private key cannot be found, you should create a new private key and CSR with OpenSSL. The resulting CSR can be used to request a reissue of your certificate.

Installing SSLdiag

Many SSL related problems on IIS & Exchange can be identified by using SSL Diagnostics. You can download SSL Diagnostics here. By running the application an overview of the SSL related settings will be created. The results will often show what causes the problem(s).

Checking Logfiles

Apache normally keeps detailed log files; here you should be able to see messages that might lead to the source of the issue. The logfiles can normally be found in /var/log/httpd/or var/log/apache2/; depending on the type of Host OS. The Apache webserver website has a list with the most common error messages.

Other solutions

When the shown error cannot be found here, we suggest that you have a look at our knowledgebase; here you can find answers to to most common issues. When the solution cannot be found in our knowledgebase either, you could select (a part off) the error, and search on that on Google. You are likely to see more people mentioning the same problem, with possible solutions.

Contact us

Couldn't fix the problem yourself? We're happy to help via support@xolphin.com. Please describe your problem as detailed as possible, with all relevant information like: software versions, the SSLDiag output, screenshots and logs. We'll get back to you as soon as possible.