Tech Quintal

How to Fix “ASN Bad tag value met” or “Cannot find certificate request associated with this certificate file” error on the IIS7

ASN Bad tag value met or Cannot find certificate request associated with this certificate file

IIS servers are very common these days. If you ever got “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created” or “ASN1 bad tag value met” error on the IIS7 while trying to import SSL certificates, this article is for you.

As the error itself tells, the first one is happened because of trying to import a CSR you have used for the certificate activation generated on a different computer or server and the second was happened due to the mismatch between the private and public keys in CSR. If you are 100% sure that the CSR was generated on the same server, you can do this.

Simply close the window and return to the certificate list. Press F5 to refresh the list of certificates. If you see the certificate appears on the list, everything is ok, and you can continue the process. If not, most likely, you forgot to give a Friendly Name to the certificate. You could also try recreating the certificate and reissuing it. Then try again with the process.

How to Fix “ASN Bad tag value” or “Cannot find certificate request associated with this certificate file” error on the IIS7

ASN Bad tag value met
Cannot find certificate request associated with this certificate file

If this simple fix doesn’t fix the problem, it is the time to try something advanced. Have a look.

Try opening the certificate in .p7b format

You could try converting your regular certificate file to the PKCS#7 format which should be used during the installation process. The .p7b file could be downloaded directly from your certificate registrar or can use some SSL format converters like this.

Using Microsoft Management Console

Begin by importing the .crt file into the Personal certificate store for the local computer.

  1. Open Run by pressing Win+R keys together.
  2. Type MMC in the box and press enter.
  3. Confirm the action by clicking Yes.
  4. It will open the Microsoft Management Console.
  5. Go to the File Menu and click on Add/Remove Snap-in option.
  6. It will open a window. Highlight Certificates snap-in and click the ADD button.
  7. Select Computer Account radio option and then click Next and Finish.
  8. Click OK.
  9. Click on the certificates option at the left side.
  10. Navigate to Personal Certificates.
  11. Right-click on the right side and select All Tasks > Import.
  12. Browse the .crt file. Now, the certificate has imported, but it is still missing its private key.
  13. Double-click the .crt certificate file you just imported.
  14. Go to the Details tab.
  15. Scroll all the way down to Thumbprint and highlight Thumbprint.
  16. In the lower pane, block and copy all the letters of the thumbprint.
  17. Open the notepad and paste the thumbprint characters.  Open the command prompt and run the Certutil /? command. It is: 
    certutil -repairstore my “{insert the thumbprint characters here}”
  18. Now, you will get “CertUtil: -repairstore command completed successfully” response. Which means, you have a private key associated with the .crt file in the personal store.

You don’t have to run through “Complete Certificate Request…” wizard again. Check your IIS Manager’s list of server certificates, you will see it there. The certificate will also be available in the SSL Certificates drop-down list when attempting to edit the https binding for your website.

Be sure to add the “Friendly Name”

Missing the friendly name during the certificate installation on IIS could cause the “Cannot find certificate request associated with this certificate file” or “ASN Bad tag value met” error. So, restart the process and make sure that you entered a friendly name in the correct box.

Make sure that the CSR was generated on the same server

If you are not sure that the CSR was generated on the same server and any one of the above-given methods are not working for you, you could either try the process from the origin server or can regenerate a new CSR from the current server. If so, the whole certificate issuance process should be done from scratch. It is very rare to occur the issue due to the difference in servers.

Restart the whole process

If anything doesn’t help you to fix “ASN Bad tag value met” or “Cannot find certificate request associated with this certificate file error on the IIS7 you could also try restarting the whole process again. Start by generating a CSR and reissue your certificate. In most of the cases, this solves the problem.

Contact Microsoft

As a last resort, you could directly contact Microsoft and ask for a solution. There are several forums available where thousands of experts are ready to help you. Just visit their forums and explain your problem in detail. You will surely get an answer ASAP.

We hope, you got a solution to fix the “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created” or “ASN1 bad tag value met” error.

Exploring the Use of IIS Crypto to Resolve Issues

When working with IIS7, it’s crucial to remember that the toolset you use can greatly influence your experience and the solutions available to you. IIS Crypto is an invaluable tool for addressing certificate errors like “ASN Bad tag value met” or “Cannot find the certificate request associated with this certificate file” during troubleshooting.

What is IIS Crypto?

IIS Crypto provides administrators with a free solution to manage protocols, ciphers, hashes, and key exchange algorithms on Windows Server editions including 2008, 2012, 2016, and 2019. This versatile tool allows users to rearrange the SSL/TLS cipher suites provided by IIS, effortlessly implement recommended practices with a simple click, generate personalized templates, and conduct website testing.

Here is a video explaining the working of IIS Crypto –

How Can IIS Crypto Help?

The IIS Crypto tool can potentially help resolve certificate errors. If the problem arises due to a conflict between the protocol or cipher suite used by the IIS server and the SSL certificate, IIS Crypto can help you identify and manage these protocols and suites. This will allow you to streamline the SSL implementation process and possibly prevent these errors.

Using IIS Crypto to Troubleshoot

To use IIS Crypto, follow these steps:

  1. Download the IIS Crypto tool from the official website.
  2. Install and open the tool. You will see a list of available protocols, cipher suites, hashes, and key exchange algorithms.
  3. The checkboxes represent what is currently active on your server. You can select or deselect these as needed.
  4. After making changes, click “Apply” and then restart your server for the changes to take effect.

Remember, it’s important to only disable protocols or cipher suites if you understand the impact they will have on your server’s functionality and security. When in doubt, consult with a cybersecurity professional.

This extra tool in your arsenal can prove to be valuable. While it may not resolve all issues related to SSL certificate errors, it’s a starting point for deeper troubleshooting. If you’re still encountering problems, contacting Microsoft support, as mentioned earlier, can provide additional assistance.

Next Article