Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Recently I had to deal with an issue at work where I had to install a new SSL cert on a server quickly, but the person with the account details for the signing authority was unavailable. The person responsible had generated a ".cer" file, but using the wrong ".csr" file from another server, so when I went to install the cert I got this error:

ASN1 bad tag value met

Fortunately they had also sent me a ".crt" file for this cert so I was able to get that installed using this workaround.

Step 1: Load The Certificates SNAP-IN

To start we first must import the ".crt" file into the Personal Certificate Store on the server. To do this:

  1. Open the start menu and type mmc into the run box to start the Microsoft Management Console.
  2. Then in the window that opens click the "File" menu and select "Add/Remove Snap-in".
  3. In the new window highlight the "Certificates" snap-in and click the ADD button.
  4. In the next window that appears select "Computer Account" then "Next" and finally "Finish".

Step 2: Import the ".crt" file into the Personal Certificate Store

At this stage the certificates snap-in should be loaded into the tree nav on the left. From here:

  1. Drill down the certificates tree into Personal > Certificates
  2. Right-click on Certificates and select All Tasks > Import.
  3. In the new window browse to the .crt file and then click next.
  4. Then select to place the certificates in the personal keystore and click next again.
  5. Finally click finish.

Step 3: Run CertUtil to repair the certificate.

At this point the imported certificate is only a half-certificate as it is still missing its private key. To add the private key we use the CertUtil program to "repair" the certificate.

  1. Double-click the certificate file you just imported to open the certificate information window.
  2. Select the "Details" tab and scroll all the way down to the "Thumbprint" field and select it.
  3. This loads a series of numbers and letters into the lower pane. Copy these characters into notepad.
  4. Open the command prompt. You can run "certutil /?" to display a list of commands and options.

The command you’ll want to run is:

certutil -repairstore my "paste in the characters from notepad here"

When you run this command you should get back this message.

CertUtil: -repairstore command completed successfully

If you have done everything correctly the certificate should now be valid for this server and be available for your websites to use in IIS.
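
To confirm the repair actually attached a private key, the following PowerShell sketch wraps the same certutil command with a check before and after. It is an added example, not part of the original post; it assumes an elevated PowerShell session, and the thumbprint value is a constructed placeholder.

```powershell
# Added example: repair and verify a certificate in the computer account's
# Personal store. Assumes an elevated PowerShell session.

# Constructed placeholder: replace with the Thumbprint copied from the Details tab.
$rawThumbprint = 'aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd'

# Text copied from the certificate dialog can carry spaces and invisible
# characters; keep only hex digits so the lookup matches the right certificate.
$thumbprint = ($rawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($thumbprint.Length) characters."
}

# Find the imported certificate in the Personal ("my") store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My."
}

if (-not $cert.HasPrivateKey) {
    # Same command as in the post: re-associate the certificate with its key.
    & certutil.exe -repairstore my $thumbprint
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE."
    }
    # Re-read the store entry so HasPrivateKey reflects the repair.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"
}

# Show what will be offered for site bindings: subject, expiry, key status.
$cert | Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey | Format-List
if (-not $cert.HasPrivateKey) {
    throw 'Certificate still has no private key; no matching key was found on this server.'
}
```

If HasPrivateKey is still False after the repair, the certificate will not be usable for an HTTPS binding on this server.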

Reader Comments

Charles Yates
Wednesday, June 19, 2013 at 11:56:12 AM EDT

Worked like a charm. Thanks!
