A fatal error occurred when attempting to access the SSL server credential private key: 0x8009030d

Published Nov 16 2018 06:57 AM
Microsoft
First published on MSDN on Apr 28, 2017
Recently, I assisted a Premier customer who installed a new certificate on Windows Server 2008 R2 but was unable to bind the certificate to the website hosted on IIS 7.5. This is the error we were getting:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001

Log Name:     System
Source:       Schannel
Date:         7/2/2016 9:52:25 AM
Event ID:     36870
Task Category: None
Level:         Error
Keywords:
User:         SYSTEM
Computer:     MyComp.Mydomain.com
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

The error indicates that IIS is not able to access the certificate's private key.

Steps we took to fix the issue:

  • Resolution:

    • Contact your certificate vendor for a certificate that includes its private key. Import the certificate and do the binding in IIS.



  • Temporary Workaround:

    • Assuming this is a valid certificate, verify that the certificate includes a private key. Double-clicking the certificate in Certificate Manager (certificate store) should show "You have a private key that corresponds to this certificate".

  • Export the certificate with its private key.

  • Now re-import it using the "Mark the private key exportable" option.

  • Now do the binding in IIS.
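
The private-key check from the workaround above, together with a query for the Schannel event shown earlier, can be scripted. This is an added example, not part of the original article; the function names are hypothetical, and the KeyError column is a best-effort probe that assumes an elevated session.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.

# For each certificate in the local machine Personal store, report whether Windows
# has a private key associated with it and whether that key can actually be opened.
function Get-MachineCertKeyStatus {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $keyError = $null
        if ($cert.HasPrivateKey) {
            # HasPrivateKey only says a key is referenced. Opening it can still fail,
            # for example when the key container is missing or its ACL denies access.
            # Caveat: CNG-stored keys can also raise an error here on older .NET
            # versions, so treat KeyError as a hint, not as proof.
            try   { $null = $cert.PrivateKey }
            catch { $keyError = $_.Exception.Message }
        }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyError      = $keyError
        }
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, KeyError
}

# List recent Schannel events with ID 36870 (the event quoted in this article)
# from the System log, newest first.
function Get-SchannelKeyAccessErrors {
    param([int]$MaxEvents = 20)

    $filter = @{ LogName = 'System'; Id = 36870 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Schannel*' } |
        Select-Object TimeCreated, Id, Message
}

# A certificate bound in IIS should show HasPrivateKey = True and an empty KeyError.
Get-MachineCertKeyStatus    | Format-Table -AutoSize
Get-SchannelKeyAccessErrors | Format-List
```

A certificate that shows HasPrivateKey = False here is the case the resolution above addresses: the store holds only the public certificate, so IIS has no key to use for the binding.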
