Recently I had to deal with an issue at work where I had to install a new SSL cert on a server quickly, but the person with the account details for the signing authority was unavailable. The person responsible had generated a ".cer" file, but using the wrong ".csr" file from another server, so when I went to install the cert I got this error:
ASN1 bad tag value met
Fortunately they had also sent me a ".crt" file for this cert so I was able to get that installed using this workaround.
Step 1: Load the Certificates Snap-in
To start we first must import the ".crt" file into the Personal Certificate Store on the server. To do this:
- Open the start menu and type mmc into the run box to start the Microsoft Management Console.
- Then in the window that opens click the "File" menu and select "Add/Remove Snap-in".
- In the new window highlight the "Certificates" snap-in and click the ADD button.
- In the next window that appears select "Computer Account" then "Next" and finally "Finish".
Step 2: Import the ".crt" file into the Personal Certificate Store
At this stage the certificates snap-in should be loaded into the tree nav on the left. From here:
- Drill down the certificates tree into Personal > Certificates
- Right-click on certificates and select All Tasks > Import
- In the new window browse to the .crt file and then click next.
- Then select to place the certificates in the personal keystore and click next again.
- Finally click finish.
Step 3: Run CertUtil to repair the certificate.
At this point the imported certificate is only a half-certificate as it is still missing its private key. To add the private key we use the CertUtil program to "repair" the certificate.
- Double-click the certificate file you just imported to open the certificate information window.
- Select the "Details" tab and scroll all the way down to the "Thumbprint" field and select it.
- This loads a series of numbers and letters into the lower pane. Copy these characters into notepad.
- Open the command prompt and run "certutil /?" to display a list of commands and options.
The command you’ll want to run is:
certutil -repairstore my "paste in the characters from notepad here"
When you run this command you should get back this message:
CertUtil: -repairstore command completed successfully
If you have done everything correctly, the certificate should now be valid for this server and be available for your websites to use in IIS.
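The three steps above as a PowerShell script, added here as an example and not part of the original post. The .crt path is a placeholder, and the script assumes an elevated session on the server that already holds the matching private key, since -repairstore can only link to a key that exists on the machine.

```powershell
# Added example: scripted version of Steps 1-3. Run in an elevated PowerShell session.
# $CrtPath is a placeholder; point it at the .crt file you were sent.
param(
    [string]$CrtPath = 'C:\path\to\your-certificate.crt'
)

$ErrorActionPreference = 'Stop'

# Steps 1-2: import the .crt into the computer account's Personal store (LocalMachine\My).
$cert = Import-Certificate -FilePath $CrtPath -CertStoreLocation Cert:\LocalMachine\My
$thumbprint = $cert.Thumbprint   # same value as the "Thumbprint" field on the Details tab
Write-Host "Imported '$($cert.Subject)' with thumbprint $thumbprint"
Write-Host "Valid from $($cert.NotBefore) to $($cert.NotAfter)"

# Right after import the store entry normally has no private key linked to it.
$stored = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
Write-Host "HasPrivateKey before repair: $($stored.HasPrivateKey)"

# Step 3: have certutil link the certificate to its private key.
# Passing the thumbprint from the object avoids the copy/paste through Notepad.
if (-not $stored.HasPrivateKey) {
    & certutil.exe -repairstore my $thumbprint
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE"
    }
}

# Verify the result instead of relying only on certutil's success message.
$stored = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
if (-not $stored.HasPrivateKey) {
    throw "Certificate $thumbprint still has no private key; IIS will not be able to bind it."
}
Write-Host "Certificate $thumbprint now has its private key and can be selected in IIS."
```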