IIS7 and Renewing SSL Certificates

You know: this used to be easy.

The time came around again to update a digital SSL certificate on one of my client's servers. This is Windows 2008 SBS and the renewal process from IIS7 is supposed to be fairly straightforward. You're to open IIS7's Administrative Console, select your server, and under the Category group, open the Server Certificates console. Once you select the desired certificate, on the right-hand side Actions pane, you're to select the RENEW option. The wizard starts and you have the ability to renew from a local CA (Certificate Authority) or generate the usual request file for a remote CA. All this is well and good.

That, at least, is the theory. The CA request generated by IIS7 is too long and it won't be accepted by a CA. Microsoft embedded inappropriate information in the CSR file to conduct the renewal. Thus, Verisign technical support had to tell me to create an entirely new request rather than a renewal. A hassle, but fine, I did so. After I received the certificate, though, I went to conduct the import and received the following message from IIS7:

There was an error while performing this operation.
Details:
CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

The problem was caused by an error in IIS7 that mismatched the private key tied to this public key. It may also be related to an expiration date on the old key if it still exists. There is conflicting information on the web. It sure would be nice if there were meaningful error messages generated by a commercial server operating system that's been around for 1.5 years.

Now, in order to fix it, you have to manually import the CER response file, run a command-line utility to restore the "thumbprint" of the new encryption key (re-linking the certificate to the private key that was generated with the request), and then, finally, you can bind the SSL cert to your site. A full step-by-step can be found in Verisign's KB Article SO11614.
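The three steps above, as an added PowerShell example rather than anything from the original post or from Verisign's KB: it imports the CA response into the machine's personal store, repairs the certificate-to-private-key link by thumbprint with certutil, verifies the key is actually attached before going further, and then registers the HTTPS binding. The file path, the host name used to locate the certificate and the site name are assumptions; the application id is the well-known IIS one.

```powershell
# Added example (not from the original post). Run from an elevated prompt on the IIS7 box.
$cerPath  = 'C:\certs\www_example_com.cer'   # assumed: the CA's response file
$hostName = 'www.example.com'                # assumed: CN of the requested certificate
$siteName = 'Default Web Site'               # assumed: IIS site to bind the cert to

# Step 1: import the response into the Local Machine "Personal" (my) store.
certutil -addstore my $cerPath | Out-Null

# Step 2: locate the imported certificate and re-link it to the private key that
# IIS created when the request was generated. This is the "restore the thumbprint"
# step; without it IIS sees a certificate with no usable key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$hostName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName found in LocalMachine\My" }

certutil -repairstore my $cert.Thumbprint | Out-Null

# Check before binding: the repair is the whole point, so confirm the key is present.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) still has no private key; the key from the original request is missing"
}

# Step 3: add an HTTPS binding to the site and register the certificate for port 443.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set site /site.name:"$siteName" "/+bindings.[protocol='https',bindingInformation='*:443:']"
# {4dc3e181-e14b-4a21-b022-59fc669b0914} is the application id IIS uses for its own SSL bindings.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$cert.Thumbprint appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# Final check: the binding should now list the new thumbprint.
netsh http show sslcert ipport=0.0.0.0:443
```

If the `HasPrivateKey` check fails after `certutil -repairstore`, the pending request that generated the key pair is gone (deleted or expired, as the post describes) and the only recovery is a fresh request; no amount of re-importing the response will attach a key that no longer exists.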

Microsoft does have a KB article 959216 on the issue and claims that it's a problem with the code that looks for the cert's friendly name in a PKCS#7-formatted CSR. However, I tried following the very terse instructions and got nowhere. It may be referring to another incident in managing certs where the same message is generated. As a side note, it may be easier if you get the response *.CER file in the x500 (?) format alternative instead of the PKCS#7 format, and maybe, just maybe, you can avoid this problem. I dunno; I haven't tried it.

Bottom line: this is IIS7, theoretically an improvement over IIS6, but it took me three times the normal time to do something that was supposed to be wizard-driven and simple. This used to be easy. Now it's just broken. Duh. Hopefully these tips may help you out if you're stuck in the same process.

R