“ASN1 bad tag value met” error when processing a certificate request in IIS 7

Posted on 2014-04-26
Last Modified: 2014-06-09
Have an SBS 2008 server I am trying to add a cert to, and when I tried the friendly name the first time it worked, but I thought I made a mistake and tried to rename the friendly name as a do-over and I get

“ASN1 bad tag value met” error when processing a certificate request in IIS 7

I tried to regenerate, rekey and reinstall, but get the same error.

Anybody got a suggestion on how to delete any pending incomplete SSL certs and start over?
Question by: pgm554

Expert Comment by: becraig (ID: 40025355)
To delete pending requests, try this:

Run - mmc.exe
File - Add/Remove Snapin - Certificates - Computer Account  - Local - Certificates

Then look at Certificate Enrollment Requests

Author Comment by: pgm554 (ID: 40027760)
GoDaddy is telling me I need to generate a CSR out of IIS 7 instead of the wizard and rekey that way.

Arrghhh!

Expert Comment by: becraig (ID: 40027819)
OK, so here is how:

On the computer, press Windows key + R, type inetmgr and hit Enter.

Click on the server node and double-click Server Certificates.

Click on Create Certificate Request.
Follow the steps from there.

Author Comment by: pgm554 (ID: 40028128)
I got that figured out, but if one does it by the numbers as M$ says to do in SBS (wizards only), you end up wasting time and effort.

The folks at GoDaddy are just as much to blame.

Why couldn't they just say don't use the CSR wizards and save me some grief?

I'm thinking of using Comodo next time around.

Expert Comment by: becraig (ID: 40028136)
I think mainly due to the fact most of the business is website based, so they usually end up processing for requests generated that way.

Truth be told you could use any method once the right flags are set in the request, but that's godaddy for you.

Happy you are able to get the new cert going, in the future I guess IIS is just as easy.

Author Comment by: pgm554 (ID: 40038673)
Still working on it, GoDaddy seems to be clueless.

Now after doing it their way I am getting "port 443 already in use" when I try to finish up the install in IIS 7 using site binding.

Add Site Binding window:

    For Type, select https.
    For IP address, select All Unassigned, or the IP address of the site.
    For Port, type 443.
    For SSL Certificate, select the SSL certificate you just installed, and then click OK.

Expert Comment by: becraig (ID: 40038676)
How many sites do you have on that server?

Port 443 already in use means a site already has SSL bound to 443 in IIS.

Do you have one or more sites on that server?

Author Comment by: pgm554 (ID: 40038690)
Just the default.

When I do a remote.domain.com I get untrusted cert and it will let me login, but I can't get it to let me RDP to the server desktop.

When I keyed it, I set up two names, remote and mail.

In the SBS manager, the SSL is showing as self-signed even though I imported it using the GoDaddy method using only IIS and not the Add Trusted Cert wizard.

Expert Comment by: becraig (ID: 40038692)
OK, let's open the MMC and verify the installed certificate is the one you just got.

Inetmgr
Add/Remove Snap-in
Local computer

Expand Personal and find your new cert.
Double-click on it to be sure it says you have a private key that matches this certificate.
Click on the Details tab and make a note of the thumbprint and the expiration date.

Then go back to your default site in IIS, click on the site and click on Edit Bindings on the right, then change the certificate to match the new one you just got from GoDaddy, and then run iisreset /noforce from a cmd window.

Author Comment by: pgm554 (ID: 40038704)
Having issues remoting in to server right now.
I'm using Chrome as an RDP client.
Will tackle this tomorrow when I'm on site.

Author Comment by: pgm554 (ID: 40043419)
I tried a rekey and the wizard and still got not trusted.

Got into RWW and installed self-signed and now can RDP into server.

I've seen something about a .local no longer being allowed on new SSL's that are issued for more than a year starting next year.

Could this be an issue with SBS creating a .local by default?

Expert Comment by: becraig (ID: 40047613)
Ok so I think we got sidetracked somewhere :)

Yes you will have issues requesting certificates with .local since it is difficult to prove ownership.
As such Digital Certificate providers will not provide .local certificates.

The solution is one of two things:
1. A self signed cert which introduces an issue of trust where users are not members of your domain and do not trust the self-signed certificate
2. Updating your dns names to match your public ".com" so that you can use trusted certificates from verified publishers.

Author Comment by: pgm554 (ID: 40102088)
Still working, going to try another cert provider.

Expert Comment by: becraig (ID: 40102089)
Here is a list of cost-effective providers:
http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm

Author Comment by: pgm554 (ID: 40115840)
Going to run a PowerShell command to force the cert install, will post results.

Expert Comment by: becraig (ID: 40116053)
How do you force a cert install?

Cert installs are straightforward:
If you are processing a request (then certreq -accept or any Exchange command to process the pending request will work).
If importing a certificate processed elsewhere and exported as *.pfx, then a simple import will work.

Author Comment by: pgm554 (ID: 40116157)
Was told to do this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\replaceme.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP

c:\replaceme.crt is my Godaddy issued cert.

Tried it on a clone machine and it took.
Now going to use it on a production box and test

Author Comment by: pgm554 (ID: 40121039)
After all that, I ended up generating a CSR through Exchange and when I went to import it I got a thumbprint error.
Used the PowerShell removal script and now it works, but I still get untrusted when coming in through remote.

RPC over HTTP works fine.

Do I need to import my rekeyed SSL into IIS too?

Expert Comment by: becraig (ID: 40121075)
Is this new cert one you got from a provider?

You can check IIS to verify, but the command you ran should have also bound the cert in IIS.

In any event, if it is not bound, simply bind it in IIS and run iisreset.

Author Comment by: pgm554 (ID: 40123382)
Just got off the phone with M$, it appears as if the certs I was downloading from GoDaddy were missing a private key.
M$ was able to correct this and now everything seems to be working OK.

I will document what M$ did when they send me their breakdown of the issues.

Arrrrggghhhh!

Accepted Solution by: becraig (earned 250 total points; ID: 40123386)
OK, I guess we got sidetracked :)

We were on the path to identifying that at comment:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_28420688.html#a40038692

If we had identified the private key was missing we could have run a certutil -repairstore and closed this issue earlier.

My apologies for the lengthy time to get to a solution.

Author Comment by: pgm554 (ID: 40123409)
No need to apologize for M$ and GoDaddy making it so convoluted.

Author Comment by: pgm554 (ID: 40123458)
From M$, the fix:
>>  Checked the certificate, it did not have a private key

>>  Ran certutil command but it failed with the following error

C:\Windows\system32>certutil -repairstore my "c2170f552fd1090b9107eda9d5782d503cc22e3a"
my
================ Certificate 1 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/2/2014 10:41 AM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.

>>  Checked and found that the certificate was missing a private key

>>  Applied for a new cert

>>  Downloaded the same on desktop

>>  Added the cert to the personal store and intermediate store

>>  As the private key was missing, ran the below mentioned command

C:\Users\pgm554\Desktop\New cert>certutil  -repairstore my
      // (thumbprint of the certificate)
my
================ Certificate 4 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/9/2014 4:19 PM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
  Key Container =
  Simple container name:
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.

>>  Added the cert by running Add trusted cert wizard

Thanks and Regards
0
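Pulling the thread together as one script: becraig's check at comment ID 40038692 was to confirm that the certificate in the Personal store shows a matching private key and to note its thumbprint before binding it in IIS, and the Microsoft fix was certutil -repairstore against that thumbprint. The PowerShell below is an added example for this page, not code from the thread, from Microsoft or from GoDaddy. It runs those steps in order and stops at the first one that fails: find the cert by thumbprint, run the repair only if HasPrivateKey is false, install the CA's intermediate, build the chain the way a browser would, replace whatever is already on 0.0.0.0:443 in HTTP.sys (the "port 443 already in use" symptom), give the site an https binding, and restart IIS. It deliberately uses only tools present on a Windows Server 2008 / IIS 7.0 host (certutil, netsh, appcmd, the Cert: drive). Assumptions: it runs elevated on the machine that generated the CSR (the only case in which -repairstore can find the key pair); the -Thumbprint, -SiteName and -IntermediatePath parameters and the script name Repair-WebCert.ps1 are my choices, not anything from the thread.

```powershell
# Added example for this page; not code from the thread, Microsoft or GoDaddy.
# Re-links a CA-issued certificate in LocalMachine\My with its private key
# (certutil -repairstore), verifies the chain, then binds it to 0.0.0.0:443 in IIS 7.
# Assumed parameters: -Thumbprint (SHA-1 of the issued cert), -SiteName,
# -IntermediatePath (the CA's intermediate bundle, optional). Run elevated on the
# server that generated the CSR.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$SiteName = 'Default Web Site',
    [string]$IntermediatePath = ''
)

$certutil = "$env:windir\system32\certutil.exe"
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$iisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # well-known IIS application id for HTTP.sys bindings

# Thumbprints pasted from the MMC often carry spaces or an invisible leading character.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'" }

function Get-MachineCert([string]$Hash) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Hash }
}

$cert = Get-MachineCert $Thumbprint
if (-not $cert) { throw "No certificate $Thumbprint in LocalMachine\My; import the issued .crt first" }

"Subject       : $($cert.Subject)"
"Issuer        : $($cert.Issuer)"
"Valid         : $($cert.NotBefore) to $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { "SANs          : $($san.Format($false))" }   # a .local name here will not come from a public CA

# 1. Re-link the key. This only works on the machine that created the CSR, because the key
#    pair generated with the request lives in that machine's key store; "Encryption test passed"
#    in certutil's output is the proof. A cert whose CSR was made elsewhere needs the .pfx instead.
if (-not $cert.HasPrivateKey) {
    & $certutil -repairstore my $Thumbprint
    if ($LASTEXITCODE -ne 0) {
        throw ("certutil -repairstore failed (0x{0:X8}); no matching key container is reachable here" -f $LASTEXITCODE)
    }
    $cert = Get-MachineCert $Thumbprint
    if (-not $cert.HasPrivateKey) { throw 'Repair reported success but the store still shows no private key' }
}

# 2. Install the issuing CA's intermediate. Without it the leaf is CA-issued but still
#    "untrusted" to clients that cannot fetch the intermediate themselves.
if ($IntermediatePath) {
    if (-not (Test-Path $IntermediatePath)) { throw "Intermediate bundle not found: $IntermediatePath" }
    & $certutil -addstore CA $IntermediatePath | Out-Null
}

# 3. Build the chain as a client would, with revocation checking on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status): $($_.StatusInformation.Trim())" }
    throw 'Certificate chain does not validate; fix the problems above before binding'
}
$chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }

# 4. Replace whatever HTTP.sys already has on 443 (the "port 443 already in use" symptom
#    means an earlier cert is bound there), then bind the repaired cert.
& netsh.exe http show sslcert ipport=0.0.0.0:443
& netsh.exe http delete sslcert ipport=0.0.0.0:443 2>$null | Out-Null
& netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=$Thumbprint "appid=$iisAppId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# 5. Give the site an https binding on 443 if it has none, then restart IIS.
$siteInfo = & $appcmd list site "$SiteName"
if (-not $siteInfo) { throw "Site '$SiteName' not found in IIS" }
if (($siteInfo -join "`n") -notmatch 'https/\*:443:') {
    & $appcmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:']" | Out-Null
}
& iisreset.exe /noforce
```

Example invocation with the thumbprint from the Microsoft transcript above (the bundle filename is an assumption; use whatever your CA supplied): `.\Repair-WebCert.ps1 -Thumbprint c2170f552fd1090b9107eda9d5782d503cc22e3a -IntermediatePath .\intermediate-bundle.crt`. The script handles only the IIS side; on SBS the Add a trusted certificate wizard (or Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP as used earlier in the thread) is still what assigns the cert to the Exchange services. If -repairstore fails the way it did in the transcript, there is no key container the process can reach that matches the certificate, so nothing can be re-linked: the fix is either the .pfx from wherever the CSR was generated, or what the transcript ended up doing, a fresh request from this machine followed by a reissue so the new cert matches a key that exists here.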
 
Author Closing Comment by: pgm554 (ID: 40123469)
Was on the right track.