Fix CRYPT_E_UNEXPECTED_MSG_TYPE 0X8009200A Certificate Error
This error means Windows can't find the private key for your certificate. The fix is to rebuild the certificate store or reinstall the cert with its key.
Yeah, this error is a pain. You're trying to authenticate to something—VPN, email signing, or maybe a web server—and Windows throws CRYPT_E_UNEXPECTED_MSG_TYPE (0X8009200A) with that lovely message: "The certificate does not have a property that references a private key." It's basically saying, "I see the cert, but the private key part is missing or corrupted." Let's fix it.
The Quick Fix: Rebuild the Certificate Store
Most of the time, the certificate store is just borked. Windows caches certs in the user's profile, and something went wrong during import—maybe a crash or a bad export. Here's what I do first:
- Open Command Prompt as Administrator (right-click, Run as admin).
- Run:
certutil -user -store My— this lists all personal certificates for the current user. Look for the one giving you trouble. Note the serial number or subject. - Now delete and re-add it:
certutil -user -delstore My "" - Then import your certificate again (the .pfx file that includes the private key). Use:
certutil -user -importpfx My "C:\path\to\your\cert.pfx"
If you don't have the .pfx file, you're stuck—you'll need a fresh export from the source with the private key included. Had a client last month whose entire print queue died because of this—their admin had exported a .cer file without the key. Total facepalm.
Why This Works
The CRYPT_E_UNEXPECTED_MSG_TYPE error happens because Windows can't match the certificate's thumbprint to any private key in the store. When you delete and re-import the cert from a proper .pfx, it rebuilds that linkage. The certificate store is just a database—if the record's corrupted, you clear it and start fresh.
Less Common Variations
Sometimes the fix isn't that straightforward. Here are three other scenarios I've seen:
1. Machine-Level vs User-Level Store
If the error pops up for a service or system-wide application (like IIS), you're likely in the wrong store. Run certlm.msc (Local Machine) instead of certmgr.msc. Import the .pfx to Personal under the machine store. Then grant the service account read access to the key using certutil -repairstore or the Certificates snap-in's Manage Private Keys option.
2. Corrupted Private Key File
Rare, but I've seen it. The .pfx file itself might be damaged. Try regenerating the certificate from the issuing CA. If you can't, use certutil -repairstore My " to force Windows to re-import the registry-backed key blob.
3. Group Policy or Script Conflicts
On domain-joined machines, sometimes a GPO pushes a cert that conflicts. Check gpresult /h report.html to see which policies apply. Then either remove the conflicting cert via certutil -delstore or update the GPO. One client had a login script that imported a temp cert every boot—caused this exact error each time until I disabled the script.
Prevention
Don't export certificates without the private key unless you absolutely know what you're doing. Always use certutil -exportPFX or the Export wizard with "Yes, export the private key" selected. Set a strong password on the .pfx. And for services, double-check you're adding the cert to the Machine store, not the User store.
Pro tip: Before importing, verify the .pfx has the key using certutil -dump yourcert.pfx | find /i "private key". If it says "No private key," you've got a bad export—go back to step one.
That's it. You should be past the error now. If not, check if the certificate is still valid (expired certs can give weird errors, but not this one specifically). Worst case, regenerate the cert from your CA. Stay practical.
Was this solution helpful?