“ASN1 bad tag value met” error when processing a certificate request in IIS 7

We’ve seen a few instances of the following error message on 64-bit servers when IIS 7.0 is attempting to process a pending certificate request:

Complete Certificate Request

There was an error while performing this operation.

Details:

CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

This error seems to mean that the private key (created when the certificate request was made) does not match the public key in the CA’s response (the .crt file). The key pair is therefore never joined into a working SSL certificate.
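One way to test that explanation before touching anything, added here as an example (not part of the original post): the key pair generated for a pending IIS request is kept in the local computer’s Certificate Enrollment Requests store, so the public key inside the CA’s .crt can be compared against every pending request on the box. The response path is a placeholder.

```powershell
# Added example, not from the original post. Assumes the CA response was saved to
# C:\certs\response.crt (placeholder path); DER or Base64 encoded .crt/.cer both load.
$ResponsePath = 'C:\certs\response.crt'

$response = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ResponsePath
# Encoded public key value of the issued certificate, as Base64 so it compares as a string.
$responseKey = [Convert]::ToBase64String($response.PublicKey.EncodedKeyValue.RawData)

# Pending IIS requests live in the REQUEST store ("Certificate Enrollment Requests" in the MMC).
# Each entry is a placeholder certificate that references the private key generated for the CSR.
$pending = @(Get-ChildItem Cert:\LocalMachine\REQUEST)

$match = @($pending | Where-Object {
    [Convert]::ToBase64String($_.PublicKey.EncodedKeyValue.RawData) -eq $responseKey
})

if ($match.Count -gt 0) {
    foreach ($m in $match) {
        "Public key matches pending request $($m.Thumbprint); completing the request should join the key pair."
    }
} elseif ($pending.Count -eq 0) {
    "No pending requests in the REQUEST store: the original request and its private key are not on this machine."
} else {
    "No pending request holds this key pair: the CA issued the certificate for a different CSR (re-key or re-issue)."
}
```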

So far this behavior seems most common with .crt files (instead of the .cer files many of us are more used to) issued by one specific Certification Authority—which will remain nameless here.
The error shows up after reaching the point in the wizard where you ‘Specify Certificate Authority Response’ and point the ‘File name containing the certification authority’s response…’ field at the .crt file.

So far there seem to be two solutions.

Solution 1:

Verisign has a support article that matches this error message: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143. Their recommendation seems to be to replace the certificate with a new one. This method has worked for at least one of my customers in this situation with a GoDaddy certificate. All they had to do was make a new certificate request (CSR text file), log into the GoDaddy web interface and re-key (we chose re-key rather than re-issue) their certificate. The new file processed fine.

Solution 2:

Begin by importing the .crt file into the Personal certificate store for the local computer:

Start button > Run: MMC > File menu > Add/Remove Snap-in > highlight the Certificates snap-in and click Add > select Computer Account and click Finish > click OK > drill into Personal > Certificates > right-click and select All Tasks > Import > browse to the .crt file.

At this point your certificate is basically a half-certificate. It is still missing its private key.

Second, double-click the certificate you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight it. In the lower pane, select and copy all the characters of the thumbprint and paste them into Notepad. Open a command prompt as Administrator (the repair step below fails with an access-denied error without elevation) and run certutil /? to see the available commands.

The command you’ll want to run is:

certutil -repairstore My "<paste all of the thumbprint characters here>"

Keep the straight double quotes around the thumbprint and do not type the angle brackets themselves; the placeholder is replaced by the characters you copied from the Details tab.

When you see the response “CertUtil: -repairstore command completed successfully”, you should have a private key associated with the .crt file in the Personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard. The certificate should show up in the IIS Manager’s list of server certificates at this point. It should also be available in the SSL Certificates drop-down list when editing the https binding for a website.
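The same procedure as a script, added here as an example (not the post’s own steps): it imports the response with certutil, reads the thumbprint from the file instead of copying it from the Details tab, runs the repair, and then checks that a private key is actually attached. It assumes an elevated PowerShell session; the file path and friendly name are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session and
# that the CA response is at C:\certs\response.crt (placeholder path).
$ResponsePath = 'C:\certs\response.crt'
$FriendlyName = 'www.example.com (placeholder friendly name)'

# Read the thumbprint straight from the file; it is the same value the MMC shows on the Details tab.
$response = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ResponsePath
$thumbprint = $response.Thumbprint

# Step 1: import the .crt into the local computer's Personal (My) store. This is the
# "half-certificate" from the post: a public certificate with no private key behind it.
certutil -addstore My $ResponsePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Step 2: let certutil find the private key generated when the request was created and
# re-attach it to the store entry. Without elevation this is the "Access denied" failure.
certutil -repairstore My $thumbprint
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Step 3: verify. HasPrivateKey is true only when the store entry now references a key,
# which is what IIS needs before the certificate can be bound to an https site.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "No private key attached to $thumbprint; fall back to Solution 1" }

# The repaired entry shows up in IIS with a blank name; set one so it is recognisable in the
# server certificates list and the https binding drop-down. Assigning the property persists it.
$cert.FriendlyName = $FriendlyName

"Repaired {0}: thumbprint {1}, private key present, valid until {2}" -f $cert.Subject, $thumbprint, $cert.NotAfter
```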

Incidentally, a common way of attempting to deal with this error is to take the .p7b file from the Certification Authority and import the CA’s certificates into the Trusted and Intermediate stores. As far as I can tell, this approach has no useful effect upon this problem.

Other relevant links:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143

http://blogs.msdn.com/vijaysk/archive/2008/11/25/certenroll-cx509enrollment-p-installresponse-asn1-bad-tag-value-met-0x8009310b.aspx

Comments (50)

  1. Peter says:

    Thanks a lot. Solution 2 solved my problem!

  2. Phil says:

    When I attempt to run the certutil command on SBS2008 I get a permission error stating this command requires elevated privileges to run.  Administrator privs are required to run this command.  Since the Administrator account is disabled/disappears in SBS2008, I tried using the network admin account and it gets the permissions error.  Am I missing something?

  3. Drew says:

    Thank you. Solution 2 worked for me with a GoDaddy SSL cert.  

  4. Mads Nissen says:

    The second approach using certutil (under elevated privs on win2008 web edition) is getting an access denied:

    No key provider information

    Cannot find the certificate and private key for decryption.

    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)

    CertUtil: Access denied.

    Guess I’ll need to try option 1 then 🙁

  5. Harry Lee says:

    solution 2 did not work with Godaddy without the following modifications on server 2008 on the last step

    certutil -repairstore "My" "insert all of the thumbprint characters here"

    Basically put quotes "My" and don’t put the {} marks where the thumbprint goes.  Thanks.

  6. Matthew Kaney says:

    I believe I have found the cause of the problem.  If you are renewing an existing certificate (when I say renew I am not referring to the renew certificate function which most instructions warn against, but rather creating a certificate request from an existing certificate), when you complete the certificate request, you MUST right click on the existing certificate and select complete from the context menu.  If you attempt to right-click in an open area of the window and select complete request from that context menu, or if you delete the original certificate first and therefore can only right click in the open area of the window, you will receive this message.  

    If you have in fact deleted the original certificate, then you must follow the first procedure outlined above to rekey the certificate. Then you will be able to right click in the open area and select complete from that context menu.

  7. Steve Bishop says:

    Option 2 worked for me as well except it didn’t give it a name… just blank.  Still worked.

  8. Eric says:

    When I try this I get prompted to enter a smartcard.  When I cancel out of that (we don’t use smartcards) the certutil command fails with an ACCESS DENIED message.

    We don’t use smartcards so I’m not sure why I’m being prompted for this.

    Anybody know anything about this?

  9. Camelopardium says:

    Thanks a ton. Solution 2 rocks.

  10. Joel Carlson says:

    Same here, thanks so much for Solution #2 – you saved a lot of headache and downtime!

  11. Nick Seibert says:

    Many thanks for this solution. #2 worked perfectly for me.

    Also, even though the Name for the cert is blank in IIS, this can be remedied through the MMC.

    start -> run -> mmc -> File -> Add/Remove Snap-in -> select Certificates etc.

    Then go to Certificates -> Personal -> Certificates -> select the desired cert, right click, properties -> set a friendly name. Easy.

  12. Paul says:

    I tried option 1 first, that did not work.  Then tried option 2 which did work.  Thank you.

  13. Vlad says:

    Thanks a lot! # 2 worked great!!!!

  14. james knight says:

    awesome my friend.. thank u so much… really option 2 was the one that worked for me. also on another forum they had said that copy from current to local account but that didn’t work for me as the certutil command would complain that it could not find the certificate and private key for decryption. By doing the add-in and guiding to the .cer file, cert util worked fine…

  15. Richard S says:

    Amazing!! Option 2 worked for me as well!

    Thanks again!

  16. Madrooki says:

    Thank you! Solution 2 worked a treat!

    Wasted so much time with this rubbish until I saw your blog.

  17. Charlie Messerly says:

    Thanks Option 2 did the trick!!! This solved my problem of installation of GoDaddy SSL Certificate on IIS 7.0 with response ASN1 bad tag in cert enroll.

  18. Scott says:

    I couldn’t get either option to work but I managed to export the certificate to a .PFX (with the private key) and import it to IIS7 on the same box.

    GoDaddy were no help whatsoever with their automated responses.

  19. Mirche says:

    Thanks a lot, Solution 2 solved my problem too … thanks, thanks

  20. philabob says:

    Yes, it works! Thank you very well for your technique 🙂

  22. condonate says:

    Solution #2 resolved my cert issue with VeriSign.

    GREAT SUCCESS!

  23. DAVE says:

    Hi Phil

    Right click the command prompt and run as Administrator: This will fix the elevated privileges error. I try to run everything as Administrator so as not to have this happen.

    Hope it’s not too late

  24. Phil says:

    Yeah, just got off of the phone with Godaddy. They say this is a "known issue" and their only advice is to try re-keying 3 or 4 times, and then if you still get the error, contacting Microsoft, who claims to have a work around, which I suspect is solution 2, but I haven’t verified.

    I did get solution 2 to work, but it only gets me half-way. I am installing the cert on a Microsoft Dynamics CRM 4.0 internet facing deployment and it works fine certificate-wise over Internet Explorer, but fails to work over the Client for Outlook during the configuration. The error I get is: The underlying connection was closed: Could not establish trust relationship SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.

    I’m going to try re-keying a few more times to see if installing this in the supported manner also resolves the CRM 4.0 Client for Outlook cert validation error.

    Phil

  25. Ramon says:

    Right on the money! The comments were helpful in assigning a friendly name after the re-pair.

    Thanks for the fantastic support!

    ~R

  26. Bhupender says:

    it really worked !!!!!!!!!!!! thx 🙂

  27. DaveH says:

    I almost took the advice of solution #1.  I’m glad I tried solution #2 first.  Sometimes it’s a hassle going back to the cert provider.  I would recommend switching solution #1 and #2.

  28. Uday says:

    Thanks a lot Buddy! It helped me to solve the problem.

  29. Jay says:

    TRY OPTION #1 FIRST: I had the exact same error, IIS 7, 64-bit. Option #1 worked perfectly for me w/the GoDaddy SSL Certificate.  I simply deleted the CSR, made a new CSR, re-keyed at GoDaddy, and re-installed the certificate (using GoDaddy’s instructions).  Had it fixed in 5 minutes. THANK YOU! THANK YOU! THANK YOU!

  30. Sumit says:

    Thanks a Lot Sir. It helped me.

  31. Dylan says:

    Fantastic, solution two is a beautiful fix. The "certificate authority we dare not name" always causes this problem for me. I have many certs to install/renew so this was a lifesaver. Thanks!

  32. Jeff M says:

    Solution 2. worked for me using SBS2008 and renewing a goDaddy certificate.  Many, many thanks for such a helpful blog post!!!

  33. Ken E says:

    Solution #2 is giving me the following error when trying to run CertUtil:

    CertUtil: -repairstore command FAILED 0x80090010

    CertUtil: Access denied.

    This is in WS2008 and IIS7, I am running command prompt with administrator privileges and I can't figure out why this isn't working.

    Anyone else resolve this access denied issue with certutil?

  34. Manish says:

    Lovely…Saved. Option 2 worked like charm…

  35. ashish says:

    I get the access denied message too.. Any idea what needs to be done?

  36. Steve S says:

    Solution #2 worked perfectly for me.  In my case, I believe the cause of it may have been that the cert was issued with an empty "Organizational unit" – GoDaddy deleted this in order to be able to complete the extended verification process.

  37. TRS says:

    How should the godaddy cert appear in bindings for the site if solution 2 went through without error?  For instance I do not see anything in the binding information column.  Want to make sure this worked.

  38. Brian C. says:

    Thank you very much.  This solved the problem.  Well written documentation and easy to follow.  Thanks again.

  39. Damir Grubisa - Group 4 Networks says:

    This worked for us….

    Solution :

    Begin by importing the .crt file into the Personal certificate store for the local computer.  (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key.

    Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /?

    The command you’ll want to run is:

    certutil -repairstore my "{insert all of the thumbprint characters here}"

    When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard.  The certificate should show up in the IIS Manager’s list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.  

    Damir Grubisa

    http://www.g4ns.com

  40. Mike K says:

    Solution 2 worked great.  You are a wonderful person for sharing.

  41. Dan says:

    Solution 2 worked with a Geo Trust cert that also required an intermediate certificate.

  42. Dunne says:

    Solution 2 worked for me with an Addtrust/Comodo certificate. Thanks a lot!

  43. ZeeBee says:

    Solution 2 worked for GlobeSSL certificate

  44. Olivier says:

    Solution 2 OK for me (Godaddy – starfield techno) but no "friendly name" anymore (?)

  45. Richard says:

    +1 on solution #2. (GoDaddy renew certificate on IIS7 win2008)

  46. john says:

    Solution 2:  worked for me as well, Thanks 🙂

  47. Mike J says:

    Great Blog on using the certutil command set.  Thanks for your help, you saved us quite a bit of time.

  48. Jim says:

    Thanks, another +1 on solutions #2. Worked for Symantec cert.

  49. Robert says:

    Six years later and it is still helping people. Searched for three hours for an answer, glad I found yours. Thanks