pgm554 (ASKER) asked:

“ASN1 bad tag value met” error when processing a certificate request in IIS 7

Have an SBS 2008 server I am trying to add a cert to, and when I tried a friendly name the first time it worked, but I thought I made a mistake and tried to rename the friendly name as a do-over and I get

“ASN1 bad tag value met” error when processing a certificate request in IIS 7

I tried to regenerate, rekey and reinstall, but get the same error.

Anybody got a suggestion on how to delete any pending incomplete SSL certs and start over?

becraig:

To delete pending requests, try this:

Run mmc.exe
File - Add/Remove Snap-in - Certificates - Computer Account - Local - Certificates

Then look at Certificate Enrollment Requests

pgm554 (ASKER):

GoDaddy is telling me I need to generate a CSR out of IIS 7 instead of the wizard and rekey that way.

Arrghhh!
OK, so here is how:

On the computer, press Windows key + R
Type inetmgr and hit Enter

Click on the server node and double-click Server Certificates

Click on Create Certificate Request
Follow the steps from there.

pgm554 (ASKER):

I got that figured out, but if one does it by the numbers as M$ says to do in SBS (wizards only), you end up wasting time and effort.

The folks at GoDaddy are just as much to blame.

Why couldn't they just say "don't use the CSR wizards" and save me some grief?

I'm thinking of using Comodo next time around.
I think it is mainly due to the fact that most of their business is website based, so they usually end up processing requests generated that way.

Truth be told, you could use any method once the right flags are set in the request, but that's GoDaddy for you.

Happy you are able to get the new cert going; in the future, I guess IIS is just as easy.

pgm554 (ASKER):

Still working on it; GoDaddy seems to be clueless.

Now after doing it their way I am getting port 443 already in use when I try to finish up the install in IIS 7 using site binding.

Add Site Binding window:

    For Type, select https.
    For IP address, select All Unassigned, or the IP address of the site.
    For Port, type 443.
    For SSL Certificate, select the SSL certificate you just installed, and then click OK.
How many sites do you have on that server?

"Port 443 already in use" means a site already has SSL bound to 443 in IIS.

Do you have one or more sites on that server?

pgm554 (ASKER):

Just the default.

When I go to remote.domain.com I get an untrusted cert and it will let me log in, but I can't get it to let me RDP to the server desktop.

When I keyed it, I set up two names: remote and mail.

In the SBS manager, the SSL cert is showing as self-signed even though I imported it using the GoDaddy method, using only IIS and not the Add Trusted Cert wizard.
OK, let's open the MMC and verify the installed certificate is the one you just got.

Inetmgr
Add/Remove Snap-in
Local computer

Expand Personal and find your new cert.
Double-click on it to be sure it says you have a private key that matches this certificate.
Click on the Details tab and make a note of the thumbprint and the expiration date.

Then go back to your default site in IIS, click on the site and click on Edit Bindings on the right, then change the certificate to match the new one you just got from GoDaddy, and then run iisreset /noforce from a cmd window.

pgm554 (ASKER):

Having issues remoting in to the server right now.
I'm using Chrome as an rdp client.
Will tackle this tomorrow when I'm on site.

pgm554 (ASKER):

I tried a rekey and the wizard and still got not trusted.

Got into RWW and installed the self-signed cert and now can RDP into the server.

I've seen something about a .local no longer being allowed on new SSL certs that are issued for more than a year starting next year.

Could this be an issue with SBS creating a .local by default?
OK, so I think we got sidetracked somewhere :)

Yes, you will have issues requesting certificates with .local since it is difficult to prove ownership.
As such, digital certificate providers will not provide .local certificates.

The solution is one of two things:
1. A self-signed cert, which introduces a trust issue where users are not members of your domain and do not trust the self-signed certificate.
2. Updating your DNS names to match your public ".com" so that you can use trusted certificates from verified publishers.

pgm554 (ASKER):

Still working; going to try another cert provider.

pgm554 (ASKER):

Going to run a PowerShell command to force the cert install, will post results.
How do you force a cert install?

Cert installs are straightforward:
If you are processing a request, then certreq -accept or any Exchange command to process a pending request will work.
If importing a certificate processed elsewhere and exported as *.pfx, then a simple import will work.

pgm554 (ASKER):

Was told to do this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\replaceme.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP

c:\replaceme.crt is my GoDaddy-issued cert.

Tried it on a clone machine and it took.
Now going to use it on a production box and test.

pgm554 (ASKER):

After all that, I ended up generating a CSR through Exchange and when I went to import it I got a thumbprint error.
Used the PowerShell removal script and now it works, but I still get untrusted when coming in through Remote.

RPC over HTTP works fine.

Do I need to import my rekeyed SSL cert into IIS too?
Is this new cert one you got from a provider?

You can check IIS to verify, but the command you ran should have also bound the cert in IIS.

In any event, if it is not bound, simply bind it in IIS and run iisreset.

pgm554 (ASKER):

Just got off of the phone with M$; it appears as if the certs I was downloading from GoDaddy were missing a private key.
M$ was able to correct this and now everything seems to be working OK.

I will document what M$ did when they send me their breakdown of the issues.

Arrrrggghhhh!
ASKER CERTIFIED SOLUTION
becraig

pgm554 (ASKER):

No need to apologize for M$ and GoDaddy making it so convoluted.

pgm554 (ASKER):

From M$, the fix:
>>  Checked the certificate; it did not have a private key

>>  Ran the certutil command but it failed with the following error

C:\Windows\system32>certutil -repairstore my "c2170f552fd1090b9107eda9d5782d503cc22e3a"
my
================ Certificate 1 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/2/2014 10:41 AM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.
>>  Checked and found that the certificate was missing a private key

>>  Applied for a new cert

>>  Downloaded the same on desktop

>>  Added the cert to the personal store and intermediate store

>>  As the private key was missing, ran the below mentioned command

C:\Users\pgm554\Desktop\New cert>certutil  -repairstore my
      // (thumbprint of the certificate)  
my
================ Certificate 4 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/9/2014 4:19 PM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
  Key Container =
  Simple container name:
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.

>>  Added the cert by running the Add Trusted Cert wizard

Thanks and Regards
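The checks becraig described in the MMC (private key present, thumbprint, IIS binding) and the certutil -repairstore fix M$ applied, as one added PowerShell script that is not from this thread or from either vendor. It assumes an elevated PowerShell prompt on the SBS 2008 box (PowerShell 2.0 is enough), that certutil.exe and netsh.exe are on the path, and a placeholder $Thumbprint that you replace with the SHA-1 hash from the cert's Details tab.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell prompt
# on the SBS 2008 box (PowerShell 2.0 is enough) and that certutil.exe and
# netsh.exe are on the path. $Thumbprint is a placeholder to fill in.
$Thumbprint = 'REPLACE_WITH_SHA1_THUMBPRINT_FROM_DETAILS_TAB'

function Get-MachineCert([string]$Thumb) {
    # The Details tab shows the hash with spaces (and sometimes a hidden
    # leading character); strip everything that is not a hex digit.
    $t = ($Thumb -replace '[^0-9A-Fa-f]', '').ToUpper()
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $t }
}

function Test-PrivateKey([string]$Thumb) {
    # Same check as opening the cert in the MMC and looking for the
    # "You have a private key that corresponds to this certificate" line.
    $cert = Get-MachineCert $Thumb
    if (-not $cert) { throw "No certificate $Thumb in LocalMachine\My" }
    Write-Host ("Subject: {0}  Expires: {1}" -f $cert.Subject, $cert.NotAfter)
    return $cert.HasPrivateKey
}

function Repair-PrivateKey([string]$Thumb) {
    # certutil -repairstore only re-links the cert to a key container that
    # already exists on this machine (the one created with the CSR). It
    # cannot create a key, so it fails when no matching container exists,
    # which is what the first certutil run quoted above shows.
    $t = ($Thumb -replace '[^0-9A-Fa-f]', '')
    & certutil -repairstore my $t | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed: $LASTEXITCODE" }
    return (Get-MachineCert $Thumb).HasPrivateKey   # re-read; the old object is stale
}

function Test-HttpsBinding([string]$Thumb) {
    # HTTP.sys owns the SSL bindings; the IIS Site Bindings dialog is only a
    # front end for this table, so this is the authoritative check.
    $t = ($Thumb -replace '[^0-9A-Fa-f]', '').ToLower()
    $hashes = & netsh http show sslcert |
        ForEach-Object { if ($_ -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $matches[1].ToLower() } }
    return [bool]($hashes -contains $t)
}

if (Test-PrivateKey $Thumbprint) {
    Write-Host 'Private key present'
} elseif (Repair-PrivateKey $Thumbprint) {
    Write-Host 'Private key re-associated by certutil -repairstore'
}
if (Test-HttpsBinding $Thumbprint) { Write-Host 'An HTTP.sys SSL binding uses this cert' }
else { Write-Host 'Not bound: set it in IIS Site Bindings, then run iisreset /noforce' }
```

If Repair-PrivateKey throws, the key container is not on this machine at all, and the fix is what M$ did: request a new cert from a CSR generated on this box, then run the repair again.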

pgm554 (ASKER):

Was on the right track.