Tuesday, May 5, 2015

Manually replace an SSL Certificate in IIS 7

Recently I was trying to update an SSL Certificate on our Windows Server on IIS7 and when trying to complete the Certificate Request I was getting a cryptic error.

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met.

In short I wasn't able to find much help on this, but after much fiddling I found an alternate procedure to import SSL Certificates in PKCS#7 or X.509 formats.

Instead of trying to import the certificate directly in IIS, add it to the certificate store manually by doing the following. Then refresh and it will show up in IIS as expected.

  1. Save the certificate and make sure it is accessible on the server.
  2. On the server open up MMC.
    1. Start > Run > MMC
  3. Add Certificates Snap-in
    1. File > Add/Remove Snap-in
    2. Select Certificates > Add > My User Account > Add
    3. Select Certificates > Add > Computer Account > Next > Finish
    4. Click Ok
  4. Check in both Current User and Local Computer for old certificates to remove
    1. Look under Personal > Certificates
    2. Remove the old certificate you are trying to replace by selecting it and pressing delete.
  5. Import the new certificate by either method
    1. Double Click it in the file browser and choose Install Certificate
    2. Under Local Computer > Personal > Right Click and select All Tasks > Import.
  6. Move the new certificate to the proper store
    1. Expand either Current User > Personal > Certificates or Current User > Other People > Certificates to find the new certificate.
    2. Verify the expiration date to ensure you have found the new certificate and not the old one.
    3. Drag the certificate into the Local Computer > Personal > Certificates store.
  7. Look up the Certificate Thumbprint
    1. Now that the certificate is in the proper location, Double Click on it to view the details.
    2. Click on Details > Edit Properties and set the Friendly Name to the proper domain name.
    3. Click Ok to go back, then scroll down in the Details list to find the Thumbprint and copy this to your clipboard.
  8. Import the Private Key
    1. Open an elevated Command Prompt
      1. Start > Type command > Right Click > Run As Administrator
    2. Enter the following command, replacing the sample Thumbprint with the value you looked up above. Make sure to keep the quotation marks (plain ASCII quotes, not the curly ones some editors insert).
    3. certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
    4. Now go back to the certificate loaded into the Personal store and refresh; you will see a little key icon next to it. Without this private key IIS won't be able to serve pages with the certificate.
  9. Now if you go back to IIS you will see your certificate
    1. If you don't see the new certificate then it either wasn't moved to the proper location or doesn't have the private key required to function.
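The same checks from steps 6 through 9 can be scripted so that the "is it in the right store, is it the new one, does it have a private key" questions are answered in one pass. The script below is an added example, not part of the original post: it looks for the certificate by thumbprint in the Local Computer Personal store, copies it there from the Current User Personal or Other People store if that is where the import landed, warns if the certificate is already expired (the old one was picked by mistake), runs `certutil -repairstore` when the private key association is missing, and finally lists the current HTTPS bindings. The `$Thumbprint` value is a placeholder; substitute the one copied from the Details tab and run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): verify and repair an imported
# SSL certificate before expecting it to appear in IIS.
# Assumptions: $Thumbprint is the value copied from the certificate's Details
# tab (placeholder value below); the session is running as Administrator.
param(
    [string]$Thumbprint = "00010203040506070809 0A0B0C0D0E0F"  # placeholder
)

# Both certutil and the Cert: drive accept the thumbprint without spaces.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

function Find-Cert {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

$machineCert = Find-Cert 'Cert:\LocalMachine\My'

if (-not $machineCert) {
    # Step 6 of the post: the import may have landed in a Current User store.
    # "Other People" is exposed by the Cert: provider as AddressBook.
    foreach ($path in 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\AddressBook') {
        $userCert = Find-Cert $path
        if ($userCert) {
            Write-Host "Found certificate in $path; copying to LocalMachine\My"
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
            $store.Open('ReadWrite')
            $store.Add($userCert)
            $store.Close()
            $machineCert = Find-Cert 'Cert:\LocalMachine\My'
            break
        }
    }
}

if (-not $machineCert) {
    Write-Error "Certificate $Thumbprint not found in LocalMachine\My or the Current User stores"
    exit 1
}

# Step 6.2: confirm this is the new certificate, not the one being replaced.
Write-Host ("Subject : {0}" -f $machineCert.Subject)
Write-Host ("Expires : {0:u}" -f $machineCert.NotAfter)
if ($machineCert.NotAfter -lt (Get-Date)) {
    Write-Warning "This certificate has already expired; check that you imported the new one."
}

# Step 8: without a private key IIS cannot use the certificate at all.
if (-not $machineCert.HasPrivateKey) {
    Write-Host "No private key attached; running certutil -repairstore"
    & certutil.exe -repairstore my $Thumbprint
    $machineCert = Find-Cert 'Cert:\LocalMachine\My'
}

if ($machineCert.HasPrivateKey) {
    Write-Host "Private key present; the certificate should now be selectable in IIS."
} else {
    Write-Error "Private key still missing; the key pair from the original request may not exist on this machine."
    exit 1
}

# Step 9 cross-check: show which certificate hash is actually bound to HTTPS.
& netsh.exe http show sslcert
```

Copying the certificate between stores with `X509Store.Add` moves only the public certificate, exactly like dragging it in MMC, which is why the `HasPrivateKey` check and the `certutil -repairstore` call follow it: the key pair generated when the request was created lives in the machine key container, and `-repairstore` re-links it. If the key was generated under a user profile or on a different server, the repair cannot succeed and the certificate request has to be redone from that machine.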
