Solved

"ASN1 bad tag value met" error when processing a certificate request in IIS 7

Posted on 2014-04-26
1,120 Views
Last Modified: 2014-06-09
Have an SBS 2008 server I am trying to add a cert to, and when I tried the friendly name the first time it worked, but I thought I made a mistake and tried to rename the friendly name as a do-over, and I get

"ASN1 bad tag value met" error when processing a certificate request in IIS 7

I tried to regenerate, rekey and reinstall, but get the same error.

Anybody got a suggestion on how to delete any pending incomplete SSL certs and start over?
0
Question by:pgm554
24 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 40025355
To delete pending requests try this :

Run - mmc.exe
File - Add/Remove Snapin - Certificates - Computer Account  - Local - Certificates

Then look at Certificate Enrollment Requests
0
 
LVL 30

Author Comment

by:pgm554
ID: 40027760
Godaddy is telling me I need to generate a CSR out of IIS 7 instead of the wizard and rekey that way.

Arrghhh!
0
 
LVL 28

Expert Comment

by:becraig
ID: 40027819
ok so here is how

on the computer windows key + r
inetmgr  "hit enter"

Click on the server  node and double click server certificates

Click on create Certificate request
Follow the steps from there.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40028128
I got that figured out, but if one does it by the numbers as M$ says to do in SBS (wizards only), you end up wasting time and effort.

The folks at Godaddy are just as much to blame.

Why couldn't they just say don't use the csr wizards and save me some grief.

I'm thinking of using Comodo next time around.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40028136
I think mainly due to the fact most of the business is website based, so they usually end up processing for requests generated that way.

Truth be told you could use any method once the right flags are set in the request, but that's godaddy for you.

Happy you are able to get the new cert going, in the future I guess IIS is just as easy.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40038673
Still working on it, Godaddy seems to be clueless.

Now after doing it their way I am getting port 443 already in use when I try to finish up the install in IIS 7 using site binding.

Add Site Binding window:

    For Type, select https.
    For IP address, select All Unassigned, or the IP address of the site.
    For Port, type 443.
    For SSL Certificate, select the SSL certificate you just installed, and then click OK.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40038676
How many sites do you have on that server ?

Port 443 already in use means a site already has ssl bound to 443 in IIS.

Do you have one or more sites on that server ?
0
 
LVL 30

Author Comment

by:pgm554
ID: 40038690
Just the default.

When I do a remote.domain.com I get untrusted cert and it will let me login, but I can't get it to let me RDP to the server desktop.

When I keyed it, I set up two names: remote and mail.

In the SBS manager, the SSL is showing as self signed even though I imported it using the Godaddy method using only IIS and not the add trusted cert wizard.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40038692
Ok let's open the mmc and verify the installed certificate is the one you just got.

Inetmgr
Add/Remove Snap-in
Local computer

Expand personal and find your new cert
Double click on it to be sure it says you have a private key that matches this certificate.
Click on the details tab and make a note of the thumbprint and the expiration date.

Then go back to your default site in IIS click on the site and click on Edit bindings on the right then change the certificate to match the new one you just got from godaddy and then run iisreset /noforce from a cmd window
0
 
LVL 30

Author Comment

by:pgm554
ID: 40038704
Having issues remoting in to server right now.
I'm using Chrome as an rdp client.
Will tackle this tomorrow when I'm on site.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40043419
I tried a rekey and the wizard and still got not trusted.

Got into RWW and installed self-signed and now can RDP into server.

I've seen something about a .local no longer being allowed on new SSL's that are issued for more than a year starting next year.

Could this be an issue with SBS creating a .local by default?
0
 
LVL 28

Expert Comment

by:becraig
ID: 40047613
Ok so I think we got sidetracked somewhere :)

Yes you will have issues requesting certificates with .local since it is difficult to prove ownership.
As such Digital Certificate providers will not provide .local certificates.

The solution is one of two things:
1. A self signed cert which introduces an issue of trust where users are not members of your domain and do not trust the self-signed certificate
2. Updating your dns names to match your public ".com" so that you can use trusted certificates from verified publishers.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40102088
Still working going to try another cert provider
0
 
LVL 28

Expert Comment

by:becraig
ID: 40102089
Here is a list of cost-effective providers:
http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm
0
 
LVL 30

Author Comment

by:pgm554
ID: 40115840
Going to run a powershell command to force the cert install, will post results.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40116053
How do you force a cert install ?


Cert installs are straightforward:
If you are processing a request (then certreq -accept or any exchange command to process pending request will work)
If importing a certificate processed elsewhere and exported as *.pfx then a simple import will work.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40116157
Was told to do this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\replaceme.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP

c:\replaceme.crt is my Godaddy issued cert.

Tried it on a clone machine and it took.
Now going to use it on a production box and test.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40121039
After all that, I ended up generating a CSR through Exchange and when I went to import it I got a thumbprint error.
Used the powershell removal script and now it works, but I still get untrusted when coming in through remote.

rpc over http works fine.

Do I need to import my rekeyed ssl into iis too?
0
 
LVL 28

Expert Comment

by:becraig
ID: 40121075
Is this new cert one you got from a provider ?


You can check IIS to verify, but the command you ran should have also bound the cert in IIS

In any event if it is not bound, simply bind it in IIS and run iisreset.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40123382
Just got off of the phone to M$, it appears as if the certs I was downloading from GoDaddy were missing a private key.
M$ was able to correct this and now everything seems to be working OK.

I will document what M$ did when they send me their breakdown of the issues.

Arrrrggghhhh!
0
 
LVL 28

Accepted Solution

by:
becraig earned 250 total points
ID: 40123386
Ok I guess we got sidetracked :)


we were on the path to identifying that at comment:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_28420688.html#a40038692

If we had identified the private key was missing we could have run a certutil -repairstore and closed this issue earlier.


My apologies for the lengthy time to get to a solution.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40123409
No need to apologize for M$ and Godaddy making it so convoluted.
0
 
LVL 30

Author Comment

by:pgm554
ID: 40123458
From M$, the fix:
>>  Checked the certificate it did not have a private key

>>  Ran certutil command but it failed with a following error

C:\Windows\system32>certutil -repairstore my "c2170f552fd1090b9107eda9d5782d503cc22e3a"
my
================ Certificate 1 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/2/2014 10:41 AM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.



>>  Checked and found that the certificate was missing a private key

>>  Applied for a new cert

>>  Downloaded the same on desktop

>>  Added the cert to the personal store and intermediate store

>>  As the private key was missing, ran the below mentioned command

C:\Users\pgm554\Desktop\New cert>certutil  -repairstore my
      // (thumbprint of the certificate)  
my
================ Certificate 4 ================
Serial Number:
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 6/9/2014 4:19 PM
NotAfter: 5/1/2017 2:30 PM
Subject: CN=remote.mydomain.com, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1):
  Key Container =
  Simple container name:
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.


>>  Added the cert by running Add trusted cert wizard




Thanks and Regards
0
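A way to catch exactly this condition up front, covering both the "make sure it says you have a private key that matches this certificate" check from the earlier comment and the missing-key state that certutil -repairstore fixed above. This is an added PowerShell example, not code from the thread, Microsoft or GoDaddy; the thumbprint is a placeholder parameter, and it assumes an elevated prompt on the SBS 2008 box with the cert already imported into LocalMachine\My:

```powershell
# Added example (not from the thread): confirm a certificate in LocalMachine\My
# carries a usable private key before binding it in IIS or Exchange.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder: paste the SHA-1 thumbprint from the Details tab
)

# The MMC Details tab copies the thumbprint with spaces and sometimes a hidden
# left-to-right mark; keep only hex digits so the lookup does not silently miss.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'."
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My."
}

"Subject       : $($cert.Subject)"
"Issuer        : $($cert.Issuer)"
"NotAfter      : $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # This is the state the thread hit: the CA-issued .crt was imported without
    # the key generated by the original request. certutil can re-associate the
    # key only if the matching key container still exists on this machine.
    Write-Warning "No private key: IIS/Exchange cannot use this cert for TLS."
    Write-Warning "Try (elevated): certutil -repairstore my $Thumbprint"
    Write-Warning "If that fails with 0x80090010, the key container is gone; rekey from a CSR generated on this machine."
    exit 1
}

# Prove the key is reachable and actually matches the certificate's public key
# with a sign/verify round-trip (CSP keys only on .NET 3.5; CNG keys return $null here).
try {
    $priv = $cert.PrivateKey
    $pub  = [Security.Cryptography.RSACryptoServiceProvider]$cert.PublicKey.Key
    $data = [Text.Encoding]::UTF8.GetBytes('private-key-probe')
    $sig  = $priv.SignData($data, 'SHA1')
    "Key matches certificate: $($pub.VerifyData($data, 'SHA1', $sig))"
} catch {
    Write-Warning "Private key listed but not accessible: $($_.Exception.Message)"
    exit 2
}
```

Run it for each thumbprint noted in the MMC; a certificate that fails here is the one IIS will show as self-signed or refuse to bind, and the certutil line it prints is the same repair step Microsoft used above.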
 
LVL 30

Author Closing Comment

by:pgm554
ID: 40123469
Was on the right track.
0
