certificate error

I have an sbs 2008 server, and I am trying to add a certificate I got from a trusted provider. When I attempt to add the certificate I get an error (see screenshot). Initially when I got the certificate, I went thru the sbs management console, and clicked add a trusted certificate and chose the one for my domain, and it took it fine. Apparently I needed to add other types of certificate as well, (they all came in a zip file from the vendor). The vendor tech rep walked me thru some steps to add the certificates via MMC, and all went well. So I accessed my site externally, and still got the "this site does not have a trusted certificate" error. He said I might need to reboot the server for the certificates to take effect. Then he figured we might need to add the certificate thru IIS, which brought me to the current situation I am now in with the error. When the error first happened, the tech thought it might be because the server is looking for .cer files, and theirs come as .crt. So, he had me change the extension to .cer hoping the error would go away, it did not. HELP!!!
cert-error.jpg
xzay1967 Asked:
 
yourbts Commented:
This exact issue seems to have been blogged about at Vijayshinva Karnure's site:

http://blogs.msdn.com/vijaysk/archive/2008/11/25/certenroll-cx509enrollment-p-installresponse-asn1-bad-tag-value-met-0x8009310b.aspx

I hope this helps!
0
 
xzay1967 (Author) Commented:
I did that but I still get the not trusted certificate error from an external web browser. I went ahead and generated a new request to the provider (Netsol).
0
 
yourbts Commented:
I tried to offer you a quick fix with the above link.

Your method should work as well, as it's what Verisign recommends (and should work with other providers as well):

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143
0

 
Paranormastic (Cryptographic Engineer) Commented:
Check Certificates MMC and see if the cert is in there somewhere, if it is then click-drag to the Personal store if it is not there already.  If not showing up, then install the certificate here to the Personal store and do above.

Double click the cert to view its properties - on the default tab look near the bottom to see if it has a little key icon and message saying you have the private key - if you do then you should be ok, otherwise reissue the cert (vendor should do for free within first 2-4 weeks normally).  Assuming that you do not have the private key associated, you can do the following to try to recover it.

Details tab - find the thumbprint field or the serial number field and copy that (need to Ctrl+C since r-click doesn't work here).

Open up a command box and run this:
certutil -repairstore my "paste thumbprint here"

Go back to IIS and try installing the cert file now.
0
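
The checks described in the answer above (is the certificate in the Local Computer Personal store, does it have its private key, what is its thumbprint) can also be run from an elevated PowerShell prompt. This is an added example, not part of the original answer; it assumes PowerShell 2.0 or later, only reads the store, and adds a chain check with revocation checking turned off, which the thread does not cover.

```powershell
# Added example: audit the Local Computer "Personal" store (Cert:\LocalMachine\My).
# Read-only: it prints the repair command for review instead of running it.
$store = 'Cert:\LocalMachine\My'

foreach ($cert in Get-ChildItem $store) {
    # Build the chain in machine context ($true), so only the computer's own
    # intermediate and root stores are used. Revocation checking is skipped so
    # the check also works offline (assumption made for this example).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Expires       = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted  = $chainOk
        ChainProblems = $problems
    } | Format-List Subject, Thumbprint, Expires, HasPrivateKey, ChainTrusted, ChainProblems

    if (-not $cert.HasPrivateKey) {
        # A server certificate without its private key cannot be used for HTTPS.
        Write-Host "No private key associated. To try re-associating it, run:"
        Write-Host ("  certutil -repairstore my `"{0}`"" -f $cert.Thumbprint)
    }
}
```

A certificate that shows HasPrivateKey as True but ChainTrusted as False points at missing intermediate or root certificates on the server rather than at the server certificate itself.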
 
xzay1967 (Author) Commented:
When I open MMC, the current user option is not there, only local computer. The certificates are in the personal>certificates folder under local computer. In the screenshot, the circled cert is the one I want to use. I used the certutil and did the repairstore option, and it ran successfully, then I went back to IIS, to try and do a complete request task, and got the same error again. I ignored the bad tag error, and went back to IIS> bindings, and added HTTPS to the bindings, that worked fine. I think this issue occurred due to two reasons:
1. Netsol certs have a crt extension, and SBS 2008 looks for .cer
2. I used the SBS console manager to add the trusted certificate instead of using IIS initially. Am I wrong in my deduction?
cert.jpg
0
 
DTAHARLEV Commented:
Are all the names spelled exactly the same? (friendly name etc)
0
 
xzay1967 (Author) Commented:
Yes, the names are spelled correctly. I went ahead and had the certificate revalidated, and it was re-issued to me. Basically I went ahead and did a new csr from the server. What is the best way to apply the new certificate? When certificates come from Netsol, they send a zip file that consists of some different types of certificates (see screen shot). I know sbs 2008 is different than traditional server OS. When certs are added using the add a trusted certificate wizard (sbs management console), what exactly does it do? Does it apply the cert to the sites in IIS as well? How do I add all these certs to my sbs 2008 server? Thanks for all you guys' help. Also, do I need to delete or remove the other certs I got from them before applying these new ones? How do I do that?
my-certs.jpg
0