“ASN1 bad tag value met” error when installing a ssl cert in IIS 7

Author: Steven Neiland

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Recently I had to deal with an issue at work where I had to install a new ssl cert on a server quickly but the person with the account details for the signing authority was unavailable. The person responsible had generated a ".cer" file but using the wrong ".csr" file from another server so when I went to install the cert I got this error.

ASN1 bad tag value met

Fortunately they had also sent me a ".crt" file for this cert so I was able to get that installed using this workaround.

Step 1: Load The Certificates SNAP-IN


To start we first must import the ".crt" file into the Personal Certificate Store on the server. To do this:

  1. Open the start menu and type mmc into the run box to start the Microsoft Management Console.
  2. Then in the window that opens click the "File" menu and select "Add/Remove Snap-in".
  3. In the new window highlight the "Certificates" snap-in and click the ADD button.
  4. In the next window that appears select "Computer Account" then "Next" and finally "Finish".

Step 2: Import the ".crt" file into the Personal Certificate Store

At this stage the certificates snap-in should be loaded into the tree nav on the left. From here:

  1. Drill down the certificates tree into Personal > Certificates
  2. Right-click on certificates and select All Tasks > Import
  3. In the new window browse to the .crt file and then click next.
  4. Then select to place the certificates in the personal keystore and click next again.
  5. Finally click finish.

Step 3: Run CertUtil to repair the certificate.

At this point the imported certificate is only a half-certificate as it is still missing its private key. To add the private key we use the CertUtil program to "repair" the certificate.

  1. Double-click the certificate file you just imported to open the certificate information window.
  2. Select the "Details" tab and scroll all the way down to the "Thumbprint" field and select it.
  3. This loads a series of numbers and letters into the lower pane. Copy these characters into notepad.
  4. Open the command prompt and run this command:
    Certutil /?" to display a list of commands and options.

The command you’ll want to run is:

certutil -repairstore my "paste in the characters from notepad here"

When you run this command you should get back this message.

CertUtil: -repairstore command completed successfully

If you have done everything correctly the certificate should now be valid for this server and be available for your websites to use in IIS.

Reader Comments

Charles Yates's Gravatar
Charles Yates
Wednesday, June 19, 2013 at 11:56:12 AM Coordinated Universal Time

Worked like a charm. Thanks!

  • Please keep comments on-topic.
  • Please do not post unrelated questions or large chunks of code.
  • Please do not engage in flaming/abusive behaviour.
  • Comments that contain advertisments or appear to be created for the purpose of link building, will not be published.

Archives Blog Listing