%3CLINGO-SUB%20id%3D%22lingo-sub-287847%22%20slang%3D%22en-US%22%3EA%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key%3A%200x8009030d%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287847%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Apr%2028%2C%202017%20%3C%2FSTRONG%3E%3CBR%20%2F%3ERecently%2C%20I%20have%20assisted%20a%20Premier%20customer%20who%20installed%20a%20new%20certificate%20on%20Windows%20Server%202008%20R2%20but%20was%20unable%20to%20bind%20the%20certificate%20to%20the%20Website%20hosted%20on%20IIS.%207.5.%20This%20is%20the%20error%20we%20were%20getting%3A%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3CB%3E%3CI%3EA%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key.%20The%20error%20code%20returned%20from%20the%20cryptographic%20module%20is%200x8009030d.%20The%20internal%20error%20state%20is%2010001%20%3C%2FI%3E%3C%2FB%3E%3CBR%20%2F%3E%3CBR%20%2F%3ELog%20Name%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20System%20%3CBR%20%2F%3ESource%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Schannel%20%3CBR%20%2F%3EDate%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%207%2F2%2F2016%209%3A52%3A25%20AM%20%3CBR%20%2F%3EEvent%20ID%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2036870%20%3CBR%20%2F%3ETask%20Category%3A%20None%20%3CBR%20%2F%3ELevel%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Error%20%3CBR%20%2F%3EKeywords%3A%20%3CBR%20%2F%3EUser%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SYSTEM%20%3CBR%20%2F%3EComputer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20MyComp.Mydomain.com%20%3CBR%20%2F%3EDescription%3A%20%3CEM%3EA%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key.%20The%20error%20code%20returned%20from%20the%20cryptographic%20module%20is%200x8009030D.%20The%20internal%20error%20state%20is%2010001.%20%3C%2FEM%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20The%20error%20indicates%20that%20IIS%20is%20not%20able%20to%20access%20the%20certificate's%20private%20key.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Steps%26nbsp%3Bwe%20took%20to%26nbsp%3Bfix%20the%20issue%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EResolution%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EContact%20your%20certificate%20vendor%20for%20a%20certificate%20with%20private%20key.%20Import%20the%20cert%20and%20do%20the%20binding%20in%20IIS.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ETemporary%20Workaround%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EAssuming%20this%20is%20a%20valid%20certificate%2C%20verify%20that%20the%20certificate%20includes%20a%20private%20key.%20Double%20clicking%20the%20certificate%20in%20certificate%20manager%20(Certificate%20store)%20should%20say%20%22You%20have%20a%20private%20key%20that%20corresponds%20to%20this%20certificate%22%3A%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60052iCC2486F05ADE2490%22%20%2F%3E%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2017%2F04%2FUntitled.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2017%2F04%2FUntitled.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc754329(v%3Dws.11).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EExport%20certificate%20%3C%2FA%3Ewith%20its%20private%20key%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60053i16304CA54041D84F%22%20%2F%3E%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2017%2F04%2FCapture2.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ENow%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc754489(v%3Dws.11).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ere-imported%20%3C%2FA%3Eusing%20the%20%22Mark%20the%20private%20key%20exportable%22.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60054i49A7BCAB85E1772A%22%20%2F%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ENow%20do%20the%20binding%20in%20IIS.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-287847%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Apr%2028%2C%202017%20Recently%2C%20I%20have%20assisted%20a%20Premier%20customer%20who%20installed%20a%20new%20certificate%20on%20Windows%20Server%202008%20R2%20but%20was%20unable%20to%20bind%20the%20certificate%20to%20the%20Website%20hosted%20on%20IIS.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-287847%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecertificate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehttp%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIIS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eschannel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESSL%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etls%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWeb%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1505520%22%20slang%3D%22en-US%22%3ERe%3A%20A%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key%3A%200x800903%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1505520%22%20slang%3D%22en-US%22%3E%3CP%3EI%20know%20it's%20been%20a%20couple%20of%20years%2C%20but%20...%20could%20someone%20explain%20WHY%20the%20temporary%20workaround%20works%3F%26nbsp%3B%20I've%20encountered%20this%20same%20error%20when%20calling%20AcquireCredentialsHandle%20in%20a%20Secure%20Channel%20app.%26nbsp%3B%20The%20workaround%20worked%2C%20but%20I've%20had%20to%20perform%20it%20several%20times%20...%20would%20like%20to%20know%20what's%20going%20on%20there%20technically.%26nbsp%3B%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft
First published on MSDN on Apr 28, 2017
Recently, I have assisted a Premier customer who installed a new certificate on Windows Server 2008 R2 but was unable to bind the certificate to the Website hosted on IIS. 7.5. This is the error we were getting:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001

Log Name:     System
Source:       Schannel
Date:         7/2/2016 9:52:25 AM
Event ID:     36870
Task Category: None
Level:         Error
Keywords:
User:         SYSTEM
Computer:     MyComp.Mydomain.com
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

The error indicates that IIS is not able to access the certificate's private key.

Steps we took to fix the issue:

  • Resolution:

    • Contact your certificate vendor for a certificate with private key. Import the cert and do the binding in IIS.



  • Temporary Workaround:

    • Assuming this is a valid certificate, verify that the certificate includes a private key. Double clicking the certificate in certificate manager (Certificate store) should say "You have a private key that corresponds to this certificate":










  • Now do the binding in IIS.

1 Comment
Occasional Visitor

I know it's been a couple of years, but ... could someone explain WHY the temporary workaround works?  I've encountered this same error when calling AcquireCredentialsHandle in a Secure Channel app.  The workaround worked, but I've had to perform it several times ... would like to know what's going on there technically.  Thanks.