Decrypting .p7b files fails with ASN1 bad args error 0x80093109
This error pops up when Windows can't parse a PKCS#7 .p7b file due to malformed ASN.1 encoding. Usually caused by a corrupted download or a non-standard encoding scheme.
When this error hits
You're working with a PKCS#7 signed file — usually a .p7b certificate bundle — and you try to decrypt or verify it using PowerShell's Get-PfxCertificate, the MMC Certificates snap-in, or a direct call to CryptQueryObject. Windows throws 0x80093109 (ASN1 bad arguments). The error text reads CRYPT_E_BADARGS. This isn't a generic "you typed something wrong" — it's the ASN.1 parser telling you the input data is structurally invalid.
A common trigger: you downloaded a .p7b from an email attachment or a web portal, and the file got truncated or corrupted during transfer. Another scenario: you exported a certificate chain from a Linux machine using OpenSSL's default PEM format, then renamed it to .p7b without converting properly.
What's actually happening
The .p7b format is a binary DER-encoded PKCS#7 blob. Windows expects pure DER bytes. What you're giving it is either:
- Corrupt DER — bytes got mangled (truncation, bit flips from a bad download)
- PEM instead of DER — the file has
-----BEGIN PKCS7-----headers and Base64 text, not raw binary - Wrong content type — the file is actually a CMS enveloped-data blob, not a signed-data blob, and the parser chokes on the outer ASN.1 tag
The ASN.1 decoder expects a specific sequence of tags (SEQUENCE, OID, SET, etc.) in the exact order defined by PKCS#7. When the bytes don't match, it returns E_BADARGS — not a helpful message, but honest about the root cause.
The fix
- Check the file size and integrity
Right-click the .p7b file, go to Properties, and note the size (in bytes). If it's less than 100 bytes or an odd number, you likely have a truncated file. Re-download it from the original source. Use a checksum (SHA-256) if provided. - Inspect the raw bytes
Open the file in a hex editor (or justcertutil -dump). The first two bytes must be30 82for a valid DER SEQUENCE with length > 127. If you see2D 2D 2D(three dashes), you have PEM headers — that's the problem. - Convert PEM to DER if needed
If it's PEM, strip the headers and Base64-decode the body:
certutil -decode input.p7b output.p7bcertutilis built into Windows. It will remove the PEM armor and produce proper DER. Then retry your operation. - If it's already DER but still fails
Run:
Look forcertutil -dump input.p7bASN1 bad tag valueorbad lengthmessages. If you see those, the file is genuinely corrupt and you need a fresh copy from the issuer. - Use a different tool to re-encode
If you generated the .p7b yourself via OpenSSL, ensure you used-outform DER. On Linux:
The default is PEM (which adds headers). Withoutopenssl pkcs7 -in cert.pem -out cert.p7b -outform DER-outform DER, you get a PEM file that Windows can't parse.
If it still fails after the fix
Check whether the file is actually a PKCS#7 signed-data blob. Some .p7b files are enveloped-data (used for encryption) rather than signed-data. You can tell by running certutil -ASN input.p7b and looking at the OID after the outer SEQUENCE. If it's 1.2.840.113549.1.7.1 (data) or 1.2.840.113549.1.7.3 (enveloped-data), you're not dealing with signed-data at all. In that case, Windows's default certificate import won't work — you'll need to use a different API or convert to a PFX/P12 with a private key.
Also verify the file extension matches the actual encoding. Some systems mislabel PEM files as .p7b. If the first line of the file reads -----BEGIN PKCS7-----, rename it to .pem or run the certutil -decode conversion from step 3.
Finally, if you're on a really old Windows version (pre-7) or using a stripped-down embedded build, the CryptoAPI stack might be missing support for modern PKCS#7 features like large attribute sets. Update to a supported Windows version — you can't fix that with a file conversion.
Was this solution helpful?