Solved

"ASN1 bad tag value met" error when processing a certificate request in IIS 7

Posted on 2014-04-26
24
1,204 Views
Last Modified: 2014-06-09
Have an SBS 2008 server I am trying to add a cert to, and when I tried the friendly name the first time it worked, but I thought I made a mistake and tried to rename the friendly name as a do-over, and I get

"ASN1 bad tag value met" error when processing a certificate request in IIS 7

I tried to regenerate, rekey and reinstall, but get the same error.

Anybody got a suggestion on how to delete any pending incomplete SSL certs and start over?
0
Question by:pgm554
24 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40025355
To delete pending requests try this:

Run - mmc.exe
File - Add/Remove Snap-in - Certificates - Computer Account - Local - Certificates

Then look at Certificate Enrollment Requests
0
 
LVL 30

Author Comment

by:pgm554
ID: 40027760
GoDaddy is telling me I need to generate a CSR out of IIS 7 instead of the wizard and rekey that way.

Arrghhh!
0
 
LVL 29

Expert Comment

by:becraig
ID: 40027819
OK, so here is how:

On the computer, press Windows key + R, type inetmgr and hit Enter.

Click on the server node and double-click Server Certificates.

Click on Create Certificate Request.
Follow the steps from there.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40028128
I got that figured out, but if one does it by the numbers as M$ says to do in SBS (wizards only), you end up wasting time and effort.

The folks at GoDaddy are just as much to blame.

Why couldn't they just say "don't use the CSR wizards" and save me some grief?

I'm thinking of using Comodo next time around.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40028136
I think it is mainly due to the fact that most of the business is website based, so they usually end up processing requests generated that way.

Truth be told, you could use any method once the right flags are set in the request, but that's GoDaddy for you.

Happy you are able to get the new cert going; in the future I guess IIS is just as easy.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40038673
Still working on it; GoDaddy seems to be clueless.

Now, after doing it their way, I am getting "port 443 already in use" when I try to finish up the install in IIS 7 using site binding.

Add Site Binding window:

    For Type, select https.
    For IP address, select All Unassigned, or the IP address of the site.
    For Port, type 443.
    For SSL Certificate, select the SSL certificate you just installed, and then click OK.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40038676
How many sites do you have on that server?

"Port 443 already in use" means a site already has SSL bound to 443 in IIS.

Do you have one or more sites on that server?
0
 
LVL 30

Author Comment

by:pgm554
ID: 40038690
Just the default.

When I go to remote.domain.com I get an untrusted cert, and it will let me log in, but I can't get it to let me RDP to the server desktop.

When I keyed it, I set up two names: remote and mail.

In the SBS manager, the SSL is showing as self-signed even though I imported it using the GoDaddy method using only IIS and not the Add Trusted Cert wizard.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40038692
OK, let's open the MMC and verify the installed certificate is the one you just got.

Inetmgr
Add/Remove Snap-in
Local computer

Expand Personal and find your new cert.
Double-click on it to be sure it says you have a private key that matches this certificate.
Click on the Details tab and make a note of the thumbprint and the expiration date.

Then go back to your default site in IIS, click on the site and click on Edit Bindings on the right, then change the certificate to match the new one you just got from GoDaddy, and then run iisreset /noforce from a cmd window.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40038704
Having issues remoting in to the server right now.
I'm using Chrome as an RDP client.
Will tackle this tomorrow when I'm on site.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40043419
I tried a rekey and the wizard and still got "not trusted".

Got into RWW and installed the self-signed cert, and now I can RDP into the server.

I've seen something about .local no longer being allowed on new SSLs that are issued for more than a year starting next year.

Could this be an issue with SBS creating a .local by default?
0
 
LVL 29

Expert Comment

by:becraig
ID: 40047613
OK, so I think we got sidetracked somewhere :)

Yes, you will have issues requesting certificates with .local since it is difficult to prove ownership.
As such, digital certificate providers will not provide .local certificates.

The solution is one of two things:
1. A self-signed cert, which introduces an issue of trust where users are not members of your domain and do not trust the self-signed certificate.
2. Updating your DNS names to match your public ".com" so that you can use trusted certificates from verified publishers.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40102088
Still working; going to try another cert provider.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40102089
Here is a list of cost-effective providers:
http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm
0
 
LVL 30

Author Comment

by:pgm554
ID: 40115840
Going to run a PowerShell command to force the cert install; will post results.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40116053
How do you force a cert install?

Cert installs are straightforward:
If you are processing a request, then certreq -accept (or any Exchange command to process the pending request) will work.
If importing a certificate processed elsewhere and exported as *.pfx, then a simple import will work.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40116157
Was told to do this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\replaceme.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP

c:\replaceme.crt is my GoDaddy-issued cert.

Tried it on a clone machine and it took.
Now going to use it on a production box and test.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40121039
After all that, I ended up generating a CSR through Exchange, and when I went to import it I got a thumbprint error.
Used the PowerShell removal script and now it works, but I still get "untrusted" when coming in through remote.

RPC over HTTP works fine.

Do I need to import my rekeyed SSL into IIS too?
0
 
LVL 29

Expert Comment

by:becraig
ID: 40121075
Is this new cert one you got from a provider?

You can check IIS to verify, but the command you ran should have also bound the cert in IIS.

In any event, if it is not bound, simply bind it in IIS and run iisreset.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40123382
Just got off the phone with M$; it appears as if the certs I was downloading from GoDaddy were missing a private key.
M$ was able to correct this and now everything seems to be working OK.

I will document what M$ did when they send me their breakdown of the issues.

Arrrrggghhhh!
0
 
LVL 29

Accepted Solution

by:
becraig earned 250 total points
ID: 40123386
OK, I guess we got sidetracked :)

We were on the path to identifying that at this comment:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_28420688.html#a40038692

If we had identified that the private key was missing, we could have run a certutil -repairstore and closed this issue earlier.

My apologies for the lengthy time to get to a solution.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40123409
No need to apologize for M$ and GoDaddy making it so convoluted.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40123458
From M$, the fix:
>>  Checked the certificate; it did not have a private key

>>  Ran the certutil command, but it failed with the following error

C:\Windows\system32>certutil -repairstore my "c2170f552fd1090b9107eda9d5782d503cc22e3a"
my
================ Certificate 1 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/2/2014 10:41 AM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.

>>  Checked and found that the certificate was missing a private key

>>  Applied for a new cert

>>  Downloaded the same on the desktop

>>  Added the cert to the Personal store and Intermediate store

>>  As the private key was missing, ran the below-mentioned command

C:\Users\pgm554\Desktop\New cert>certutil  -repairstore my
      // (thumbprint of the certificate)  
my
================ Certificate 4 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/9/2014 4:19 PM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
  Key Container =
  Simple container name:
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.

>>  Added the cert by running the Add Trusted Cert wizard

Thanks and Regards
0
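As an added example, not code from the thread or from Microsoft support, here is a PowerShell script that performs the same check and repair the transcript above describes: it looks the certificate up by thumbprint in the machine's Personal store, reports whether it has a private key, runs certutil -repairstore if it does not, and then shows which IIS https bindings use it. It assumes PowerShell 2.0 or later and the IIS WebAdministration module (IIS 7.5+) or snap-in (IIS 7.0); the thumbprint is supplied as a parameter, since none from the page is used.

```powershell
param(
    # SHA-1 thumbprint of the certificate to check (40 hex chars, no spaces).
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint
)

function Get-MachineCert([string]$Hash) {
    # The computer's Personal store is what certutil's "my" store name means.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Hash.ToUpper() }
}

$cert = Get-MachineCert $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

"Subject            : $($cert.Subject)"
"Issuer             : $($cert.Issuer)"
"Expires            : $($cert.NotAfter)"
"Private key present: $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # Same repair Microsoft support ran in the thread. It can only succeed if the
    # key pair generated with the original CSR is still in this machine's key
    # store; a certificate issued for a CSR made elsewhere must be re-keyed.
    & certutil.exe -repairstore my $Thumbprint
    $cert = Get-MachineCert $Thumbprint
    "Private key after repair: $($cert.HasPrivateKey)"
}

# Load the IIS cmdlets: module on IIS 7.5+, snap-in on IIS 7.0 (assumed present).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
} elseif (Get-PSSnapin -Registered -Name WebAdministration -ErrorAction SilentlyContinue) {
    Add-PSSnapin WebAdministration
}

# Report every https binding that references this certificate.
$bindings = Get-ChildItem -Path IIS:\SslBindings -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($bindings) {
    $bindings | ForEach-Object { "https binding: $($_.IPAddress):$($_.Port)" }
} else {
    "No https binding uses this certificate; set it in the site's bindings and run iisreset /noforce."
}
```

Run it from an elevated PowerShell prompt, since both the machine store and the IIS configuration require administrator rights.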
 
LVL 30

Author Closing Comment

by:pgm554
ID: 40123469
Was on the right track.
0