0x80093201 ASN1 CryptoAPI CRYPT_E_EXTENDED fix

Cybersecurity & Malware Beginner 📅 Jun 6, 2026

This error pops up when Windows can't process a certificate with unknown extended extensions. The real fix is to update the certificate store or strip the problematic extensions. Skip the registry tweaks.

When does this error show up?

You'll see error 0x80093201, usually reported as "ASN1 (0X80093201) - skipped unknown CRYPT_E_EXTENDED extensions", when Windows Update is trying to install a signed update, or when you're signing code with a certificate that has non-standard extensions. I've seen it most often on Windows 10 21H2 and Windows 11 22H2 machines with legacy enterprise certificates that got renewed by a CA that added some custom extended key usage (EKU) or policy constraints the CryptoAPI can't parse.

Root cause in plain English

The CryptoAPI in Windows is picky about ASN.1 structures. When it sees a certificate that includes extensions it doesn't recognize, whether they are marked critical or not, it throws a fit. The error code CRYPT_E_EXTENDED means the extension data is valid but the system doesn't know what to do with it. This isn't a broken certificate; it's a compatibility mismatch between your enterprise CA and Microsoft's decoder.

Fix it in 5 steps

  1. Open an admin Command Prompt. Press Win+X, choose "Terminal (Admin)" or "Command Prompt (Admin)".
  2. Update the certificate store manually. Run this command; it rebuilds the root certificate store from Microsoft's update service. The trailing folder is a required destination for the downloaded certificates (C:\CertSync is a placeholder; use any empty folder):
    certutil -syncWithWU -f C:\CertSync
  3. Check if the problematic certificate is in your personal store. Use:
    certutil -store My
    Look for any certificate with a subject matching your enterprise CA. Note its serial number.
  4. Remove the offending certificate (if you're sure it's not needed). Use the serial number from step 3:
    certutil -delstore My "<serial_number>"
    Replace <serial_number> with the actual value (without quotes).
  5. Force re-download the update or re-run the signing tool. For Windows Update, clear the cache:
    net stop wuauserv
    net stop bits
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    net start wuauserv
    net start bits
    Then check for updates again. The error should be gone.
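Steps 3 to 5 as a single PowerShell script is an added example, not part of the original article. It does what the certutil commands do, with one addition a practitioner will want: the certificate is exported to a .cer file before it is removed, so a wrong guess can be undone with Import-Certificate. The serial number, the backup folder and the store paths are placeholders you must adjust.

```powershell
# Added example (not from the article): PowerShell equivalent of steps 3-5 that backs up the
# certificate (public part only, no private key) before deleting it.
# Placeholder: $serial is the serial number noted in step 3, written as certutil shows it.
#Requires -RunAsAdministrator
$serial    = '00AB12CD34'        # placeholder serial number
$backupDir = 'C:\CertBackup'     # placeholder backup folder
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Steps 3/4: locate the certificate by serial in both personal stores, back it up, then remove it.
$found = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
    Where-Object { $_.SerialNumber -eq $serial }
if (-not $found) { throw "No certificate with serial $serial found in the My stores." }
foreach ($cert in $found) {
    $backup = Join-Path $backupDir "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $backup | Out-Null
    Write-Host "Backed up '$($cert.Subject)' to $backup; removing from $($cert.PSParentPath)"
    Remove-Item -Path $cert.PSPath
}

# Step 5: reset the Windows Update download cache. The stale .old folder from an earlier
# attempt is removed first, otherwise the rename fails.
Stop-Service -Name wuauserv, bits -Force
$sd = 'C:\Windows\SoftwareDistribution'
if (Test-Path "$sd.old") { Remove-Item -Path "$sd.old" -Recurse -Force }
Rename-Item -Path $sd -NewName 'SoftwareDistribution.old'
Start-Service -Name bits, wuauserv
```

To restore a removed certificate, run Import-Certificate -FilePath <backup.cer> -CertStoreLocation Cert:\LocalMachine\My (or CurrentUser\My, matching where it came from). The export contains no private key, so a certificate you actually sign with must be restored from your CA or a PFX backup instead.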

What if it still fails?

If the error persists, the certificate's extended extension is likely baked into a signed file itself (like a .cab or .msi). Grab signtool from the Windows SDK and try to strip the extension during signing:

signtool sign /fd SHA256 /a /v /s My /n "YourCertName" /t http://timestamp.digicert.com yourfile.exe

If you can't re-sign, open the file in Explorer, right-click, Properties, Digital Signatures tab, select the signature, and click Details. If you see "Additional information" that mentions the extension, you'll need to get a new certificate from your CA that doesn't include custom EKUs. Tell them to use only standard ones (Code Signing, Client Auth, Server Auth).
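Rather than reading the Digital Signatures tab by hand, the following added example (PowerShell, written for this page and not part of the original article) lists the extensions that CryptoAPI has no registered OID information for, both for certificates in your personal stores (the check in step 3) and for the signer certificate embedded in a signed file (this section). An extension whose OID has no friendly name is a candidate for the "skipped unknown extension" report; the critical ones are the ones worth raising with your CA. The CA name and the file path are placeholders.

```powershell
# Added example (not from the article). Reports certificate extensions whose OID CryptoAPI
# cannot name, i.e. candidates for the "skipped unknown extension" error.
# Placeholders: 'Contoso Enterprise CA' (your CA's name) and C:\Downloads\yourfile.exe.
# Run from an elevated PowerShell so the LocalMachine store can be read.

function Get-UnknownCertExtension {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        foreach ($ext in $Certificate.Extensions) {
            # CryptoAPI fills FriendlyName only for OIDs it has registered information for;
            # an empty name means the decoder has no handler and will skip the extension
            # (or fail validation, if the extension is marked critical).
            if ([string]::IsNullOrEmpty($ext.Oid.FriendlyName)) {
                [pscustomobject]@{
                    Subject      = $Certificate.Subject
                    SerialNumber = $Certificate.SerialNumber
                    Thumbprint   = $Certificate.Thumbprint
                    Oid          = $ext.Oid.Value
                    Critical     = $ext.Critical
                    RawLength    = $ext.RawData.Length
                }
            }
        }
    }
}

# Step 3: scan both personal stores for certificates issued by (or belonging to) the enterprise CA.
$caName = 'Contoso Enterprise CA'   # placeholder
$storeFindings = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
    Where-Object { $_.Issuer -like "*$caName*" -or $_.Subject -like "*$caName*" } |
    Get-UnknownCertExtension

# "What if it still fails?": inspect the signer certificate embedded in the file itself.
$filePath = 'C:\Downloads\yourfile.exe'   # placeholder
$fileFindings = @()
if (Test-Path -Path $filePath) {
    $sig = Get-AuthenticodeSignature -FilePath $filePath
    if ($sig.SignerCertificate) {
        $fileFindings = $sig.SignerCertificate | Get-UnknownCertExtension
    }
}

@($storeFindings) + @($fileFindings) |
    Sort-Object Critical -Descending |
    Format-Table Subject, SerialNumber, Oid, Critical, RawLength -AutoSize
```

A certificate with no rows in the output has only extensions Windows knows how to decode, so the error is coming from somewhere else (for example the timestamp chain or an intermediate in the signed file's PKCS#7 blob rather than the leaf). Rows with Critical = True identify exactly the custom OIDs to ask your CA to drop; non-critical unknown OIDs are normally skipped without breaking validation.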

One more thing — check your antivirus. I've seen Bitdefender and McAfee block certificate updates due to false positives on ASN1 structures. Temporarily disable real-time protection, run the certutil sync, then re-enable it.
