Jasinski Technical Wiki

Navigation

Home Page
Index
All Pages

Quick Search
»
Advanced Search »

Contributor Links

Create a new Page
Administration
File Management
Login/Logout
Your Profile

Other Wiki Sections

Software

PoweredBy

Page History: Completing an SSL Certificate Request

Compare Page Revisions



« Older Revision - Back to Page History - Newer Revision »


Page Revision: Tue, Jan 26, 2016, 3:50 PM


Overview

This article documents how to complete a CSR (Certificate Signing Request) for an SSL certificate

Completing the Request

Via Certificate Management

For a SAN certificate, this method is preferred over IIS, as it seems to have fewer issues.

  1. Navigate to server where CSR was generated
  2. Open the Certificate Console. See this article for details how.
  3. Import the certificate into the Personal Certificate Store.
  4. If necessary, edit the certificate's Friendly Name.
  5. In IIS, change the bindings of websites to use the new certificate.
  6. If you need to install the certificate on another server or a load balancer, export the certificate INCLUDING the private key. Be sure to retain the password for later.

Via IIS

  1. Navigate to server where CSR was generated
  2. Navigate to IIS > Server
  3. Double-click Server Certificates
  4. In the right pane, click link: "Complete Certificate Request"
  5. Specify the P7B file
  6. For the "Friendly Name" field specify the main domain name in all lower case

Onto an Amazon Load Balancer

Reference: https://uglyduckblog.wordpress.com/2012/10/21/using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/

  1. If you haven't done so already, export the certificate from the web server, and include the private key.
  2. Use Open SSL (available at OpenSSL.org) to export the private key and the public certificate
  3. Extract private key from a PFX file and write it to PEM file
    "C:\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
  4. Extract the certificate file from the PFX file
    "C:\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
  5. Remove the password from the private key file.
    "C:\OpenSSL-Win64\bin\openssl.exe" rsa -in privateKey.pem -out private.pem
  6. In the AWS Console, navigate to the load balancer of interest (under EC2) and select the "Listeners" tab
  7. In the "SSL Certificate" column, click the "Change" link
  8. Select the option for "Upload a new certificate"
  9. Specify a name that includes the current date
  10. For the "Private Key" field, paste the entire contents of the "private.pem" file
  11. For the "Public Key Certificate" field, paste the entire contents of the "publicCert.pem" file.
  12. For the "Certificate Chain" field, paste the entire contents of the intermediate certificate (pem-encoded) file. You can get this from the certificate issuer's email or their site. NOTE: Although this field is labeled "Optional", you will likely have issues in some browsers or on some devices if you leave it blank.
  13. Check the SSL certificate installation by using this tool: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

Troubleshooting

Resolving an ASN1 Bad Tag Error

Reference: http://blogs.msdn.com/b/webtopics/archive/2009/01/03/asn1-bad-tag-value-met-error-when-processing-a-certificate-request-in-iis-7.aspx

ASN1 Bad Tag Error Message

ASN1 Bad Tag Error Message


If during the above procedure you get the error message "There was an error while performing this action. CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)", execute the following procedure to resolve it.

  1. Open the Certificate Console. See this article for details how.
  2. Import the certificate into the Personal Certificate Store. At this point the certificate is missing the private key.
  3. Double-click the P7B file and get the thumbprint of the certificate.
  4. Issue the following command on the server: certutil -repairstore my "thumbprint"
  5. When you see the response: "CertUtil: -repairstore command completed successfully" you should have a private key associated. NOTE: You may have to refresh the Microsoft Management Console window to see the private key on the certificate.
  6. The certificate should now be available for bindings within IIS

Binding Multiple Websites to a SAN Certificate

Reference: https://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

  1. Bind the SSL certificate to the site for the main domain
  2. In a Command Window, navigate to C:\Windows\System32\Inetsrv\ and issue the following command for each Subject Alternative Name on the certificate, where IISSiteName is the name of the site as listed in the IIS Console, and hostHeaderValue is the domain name to bind to.

appcmd set site /site.name:"IISSiteName" /+bindings.[protocol='https',bindingInformation='*:443:hostHeaderValue']

Undocumented IIS Hack for SSL Binding

Reference: https://techontip.wordpress.com/2011/06/06/how-to-configureimport-san-certificate-in-iis-7-x/

If the above procedure doesn't work, there's an undocumented IIS hack that may work.

  1. Open the Certificate Console. See this article for details how.
  2. Navigate to Console Root > Certificates (Local Computer) > Personal > Certificates
  3. Right-click the certificate and select Properties
  4. In the Properties dialog for the certificate, add an asterisk at the beginning of the Friendly Name field. Now when you select the certificate you will able type the host header in the IIS Manager itself (i.e., the Host Name field will be enabled).

Certificate Properties Dialog

Certificate Properties Dialog

ScrewTurn Wiki version 3.0.1.400. Some of the icons created by FamFamFam. Except where noted, all contents Copyright © 1999-2024, Patrick Jasinski.