CERT_E_PURPOSE (0x800B0106): Quick Fixes for Certificate Purpose Errors
This error pops up when a certificate is used for something its CA didn't intend. I'll show you the three most common causes and how to squash each one fast.
1. The Certificate's Key Usage Doesn't Match What You're Trying to Do
This is the culprit in about 70% of cases. The certificate was issued with specific Key Usage or Extended Key Usage (EKU) extensions, and your application is trying to use it for something completely different. Think of it like trying to unlock your car with your house key — it's not gonna work.
Real-world trigger: You're trying to sign a PowerShell script with a certificate that only has "Server Authentication" in its EKU. Or you're trying to set up IIS with a code-signing cert. The OS catches this mismatch and throws 0x800B0106.
The fix:
- Open the certificate. Double-click it in MMC or Cert Manager.
- Go to the Details tab.
- Look for Key Usage and Extended Key Usage. If it says "Server Authentication" only, you can't use it for code signing or email encryption. Period.
- You need a cert with the right EKU. For code signing, the EKU must contain 1.3.6.1.5.5.7.3.3 (Code Signing). For server auth, 1.3.6.1.5.5.7.3.1 (Server Authentication). For email, 1.3.6.1.5.5.7.3.4 (Secure Email).
If you're stuck and can't get a new cert, you can sometimes work around this by creating an SSL/TLS listener with netsh and binding the cert that way — but that's a hack, not a fix. Don't do it in production.
2. Intermediate or Root CA Certificates Are Missing or Wrong
This is the second most common reason. The certificate itself might be fine, but the trust chain is broken. Windows can't verify the certificate's purpose because it can't build the chain up to a trusted root.
Real-world trigger: You imported a certificate from a partner company, but they didn't include the intermediate CA. Or you're using a self-signed CA root that isn't in the Trusted Root Certification Authorities store.
The fix:
- Run certlm.msc (for local machine) or certmgr.msc (for current user).
- Find your certificate in Personal > Certificates. Double-click it.
- Go to the Certification Path tab. This shows you the chain. If any cert in the chain has a red X, that's your problem.
- Missing intermediate CA? Download the .cer file from the issuing CA and import it into Intermediate Certification Authorities > Certificates.
- Missing root CA? Import the root cert into Trusted Root Certification Authorities > Certificates.
Pro tip: Don't just blindly trust .cer files from emails. Verify the thumbprint against the CA's official documentation. I've seen shady certs planted this way.
3. The Certificate Has Expired or Is Revoked
Obvious one, but people miss it because they check the date and think "oh, it's still valid." The error doesn't always say "expired" — sometimes it throws 0x800B0106 because the CRL (Certificate Revocation List) check fails and Windows can't determine whether the cert is still good for that purpose.
Real-world trigger: You're using a certificate that was valid for code signing last week, but the CA revoked it because the private key was compromised. Windows checks CRL, finds the revocation, and the OS blocks the usage — even if the cert hasn't technically expired.
The fix:
- Check the Valid from and Valid to dates on the certificate's General tab. If it's expired, request a new one.
- Right-click the certificate and select Properties > Enable all purposes for this certificate. This overrides EKU restrictions. Use this only for testing — don't do this in production.
- If you suspect revocation, run certutil -verify [certificate.cer]. This shows you the full chain and its revocation status. A status of "CERT_E_REVOKED" means get a new cert.
One more thing: if your CA is offline and the CRL distribution point is unreachable, Windows can delay the check but may still fail. Set the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config and add a DWORD EnableDisableCertChainUrlRetrievalTimeout with value 1 to increase timeout. Rarely needed but saved me once.
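As an added example that is not part of this article, here is a PowerShell script that checks all three causes above for one certificate: it reads the EKU extension directly (cause 1), then asks the Windows chain engine to build the chain for the intended purpose with online revocation checking, which surfaces chain and revocation problems (causes 2 and 3) as named status flags. It assumes the cert sits in the local machine Personal store; the thumbprint is a placeholder you replace with your own.

```powershell
# Added example, not the article's code. Assumes Windows PowerShell 5.1+, a cert in
# Cert:\LocalMachine\My, and a placeholder thumbprint you replace with your own.
param(
    [string]$Thumbprint     = "<THUMBPRINT_PLACEHOLDER>", # placeholder, not a real value
    [string]$RequiredEkuOid = "1.3.6.1.5.5.7.3.3"         # Code Signing; 1.3.6.1.5.5.7.3.1 = Server Auth
)
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
Write-Host "Subject: $($cert.Subject)  valid $($cert.NotBefore) -> $($cert.NotAfter)"

# Cause 3 (expiry) is cheap to rule out first.
if ((Get-Date) -gt $cert.NotAfter) { Write-Warning "Certificate has expired." }

# Cause 1: read the Extended Key Usage extension directly.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($null -eq $eku) {
    Write-Host "No EKU extension: Windows treats the certificate as valid for all purposes."
} elseif ($eku.EnhancedKeyUsages.Value -notcontains $RequiredEkuOid) {
    $have = ($eku.EnhancedKeyUsages | ForEach-Object { "$($_.Value) ($($_.FriendlyName))" }) -join ', '
    Write-Warning "EKU is [$have]; it lacks $RequiredEkuOid, so that use raises CERT_E_PURPOSE."
}

# Causes 1-3 together: build the chain the way Windows does when an application
# asks for a purpose. ApplicationPolicy makes the chain engine enforce the EKU;
# RevocationMode Online makes it fetch CRL/OCSP information during the build.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
[void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid($RequiredEkuOid)))

if ($chain.Build($cert)) {
    Write-Host "Chain builds cleanly for purpose $RequiredEkuOid."
} else {
    # Map each status back to the causes above:
    #   NotValidForUsage                         -> cause 1 (EKU mismatch, CERT_E_PURPOSE)
    #   PartialChain, UntrustedRoot              -> cause 2 (missing intermediate or root)
    #   NotTimeValid, Revoked, RevocationStatusUnknown, OfflineRevocation -> cause 3
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}
# The elements show the chain Windows built, like the Certification Path tab.
$i = 0
foreach ($el in $chain.ChainElements) {
    Write-Host ("  [{0}] {1}" -f $i, $el.Certificate.Subject); $i++
}
```

Run it as `.\Check-CertPurpose.ps1 -Thumbprint <your thumbprint>`; an empty ChainElements list together with PartialChain means the intermediate CA is missing from the store, which is the cause 2 fix above.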
Quick-Reference Summary
| Cause | Symptom | Fix |
|---|---|---|
| Wrong EKU/Key Usage | Cert doesn't have the right purpose extension | Get a cert with correct EKU, or bind correctly |
| Broken certificate chain | Missing intermediate or root CA in chain | Import missing CA certs into correct store |
| Expired or revoked cert | CRL check fails, date is past | Renew cert, or enable all purposes (test only) |