%3CLINGO-SUB%20id%3D%22lingo-sub-287847%22%20slang%3D%22en-US%22%3EA%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key%3A%200x8009030d%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287847%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Apr%2028%2C%202017%20%3C%2FSTRONG%3E%3CBR%20%2F%3ERecently%2C%20I%20have%20assisted%20a%20Premier%20customer%20who%20installed%20a%20new%20certificate%20on%20Windows%20Server%202008%20R2%20but%20was%20unable%20to%20bind%20the%20certificate%20to%20the%20Website%20hosted%20on%20IIS.%207.5.%20This%20is%20the%20error%20we%20were%20getting%3A%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3CB%3E%3CI%3EA%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key.%20The%20error%20code%20returned%20from%20the%20cryptographic%20module%20is%200x8009030d.%20The%20internal%20error%20state%20is%2010001%20%3C%2FI%3E%3C%2FB%3E%3CBR%20%2F%3E%3CBR%20%2F%3ELog%20Name%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20System%20%3CBR%20%2F%3ESource%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Schannel%20%3CBR%20%2F%3EDate%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%207%2F2%2F2016%209%3A52%3A25%20AM%20%3CBR%20%2F%3EEvent%20ID%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2036870%20%3CBR%20%2F%3ETask%20Category%3A%20None%20%3CBR%20%2F%3ELevel%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Error%20%3CBR%20%2F%3EKeywords%3A%20%3CBR%20%2F%3EUser%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SYSTEM%20%3CBR%20%2F%3EComputer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20MyComp.Mydomain.com%20%3CBR%20%2F%3EDescription%3A%20%3CEM%3EA%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key.%20The%20error%20code%20returned%20from%20the%20cryptographic%20module%20is%200x8009030D.%20The%20internal%20error%20state%20is%2010001.%20%3C%2FEM%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20The%20error%20indicates%20that%20IIS%20is%20not%20able%20to%20access%20the%20certificate's%20private%20key.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Steps%26nbsp%3Bwe%20took%20to%26nbsp%3Bfix%20the%20issue%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EResolution%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EContact%20your%20certificate%20vendor%20for%20a%20certificate%20with%20private%20key.%20Import%20the%20cert%20and%20do%20the%20binding%20in%20IIS.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ETemporary%20Workaround%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EAssuming%20this%20is%20a%20valid%20certificate%2C%20verify%20that%20the%20certificate%20includes%20a%20private%20key.%20Double%20clicking%20the%20certificate%20in%20certificate%20manager%20(Certificate%20store)%20should%20say%20%22You%20have%20a%20private%20key%20that%20corresponds%20to%20this%20certificate%22%3A%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60052iCC2486F05ADE2490%22%20%2F%3E%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2017%2F04%2FUntitled.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2017%2F04%2FUntitled.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc754329(v%3Dws.11).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EExport%20certificate%20%3C%2FA%3Ewith%20its%20private%20key%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60053i16304CA54041D84F%22%20%2F%3E%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2017%2F04%2FCapture2.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ENow%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fcc754489(v%3Dws.11).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ere-imported%20%3C%2FA%3Eusing%20the%20%22Mark%20the%20private%20key%20exportable%22.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60054i49A7BCAB85E1772A%22%20%2F%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ENow%20do%20the%20binding%20in%20IIS.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-287847%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Apr%2028%2C%202017%20Recently%2C%20I%20have%20assisted%20a%20Premier%20customer%20who%20installed%20a%20new%20certificate%20on%20Windows%20Server%202008%20R2%20but%20was%20unable%20to%20bind%20the%20certificate%20to%20the%20Website%20hosted%20on%20IIS.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-287847%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecertificate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehttp%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIIS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eschannel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESSL%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etls%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWeb%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1505520%22%20slang%3D%22en-US%22%3ERe%3A%20A%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key%3A%200x800903%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1505520%22%20slang%3D%22en-US%22%3E%3CP%3EI%20know%20it's%20been%20a%20couple%20of%20years%2C%20but%20...%20could%20someone%20explain%20WHY%20the%20temporary%20workaround%20works%3F%26nbsp%3B%20I've%20encountered%20this%20same%20error%20when%20calling%20AcquireCredentialsHandle%20in%20a%20Secure%20Channel%20app.%26nbsp%3B%20The%20workaround%20worked%2C%20but%20I've%20had%20to%20perform%20it%20several%20times%20...%20would%20like%20to%20know%20what's%20going%20on%20there%20technically.%26nbsp%3B%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1617809%22%20slang%3D%22en-US%22%3ERe%3A%20A%20fatal%20error%20occurred%20when%20attempting%20to%20access%20the%20SSL%20server%20credential%20private%20key%3A%200x800903%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1617809%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20article%2C%20wondering%2C%20how%20does%20one%20determine%20if%20private%20key%20is%20already%20supplied%20by%20CA%20%3F%20My%20limited%20understanding%20tells%20me%20Private%20key%20is%20not%20asked%20by%20CA%20and%20is%20saved%20in%20safe%20location%20on%20Windows%20Server.%20Private%20key%20associates%20itself%20with%20CA%20supplied%20certificate%20when%20installing%20the%20certificate%20on%20its%20own%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft
First published on MSDN on Apr 28, 2017
Recently, I have assisted a Premier customer who installed a new certificate on Windows Server 2008 R2 but was unable to bind the certificate to the Website hosted on IIS. 7.5. This is the error we were getting:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001

Log Name:     System
Source:       Schannel
Date:         7/2/2016 9:52:25 AM
Event ID:     36870
Task Category: None
Level:         Error
Keywords:
User:         SYSTEM
Computer:     MyComp.Mydomain.com
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

The error indicates that IIS is not able to access the certificate's private key.

Steps we took to fix the issue:

  • Resolution:

    • Contact your certificate vendor for a certificate with private key. Import the cert and do the binding in IIS.



  • Temporary Workaround:

    • Assuming this is a valid certificate, verify that the certificate includes a private key. Double clicking the certificate in certificate manager (Certificate store) should say "You have a private key that corresponds to this certificate":










  • Now do the binding in IIS.

2 Comments
Occasional Visitor

I know it's been a couple of years, but ... could someone explain WHY the temporary workaround works?  I've encountered this same error when calling AcquireCredentialsHandle in a Secure Channel app.  The workaround worked, but I've had to perform it several times ... would like to know what's going on there technically.  Thanks.

Occasional Visitor

Nice article, wondering, how does one determine if private key is already supplied by CA ? My limited understanding tells me Private key is not asked by CA and is saved in safe location on Windows Server. Private key associates itself with CA supplied certificate when installing the certificate on its own?