ASN1 Bad Tag Error Installing an SSL Certificate in IIS 7

You've installed SSL certificates on previous versions of IIS more times than you care to remember. It's no rocket science - you create a certificate request, request the certificate from a Certification Authority, get the certificate and complete your certificate request.

Then there's IIS 7. Modularized. Optimized. Secure. You follow the same procedure as you did with previous versions of IIS. Create a certificate request, check. Get the certificate from a CA, check. Install the certificate, and that's where the familiarity ends. Instead of installing the certificate, IIS 7 throws up a cryptic error: There was an error while performing this operation. Details: CertEnroll::CX509Encrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267).


Figure 1: IIS 7's cryptic error when trying to install an SSL certificate

If you fire up the Certificates console (start a new MMC console | add Certificates snap-in | select the computer account), you'll see the certificate is indeed installed.

By default, IIS does not create a binding for HTTPS.


Figure 2: IIS 7's default site bindings

Add a binding for HTTPS

1. In the Site Bindings window, click Add
   
2. In the Add Site Binding window, select https from the Type: drop-down.
   
3. Select an IP address (or optionally, leave All Unassigned selected if you want the site to bind to the specified SSL port on all IP addresses
   
4. From the SSL certificate: drop-down, select the certificate you want to use for the binding/web site.
   
   [Optional] You can click the View button to view the certificate and ensure you're selecting the right one.
   
   Figure 3: Creating a binding for https in IIS 7
   
5. Click OK to close the Add Site Binding window.

Close the Site Bindings, start a browser, and test the web site using https.