Fix OSS_BAD_ARG (0x80093006) - OSS ASN.1 Error Fast
This error means the ASN.1 data handed to Windows' decoder is malformed, or that the call passed it no usable data at all. Here is what triggers it, how to find the offending bytes, and what to change so it stops.
I know this error is infuriating: you're trying to issue a certificate or verify a signature, and suddenly Windows throws 0x80093006 at you. Let's fix it.
What Actually Triggers This Error
You'll see OSS_BAD_ARG (0x80093006) when CryptoAPI's ASN.1 decoder (msasn1.dll, Microsoft's build of the OSS ASN.1 runtime, which is where the OSS_ prefix comes from) is handed something it can't work with. It is the runtime's generic "invalid argument" code: an empty buffer or a length that doesn't match the buffer triggers it as readily as bad bytes, while content errors more often surface as OSS_DATA_ERROR (0x80093005) or OSS_MORE_INPUT (0x80093004). It happens most often when:
- You're running a custom script that calls CertificateEnrollment or CertRequest from PowerShell and builds the request blob by hand
- Your app sends a PKCS#10 request with a stray byte or a wrong tag
- You're using ADCS (Active Directory Certificate Services) and the CA rejects the request
- You imported a .cer or .p7b file that got corrupted or truncated during download
I've seen this on Windows Server 2019 and Windows 10 22H2 mostly. It's not a hardware issue—it's a formatting problem.
The Registry Tweak, and Why It Is Not the Fix
A widely repeated fix is to make CryptoAPI "less strict" by adding a DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID. Skip it. The key that actually exists there is EncodingType 0 (and EncodingType 1; the name has a space, not a backslash), and it holds CryptoAPI's OID function registration: for each OID, which DLL and export crypt32 loads to encode, decode, or look up that object type. There is no documented value named DisableBuiltinOID, and creating one changes nothing about how ASN.1 is decoded. Treat this key like an autorun location: a DLL path registered under it is loaded by crypt32 when that OID is used, so the only entries that belong there are the ones Windows and your installed software put there.
The fix that works is to find the malformed encoding and correct it at the source:
- Capture the exact bytes that reached the failing call (the request blob, the .cer, the .p7b) before any Base64 or string conversion.
- Run them through a strict decoder: certutil -asn file.bin on Windows, or openssl asn1parse -in file.bin -inform DER. Note the offset where decoding stops.
- Fix the producer: regenerate the request, re-download the file, or correct the script's byte handling.
- Restart Certificate Services or the app only if it cached the bad blob. The registry needs no change.
Why There Is No Permissive Decoder
Windows does not have a strict decoder and a relaxed fallback. CryptoAPI has one ASN.1 runtime with fixed rules, and no registry switch makes it tolerate framing it does not already accept. Many third-party tools and older scripts do emit trailing null bytes, lengths that don't match the content, or wrong tags, and the decoder stops at the first offset it cannot reconcile with the expected structure. That offset, not a registry value, is what tells you what to fix.
Less Common Variations
If the captured bytes decode cleanly, the problem is usually in how they reached the decoder, or in what was already sitting in the store:
1. Corrupted Certificate Store
Run this from an elevated command prompt:
certutil -store -user My
Entries that fail to decode show up as an error line instead of the usual Subject and NotAfter output. Delete them with certutil -delstore -user My <serial> (the serial number certutil prints for that entry) and re-import the certificate from a known-good file.
2. Wrong Encoding Type in Script
If you're using PowerShell, the usual mistake is handing the decoder the wrong bytes: reading a Base64 (PEM) file with Get-Content and passing the text's bytes where DER is expected, or running a blob through [Convert]::FromBase64String twice. This line trips people up because it creates an empty object, and the real loading happens later, where the byte format gets guessed at:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
Load from the file path or from the raw file bytes instead, and check what the file actually contains before converting anything: [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType('cert.cer') returns Cert, Pkcs7, Pfx or Unknown. The constructor has no X509ContentType parameter; it takes the raw certificate bytes and detects DER versus Base64 itself.
3. FIPS Compliance Mode
Some government or enterprise machines have FIPS mode enabled. Check this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
If Enabled is 1, the machine restricts which algorithms Schannel and the .NET cryptography classes will use. That changes which algorithm errors you see; it does not change how ASN.1 is parsed, so disabling it will not clear 0x80093006 and is the wrong move on a production system anyway. Leave it on, and instead confirm the blob is valid DER with OpenSSL, which prints the offset and depth of every element and stops where the structure breaks:
openssl asn1parse -in badcert.cer -inform DER
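The procedure above (capture the bytes, decode strictly, read the offset where decoding stops) can be scripted, and the same check covers the script mistake in section 2. The following is an added example, not code from the article, from Microsoft or from OpenSSL: a small strict DER framing checker written against Python's standard library that reports the defect classes a strict decoder halts on (indefinite length, non-minimal length octets, values that run past the buffer, trailing bytes), plus a DER-versus-PEM classifier. The sample blobs are a minimal SEQUENCE and hand-made broken variants constructed for this example, not bytes from a real certificate, and every function and constant name is the example's own.

```python
"""Strict DER framing checker.

Added example, not code from the original article. It walks a blob the way a
strict ASN.1 decoder does and reports the framing defects that make a decode
call fail: indefinite lengths, non-minimal length octets, values that run past
the buffer, and trailing bytes after the outermost element. It also tells DER
apart from PEM text, the usual cause of the "wrong encoding type" mistake.
All sample inputs below are constructed by hand for this example.
"""
import base64
import re

# Constructed sample: SEQUENCE { INTEGER 1, OID 1.2.840.113549.1.1.11 }
GOOD = bytes.fromhex("300E020101" "06092A864886F70D01010B")
TRAILING_NULLS = GOOD + b"\x00\x00"                 # blob followed by two null bytes
NONMINIMAL = b"\x30\x81\x0E" + GOOD[2:]              # long-form length for a value < 128
INDEFINITE = b"\x30\x80" + GOOD[2:] + b"\x00\x00"    # BER indefinite length
TRUNCATED = GOOD[:-3]                                # download cut off early
PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(GOOD)
       + b"-----END CERTIFICATE-----\n")
B64_TEXT = base64.b64encode(GOOD)                    # Base64 text passed where DER was expected

_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify(data: bytes) -> str:
    """'DER' if it starts with a SEQUENCE tag, 'PEM' if it carries PEM armour, else 'unknown'."""
    if data[:1] == b"\x30":
        return "DER"
    if _PEM_RE.search(data):
        return "PEM"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Strip PEM armour and Base64-decode the body."""
    m = _PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(2))


def _walk(buf: bytes, pos: int, findings: list) -> int:
    """Parse one TLV at pos, recurse into constructed types, return the end offset."""
    start = pos
    if pos >= len(buf):
        findings.append(f"offset {pos}: truncated, expected a tag")
        return len(buf)
    tag = buf[pos]
    pos += 1
    constructed = bool(tag & 0x20)
    if (tag & 0x1F) == 0x1F:                         # high-tag-number form: 7 bits per byte
        while pos < len(buf) and buf[pos] & 0x80:
            pos += 1
        pos += 1
    if pos >= len(buf):
        findings.append(f"offset {start}: truncated, no length octet")
        return len(buf)
    first = buf[pos]
    pos += 1
    if first == 0x80:
        findings.append(f"offset {start}: indefinite length (BER, not DER)")
        return len(buf)                              # cannot frame the rest reliably
    if first & 0x80:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            findings.append(f"offset {start}: unusable long-form length")
            return len(buf)
        lbytes = buf[pos:pos + n]
        pos += n
        length = int.from_bytes(lbytes, "big")
        if lbytes[0] == 0 or length < 0x80:          # DER requires the shortest length form
            findings.append(f"offset {start}: non-minimal length encoding")
    else:
        length = first
    end = pos + length
    if end > len(buf):
        findings.append(f"offset {start}: length {length} exceeds remaining {len(buf) - pos} bytes")
        return len(buf)
    if constructed:
        inner = pos
        while inner < end:
            inner = _walk(buf, inner, findings)
        if inner > end:
            findings.append(f"offset {start}: child element runs past its parent")
    return end


def check_der(data: bytes) -> list:
    """Return framing findings; an empty list means the blob frames as DER."""
    findings = []
    end = _walk(data, 0, findings)
    if end < len(data):
        findings.append(f"offset {end}: {len(data) - end} trailing byte(s) after the outermost element")
    return findings


if __name__ == "__main__":
    samples = {"good": GOOD, "trailing nulls": TRAILING_NULLS, "non-minimal": NONMINIMAL,
               "indefinite": INDEFINITE, "truncated": TRUNCATED, "pem": PEM, "b64 text": B64_TEXT}
    for name, blob in samples.items():
        kind = classify(blob)
        der = pem_to_der(blob) if kind == "PEM" else blob
        print(f"{name:15} {kind:8} {check_der(der) or 'OK'}")
```

Run it as a script to see each sample classified; the offset in a finding is where a real decoder gives up, which is where to look in the producer. A clean result only means the framing is right: it says nothing about whether the content matches the X.509 schema, which is what openssl x509 or certutil -asn tells you.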
Prevention Going Forward
Three things will keep 0x80093006 out of your life:
- Validate certificates with OpenSSL before importing them to Windows: openssl asn1parse -in cert.cer -inform DER must reach the end of the file without error. Re-writing with openssl x509 -in cert.cer -inform DER -outform DER -out fixed.cer drops trailing bytes after the certificate, but nothing inside the signed tbsCertificate can be "fixed" without invalidating the signature; if the defect is there, the certificate has to be reissued.
- Use PowerShell's Get-PfxCertificate or Import-Certificate cmdlets instead of hand-rolled byte conversions in .NET. They read the file as-is and leave no room to mix Base64 text with DER bytes.
- Keep your CA template settings simple. If you're running ADCS, custom extensions are fine as long as each value is encoded exactly as that extension's ASN.1 definition requires; a hand-built extension value that doesn't match is a frequent trigger, the OID itself is not.
That's the whole playbook. Capture the bytes, find the offset where decoding stops, fix the producer, and check your script's byte handling if the bytes themselves look right. You'll have it sorted in under 10 minutes.