“ASN1 bad tag value met” error when processing a certificate request in IIS 7

  • Article

 

 

We’ve seen a few instances of the following error message on 64 bit servers when IIS 7.0 is attempting to process a pending certificate request:

Complete Certificate Request

There was an error while performing this operation.

Details:

CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

This error seems to mean that the private key (created when the certificate request was made) does not match the public key (the .crt file). The keypair is not successfully joined into a working SSL certificate.

So far this behavior seems most common with .crt files (instead of the .cer files many of us are more used to) issued by one specific Certification Authority—which will remain nameless here.

The error shows up after reaching the point in the process where you 'specify certificate authority response' and guide the wizard to the 'File name containing the certification authority's response...' (the .crt file).

So far there seem to be two solutions.

Solution 1:

Verisign has a support article that matches this error message: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143. Their recommendation seems to be to replace the certificate with a new one. This method has worked for at least one of my customers in this place with a GoDaddy certificate. All they had to do was make a new certificate request (CSR text file), log into the the Godaddy web interface and re-key (we chose re-key rather than re-issue) their certificate. The new file processed fine.

Solution 2:

Begin by importing the .crt file into the Personal certificate store for the local computer. (Start button > Run: MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish > Click OK > drill into Personal > Certificates > right-click and select All Tasks > select Import > guide to the .crt file.) At this point your certificate is basically a half-certificate. It is still missing its private key.

Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint. In the lower pane, block and copy all the letters of the thumbprint. Paste the thumbprint characters into notepad. Open the command prompt and run this command: Certutil /?

The command you’ll want to run is:

 

certutil -repairstore my "{insert all of the thumbprint characters here}"

When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard. The certificate should show up in the IIS Manager’s list of server certificates at this point. It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.

Incidentally, a common way of attempting to deal with this error is to take the .p7b file from the Certification Authority and import the CA's certificates into the Trusted and Intermediate stores. As far as I can tell, this approach has no useful effect upon this problem.

Other relevant links:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143

https://blogs.msdn.com/vijaysk/archive/2008/11/25/certenroll-cx509enrollment-p-installresponse-asn1-bad-tag-value-met-0x8009310b.aspx

Comments

  • Anonymous
    January 18, 2009
    Thanks a lot. Solution 2 solved my problem!

  • Anonymous
    February 02, 2009
    When I attempt to run the certutil command on SBS2008 I get a permission error stating this command requires elevated priviledges to run.  Administrator privs are required to run this command.  Since the Administrator account is disabled/dissappears in SBS2008, I tried using the netword admin account and it gets the permissions error.  Am I missing something

  • Anonymous
    April 01, 2009
    Thank you. Solution 2 worked for me with a GoDaddy SSL cert.  

  • Anonymous
    June 07, 2009
    The second approach using certutil (under elevated privs on win2008 web edition) is getting an access denied : No key provider information Cannot find the certificate and private key for decryption. CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808) CertUtil: Access denied. Guess I'll need to try option 1 then :(

  • Anonymous
    June 29, 2009
    solution 2 did not work with Godaddy without the following modifications on server 2008 on the last step certutil -repairstore "My" "insert all of the thumbprint characters here" Basically put quotes "My" and don't put the {} marks where the thumbprint goes.  Thanks.

  • Anonymous
    July 12, 2009
    I believe I have found the cause of the problem.  If you are renewing an existing certificate (when I say renew I am not referring to the renew certificate function which most instructions warn against, but rather creating a certificate request from an existing certificate), when you complete the certificate request, you MUST right click on the existing certificate and select complete from the context menu.  If you attempt to right-click in an open area of the window and select complete request from that context menu, or if you delete the original certificate first and therefore can only right click in the open area of the window, you will receive this message.   If you have in fact deleted the original certificate, then you must follow the first procedure outlined above to rekey the certificate. Then you will be able to right click in the open area and select complete from that context menu.

  • Anonymous
    July 13, 2009
    Option 2 worked for me as well except it didn't give it a name... just blank.  Still worked.

  • Anonymous
    August 17, 2009
    When I try this I get prompted to enter a smartcard.  When I cancel out of that (we don't use smartcards) the certutil command fails with an ACCESS DENIED message. We don't use smartcards so I'm not sure why I'm being prompted for this. Anybody know anything about this?

  • Anonymous
    September 21, 2009
    Thanks a ton. Solution 2 rocks.

  • Anonymous
    September 26, 2009
    Same here, thanks so much for Solution #2 - you saved a lot of headache and downtime!

  • Anonymous
    September 29, 2009
    Many thanks for this solution. #2 worked perfectly for me. Also, even though the Name for the cert is blank in IIS, this can be remedied through the MMC. start -> run -> mmc -> File -> Add/Remove Snap-in -> select Certificates etc. Then go to Certificates -> Personal -> Certificates -> select the desired cert, right click, properties -> set a friendly name. Easy.

  • Anonymous
    October 22, 2009
    I tried option 1 first, that did not work.  Then tried option 2 which did work.  Thank you.

  • Anonymous
    November 23, 2009
    Thanks a lot! # 2 worked great!!!!

  • Anonymous
    November 24, 2009
    awesome my friend.. thank u so much... really option 2 was the one that worked for me. also on another forum they had said that copy from current to local account but that didnt work for me as the certutil command would complain that it could not find the certificate and private key for decryption. By doing the add-in and guiding to the .cer file, cert util worked fine...

