Solved

Can't install new SSL certificate: ASN1 bad tag value met

Posted on 2009-05-05
4
2,481 Views
Last Modified: 2012-05-06
Error message :CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I missed out autodiscover.my-domain.com from my new SSL certificate, but the company i bought it from allowed by to add this and sent me the updated cert.  Now, when I try to install it I get the above error, any ideas?

Installing on IIS7 on an Exchange 2007 server.
0
Comment
Question by:-Juddy-
  • 3
4 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24309547
You need to issue a new certificate request on the server, as there is now a mismatch.

Simon.
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 24312424
So if I create a new CSR matching the new cert (with the added alternative name) I will be able to add the new cert?
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 24312611
Ok, so I created a new certificate request on the Exchnage Server matching EXACTLY what is on the updated, re-issued certificate.  When I try to 'Complete Certificate request'  I get the exact same error.
0
 
LVL 3

Accepted Solution

by:
-Juddy- earned 0 total points
ID: 24312818
FIXED!!

This worked for me:

Begin by importing the .crt file into the Personal certificate store for the local computer.  (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key.
 
Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /?

The command youll want to run is:
 
certutil -repairstore my "insert all of the thumbprint characters here"

 When you see the response: CertUtil: -repairstore command completed successfully you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the Complete Certificate Request& wizard.  The certificate should show up in the IIS Managers list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question