Solved

Can't install new SSL certificate: ASN1 bad tag value met

Posted on 2009-05-05
Last Modified: 2012-05-06
Error message: CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I missed out autodiscover.my-domain.com from my new SSL certificate, but the company I bought it from allowed me to add this and sent me the updated cert. Now, when I try to install it I get the above error. Any ideas?

Installing on IIS7 on an Exchange 2007 server.
Question by:-Juddy-

Expert Comment

by:Mestha
ID: 24309547
You need to issue a new certificate request on the server, as there is now a mismatch.

Simon.

Author Comment

by:-Juddy-
ID: 24312424
So if I create a new CSR matching the new cert (with the added alternative name) I will be able to add the new cert?

Author Comment

by:-Juddy-
ID: 24312611
Ok, so I created a new certificate request on the Exchange Server matching EXACTLY what is on the updated, re-issued certificate.  When I try to 'Complete Certificate request' I get the exact same error.

Accepted Solution

by:-Juddy-
ID: 24312818
FIXED!!

This worked for me:

Begin by importing the .crt file into the Personal certificate store for the local computer.  (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key.
 
Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /?

The command you'll want to run is:
 
certutil -repairstore my "insert all of the thumbprint characters here"

When you see the response "CertUtil: -repairstore command completed successfully", you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the "Complete Certificate Request" wizard.  The certificate should show up in the IIS Manager's list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.
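
The steps from the accepted solution, scripted in PowerShell as an added example that is not part of the original thread. The parameter names and the default host name are placeholders. certutil -repairstore can only re-link a private key that already exists on this server, so the script verifies the result rather than trusting the exit message.

```powershell
# Added example: run from an elevated PowerShell prompt on the IIS/Exchange server.
# $CertPath and $ExpectedNames are placeholders, not values taken from the thread.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [string[]]$ExpectedNames = @('autodiscover.my-domain.com')
)

$ErrorActionPreference = 'Stop'

# Load the re-issued certificate (public part only) from the .crt file.
$file  = (Resolve-Path $CertPath).ProviderPath
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
$thumb = $cert.Thumbprint   # read programmatically instead of copying from the Details tab

# Check the Subject Alternative Name extension (OID 2.5.29.17) before installing,
# so a host name that is still missing is caught here rather than by clients.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
foreach ($name in $ExpectedNames) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        Write-Warning "SAN does not list $name"
    }
}

# Step 1: import into the local computer's Personal (My) store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Step 2: re-associate the certificate with its private key, by thumbprint.
& certutil.exe -repairstore my $thumb
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# Step 3: confirm the store entry now has a private key before binding it in IIS.
$installed = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $installed.HasPrivateKey) {
    throw "Certificate $thumb still has no private key on this server"
}
"OK: $($installed.Subject) [$thumb] has a private key"
```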