Can't install new SSL certificate: ASN1 bad tag value met

Error message :CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I missed out autodiscover.my-domain.com from my new SSL certificate, but the company i bought it from allowed by to add this and sent me the updated cert.  Now, when I try to install it I get the above error, any ideas?

Installing on IIS7 on an Exchange 2007 server.
LVL 3
-Juddy-Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
-Juddy-Connect With a Mentor Author Commented:
FIXED!!

This worked for me:

Begin by importing the .crt file into the Personal certificate store for the local computer.  (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key.
 
Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /?

The command youll want to run is:
 
certutil -repairstore my "insert all of the thumbprint characters here"

 When you see the response: CertUtil: -repairstore command completed successfully you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the Complete Certificate Request& wizard.  The certificate should show up in the IIS Managers list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.
0
 
MesthaCommented:
You need to issue a new certificate request on the server, as there is now a mismatch.

Simon.
0
 
-Juddy-Author Commented:
So if I create a new CSR matching the new cert (with the added alternative name) I will be able to add the new cert?
0
 
-Juddy-Author Commented:
Ok, so I created a new certificate request on the Exchnage Server matching EXACTLY what is on the updated, re-issued certificate.  When I try to 'Complete Certificate request'  I get the exact same error.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.