Only took a couple quick searches Googling with Bing, but in IIS 7 if you create a
request for a certificate, create it by a CA and then complete the request, and find
it blows up with this message box:
CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b
(ASN: 267)
All it means is that the CA that issued the certificate isn’t trusted on the server.
I came across this in a test environment I was building. I had a Domain with
CA Services, and a server that existed outside the domain. I used the domain
CA to create the certificate, but because the web server wasn’t part of the domain,
it didn’t trust the CA.
My fix was to add the CA as a trusted Root Authority on the web server.