CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met.
In short, I wasn't able to find much help on this, but after much fiddling I found an alternate procedure to import SSL certificates in PKCS#7 or X.509 formats.
Instead of trying to import the certificate directly in IIS, add it to the certificate store manually by doing the following. Then refresh and it will show up in IIS as expected.
- Save the certificate and make sure it is accessible on the server.
- On the server open up MMC.
Start > Run > MMC
- Add Certificates Snap-in
File > Add/Remove Snap-in
Certificates > Add > My User Account > Add
Certificates > Add > Computer Account > Next > Finish
- Check in both
Local Computer for old certificates to remove
- Look under
Personal > Certificates
- Remove the old certificate you are trying to replace by selecting it and pressing
- Import the new certificate by either method
- Double-click it in the file browser and choose
Local Computer > Personal > Right Click and select
All Tasks > Import.
- Move the new certificate to the proper store
- Expand either
Current User > Personal > Certificates or
Current User > Other People > Certificates to find the new certificate.
- Verify the expiration date to ensure you have found the new certificate.
- Drag the certificate into the
Local Computer > Personal > Certificates store.
- Look up the Certificate Thumbprint
- Now that the certificate is in the proper location, double-click on it to view the details.
- Click on
Details > Edit Properties and set the
Common Name to the proper domain name.
Ok to go back and then scroll down to find the
Thumbprint and copy this to your clipboard.
- Import the Private Key
- Open an elevated Command Prompt
Start > Type command > Right Click > Run As Administrator
- Enter the following command, replacing the sample Thumbprint with the value you looked up above. Make sure to keep the quotation marks.
certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
- Now go back to the Certificate loaded into the Personal store and refresh and you will see a little key icon next to it. Without this it won't be able to sign pages in IIS.
- Now if you go back to IIS you will see your certificate
- If you don't see the new certificate then it either wasn't moved to the proper location or doesn't have the private key required to function.
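
To tell which of those two conditions applies, the stores used in the steps above can be checked from an elevated PowerShell prompt. This is an added example, not part of the original post; the function name `Find-CertByThumbprint`, its output fields and the sample thumbprint are constructed for illustration.

```powershell
# Added example: function name and output fields are illustrative, not from the original post.
function Find-CertByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # A thumbprint copied from the certificate dialog contains spaces and can carry
    # invisible characters, so keep only the hex digits before comparing.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        Write-Warning "Thumbprint has $($clean.Length) hex digits; a SHA-1 thumbprint has 40."
    }

    # Local Computer > Personal, Current User > Personal, Current User > Other People
    $stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\AddressBook'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $clean } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                    # Both conditions from the last step: right store and a private key.
                    ExpectedInIIS = ($store -eq 'Cert:\LocalMachine\My' -and $_.HasPrivateKey)
                }
            }
    }
}

# Constructed placeholder thumbprint; replace it with the value copied from the certificate details.
Find-CertByThumbprint -Thumbprint '00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13' |
    Format-Table -AutoSize
```

No output means the certificate is in none of the three stores. A row with `HasPrivateKey` set to `False` in `Cert:\LocalMachine\My` means the `certutil -repairstore` step has not taken effect.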