Thursday, 4 February 2010

CA-Cert SSL Certificate Renewal Process - IIS7

When you logon to CACert to renew the server certificate - it will renew the certificate and will expire in 6 months time. If you try to renew the existing certificate with this one on IIS7 it fails with the following error:
 
CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x08009310b (ASN: 267)
 
You can then use the IIS7 wizard to generate a renewal CSR to submit to the CA. However CACert does not support this type of CSR.
 
Your only option is to first generate a new CSR for the existing domain from IIS7 then submit it to CACert. This will return a valid certificate that can be imported into IIS using the Complete CSR wizard. You will will now have two seemingly identical certificates. The old one can be removed - you will have to update the bindings for the affected websites to use the new certificate. You will also have two identical certificates in CACert - the older one can be revoked.