  • Anonymous
    November 27, 2009
    Amazing!! Option 2 worked for me as well! Thanks again!

  • Anonymous
    December 01, 2009
    Thank you! Solution 2 worked a treat! Wasted so much time with this rubbish until I saw your blog.

  • Anonymous
    December 11, 2009
    Thanks Option 2 did the trick!!! This solved my problem of installation of GoDaddy SSL Certificate on I1S 7.0 with response ANS1 bad tag in cert enroll.

  • Anonymous
    December 14, 2009
    The comment has been removed

  • Anonymous
    December 23, 2009
    Thanks a lot, Solution 2 solve my problem too ... thanks, thanks

  • Anonymous
    January 10, 2010
    Yes, it works! Thank you very well for your technique :-)

  • Anonymous
    January 10, 2010
    Yes, it works! Thank you very well for your technique :-)

  • Anonymous
    January 15, 2010
    Solution #2 resolved my cert issue with VeriSign. GREAT SUCCESS!

  • Anonymous
    January 19, 2010
    Hi Phil Right click the command prompt and run as Administrator: This will fix the elevated priviledges error. I try to run everything as Administrator so not to have this happen. Hope its not to late

  • Anonymous
    January 20, 2010
    The comment has been removed

  • Anonymous
    February 03, 2010
    Right on the money! The comments were helpful in assigning a friendly name after the re-pair. Thanks for the fantastic support! ~R

  • Anonymous
    February 10, 2010
    its really worked !!!!!!!!!!!! thx :)

  • Anonymous
    February 16, 2010
    I almost took took the advice of solution #1.  I'm glad I tried solution #2 first.  Sometimes it's a hassle going back to the cert provider.  I would recommend switching solution #1 and #2.      

  • Anonymous
    March 14, 2010
    Thanks a lot Buddy! It helped me to solve the problem.

  • Anonymous
    April 08, 2010
    TRY OPTION #1 FIRST: I had the exact same error, IIS 7, 64-bit. Option #1 worked perfectly for me w/the GoDaddy SSL Certificate.  I simply deleted the CSR, made a new CSR, re-keyed at GoDaddy, and re-installed the certificate (using GoDaddy's instructions).  Had it fixed in 5 minutes. THANK YOU! THANK YOU! THANK YOU!

  • Anonymous
    April 30, 2010
    Thanks a Lot Sir. It helped me.

  • Anonymous
    May 04, 2010
    Fantastic, solution two is a beautiful fix. The "certificate authority we dare not name" always causes this problem for me. I have many certs to install/renew so this was a lifesaver. Thanks!

  • Anonymous
    June 02, 2010
    Solution 2. worked for me using SBS2008 and renewing a goDaddy certificate.  Many, many thanks for such a helpful blog post!!!

  • Anonymous
    September 08, 2010
    Solution #2 is giving me the following error when trying to run CertUtil: CertUtil: -repairstore command FAILED 0x80090010 CertUtil: Access denied. This is in WS2008 and IIS7, I am running command prompt with administrator privileges and I can't figure out why this isn't working. Anyone else resolve this access denied issue with certutil?

  • Anonymous
    September 21, 2010
    Lovely...Saved. Option 2 worked like charm...

  • Anonymous
    October 14, 2010
    I get the access denied message too.. Any idea what needs to be done?

  • Anonymous
    October 29, 2010
    Solution #2 worked perfectly for me.  In my case, I believe the cause of it may have been that the cert was issued with an empty "Organizational unit" - GoDaddy deleted this in order to be able to complete the extended verification process.

  • Anonymous
    November 24, 2010
    knowledge.verisign.com/.../index

  • Anonymous
    December 08, 2010
    How should the godaddy cert appear in bindings for the site is solution 2 went through without error.  For instance I do not see anything in the binding information column.  Want to make sure this worked.

  • Anonymous
    March 29, 2011
    Thank you very much.  This solved the problem.  Well written documentation and easy to follow.  Thanks again.

  • Anonymous
    April 12, 2011
    This worked for us.... Solution : Begin by importing the .crt file into the Personal certificate store for the local computer.  (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key. Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /? The command you’ll want to run is: certutil -repairstore my "{insert all of the thumbprint characters here}" When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard.  The certificate should show up in the IIS Manager’s list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.   Damir Grubisa www.g4ns.com

  • Anonymous
    April 26, 2011
    Solution 2 worked great.  You are a wonderful person for sharing.

  • Anonymous
    August 30, 2011
    Solution 2 worked with a Geo Trust cert that also required an intermediate certificate.

  • Anonymous
    September 06, 2011
    Solution 2 worked for me with an Addtrust/Comodo certificate. Thanks a lot!

  • Anonymous
    April 22, 2012
    Solution 2 worked for GlobeSSL certificate

  • Anonymous
    July 15, 2012
    Solution 2 OK for me (Godaddy - starfield techno) but no "friendly name" anymore (?)

  • Anonymous
    November 21, 2012
    +1 on solution #2. (GoDaddy renew certificate on IIS7 win2008)

  • Anonymous
    June 10, 2014
    Solution 2:  worked for me as well, Thanks :)

  • Anonymous
    June 13, 2014
    Great Blog on using the certutil command set.  Thanks for your help, you saved us quite a bit of time.

  • Anonymous
    September 17, 2014
    Thanks, another +1 on solutions #2. Worked for Symantec cert.

  • Anonymous
    January 06, 2015
    Six years later and it is still helping people. Search for three hours for an answer, glad i found yours. Thanks