Webinar: PKI Insights - The Most Common Misconfigurations in Today's PKI
Schedule a Demo
Blog August 2, 2019 Bugs, Certificate Requests, Certificates, Certreq

You cannot submit a certificate request generated by Exchange Management Console (EMC) or Exchange Management Shell (EMS) to CA

by Vadims Podāns
As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

You create certificate certificate by using either Exchange Management Console (EMC) or Exchange Management Shell (EMS) and save it to a file. When you attempt to submit certificate request to a Windows-based Certification Authority (CA) (also known as Microsoft Certificate Services), you may receive error message. If CA server runs on Windows Server 2003 (R2) or Windows Server 2008, you receive the following message:

ASN1 bad tag value met. 0x8009310b (ASN: 267).

If CA server runs on Windows Server 2008 R2, no there are no response from MMC console. If you are using certreq.exe utility, you receive an error:

Contoso Pharmaceuticals Enrollment Policy
Certificate not issued (Incomplete)

And certificate request is not issued, failed or pended.

Additional information: for certificate request generation follow the steps described in the  Create a New Exchange Certificate TechNet article.

Aside note: certificate request do not contains certificate template information which is required for Enterprise CAs. In order to submit the request to Enteprise CA you should use certreq.exe utility with the following syntax:

certreq –submit –attrib "CertificateTemplate:TemplateCommonName"

this command will add certificate template information as a attribute.


This behavior occurs when certificate request is stored in a file in Unicode encoding. Microsoft Certificate Services do not support Unicode-encoded files request files. Only ANSI encoding is supported.


Microsoft has confirmed this behavior as inconsistent. No bug fixes are available. See Workaround section for example steps to overcome the issue.


  1. If you already have certificate request file, do the following:
    • Open Notepad program.
    • In the File menu, click Open.
    • In the Open File dialog, locate certificate request file.
    • In the File menu, click Save As… option.
    • Type a name for new request file. In the Encoding drop-down list, select ANSI.
    • Click Save to save the request.
    • Now you can resubmit certificate request to Microsoft Certificate Services
  2. If you are using Exchange Management Shell use the following guidance to save Base64-encoded certificate request to a file with proper encoding:

In the Exchange Management Shell console run New-ExchangeCertificate cmdlet with required parameters, save output to a variable and save output to a file with proper encoding:

$OutputRequest = New-ExchangeCertificate <Specify and fill all required properties> Set-Content -Path Path\ExchRequest.req -Value $OutputRequest -Encoding ANSI

The default behavior for PowerShell Set-ContentAdd-ContentOut-File and redirection operator “>” is to save content in Unicode encoding. If the file already exist, the commands respects existing file encoding. The default encoding can be changed by using –Encoding parameter for cmdlets.

Redirection operators in PowerShell do not support encoding change.


  • Windows Server 2003 (x86 and x64) Standard, Enterprise and Datacenter editions, all service packs
  • Windows Server 2003 (x86 and x64) R2 Standard, Enterprise and Datacenter editions, all service packs
  • Windows Server 2008 (x86 and x64) Standard, Enterprise and Datacenter editions, all service packs
  • Windows Server 2008 R2 Standard, Enterprise and Datacenter editions, all service packs
  • Active Directory Certificate Services
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010

Related Resources

  • Blog
    March 7, 2024

    PKI Insights – Avoiding PenTest Pitfalls

    Certificates, PKI, PKI Insights
  • Blog People sitting in a large room full of computers
    March 7, 2024

    Why you are getting it wrong with Certificate Lifecycle Management

    Certificate Management, Certificates, CLM
  • Blog
    February 6, 2024

    PKI Insights Recap – Microsoft Intune Cloud PKI

    BYOD, Certificates, Cloud, Enrollment, NDES

Vadims Podāns

PKI Software Architect

View All Posts by Vadims Podāns


Leave a Reply

Your email address will not be published. Required fields are marked *