Dealing with CertEnrol ASN1 bad tag error during IIS7 SSL certificate installation
Crispin – 21 November 2016
No warranty, express or implied, is provided with this solution. It-worked-for-me applies.
Recently I had to renew a GoDaddy SAN SSL/TLS certificate for our CazMiranda website and ran into a problem.
To explain a bit further SAN stands for Subject Alternate Name and this allows me to protect additional host names (eg dev.cazmiranda.co.uk) on the certificate as well as www.cazmiranda.co.uk.
Transport Layer Security (TLS) is, in essence, the newer version of Secure Sockets Layer (SSL), though frequently both are referred to as SSL. For more info on this topic, take a look at the Wikipedia article.
I had been through the process of renewing the certificate with GoDaddy and eventually clicked on this link:
There was a pause and then this error popped up: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. Gibberish by all accounts and a good reason to castigate the software developer for not creating a remedy options message rather than an error message – but let’s not go there for the moment.
Another place not to go is GoDaddy’s technical support; utterly useless and I won’t be spending over £100 with them next year because I hope to be on to Let’s Encrypt by then.
This is a multipart solution, but only some parts may apply to your circumstances. Remember that I’m dealing with a GoDaddy certificate, so the files types you receive may be slightly different if you use another provider.
Install the certificates manually
I'm assuming some IT competence in the following text.
- Open an MMC with the Certificates add-in.
- Go to the Intermediate Certificate Authorities folder
- Right-click and select All Tasks > Import.
- Find the intermediate certificate in your file system – I had to change the file filter to *.* to see it.
- Confirm that you are looking at an intermediate certificate – the word intermediate is often in the file name.
- Import the intermediate certificate.
- If successful, go to the Personal folder
- Right-click on it and once again go to All tasks > Import.
- Import the leaf certificate – ie the other one.
- If successful, move on to recovering the private key
Recovering the private key
I found a page from Entrust to help me with this and I’ve summarised it below. In this summary I’ve assumed some knowledge of dealing with Microsoft Server systems, so I've skipped a few things. For the complete detail, look at the page.
- Double-click on the crt or cer file (whichever your certificate provider has sent you) to show the certificate information.
- Go to the details tab of the dialogue box.
- Copy the hexadecimal serial number to Notepad or similar text editor
- Remove the spaces between the numbers
- Open a command prompt and run
certutil –repairstore my <your hex serial number goes here>
- This gave me a notice that the process has succeeded, so I then went to IIS manager and refreshed the page, but I still had a problem
Adding in the ‘friendly name’
I was missing the friendly name shown below. This is important if you have a SAN certificate and it’s not possible to change it within IIS7 as far as I know.
- The awfully nice people at Digicert have a utility for changing the friendly name that you can download. The page explains how to use it.
- The important thing is to create a name with a * followed by your domain name. Nota Bene: there is no dot between the star and the domain name.
Re-binding the certificate
- During the process of sorting out this problem, I had pointed the website at a maintenance page and removed the SSL/TLS bindings. You may need to re-instate them on the relevant website if you have done this.
- Once everything is up and running, check the certificate on the website has the expected expiry date.
- I use the SAN certificate on my development computer and this entails exporting the leaf certificate.
- Go to the Personal folder and then Certificates.
- Export the appropriate certificate to a pfx type file. I included the private key and didn’t delete the existing one.
- Apply a password and save to the file system.
- On the other computer import the pfx file using the Server Certificates panel in IIS manager ie you’ve clicked on the server name at the top to navigate to it.
- If you are renewing a certificate, you may end up with two certificates with the same friendly name and Issued To parameter, so delete the one due that will expire earliest.
- You will now need to rebind the certificate on the website itself.
This solution worked for me, but I won’t be going back to GoDaddy next year so it may cease to be a problem. If I’ve got to do the IT bit anyway, I might as well go to Let’s Encrypt because it’s free, automated and open. I will be keeping an eye on Rick Strahl’s blog posts to give me pointers with that and I gather there is a community web job for Azure website now as well, though I haven’t looked at it yet.
2017 © Caz Limited