
SBS: complete certificate request error

So you created a certificate request with the SBS wizard and now want to complete it by running the wizard again and importing the CRT file you received, but you get an error:

The imported certificate does not match your web site

If you look in the detailed log file named TrustedCert.log, located at “C:\program files\Windows Small Business Server\Logs”, you may find an error referring to an ASN1 bad tag:

An exception of type ‘Type: System.Runtime.InteropServices.COMException, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ has occurred.
Timestamp: 07/10/2019 11:04:25
Message: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)
Stack: at Microsoft.WindowsServerSolutions.CERTENROLLLib.Interop.CX509EnrollmentClass.InstallResponse(InstallResponseRestrictionFlags Restrictions, String strResponse, EncodingType Encoding, String strPassword)
at Microsoft.WindowsServerSolutions.CoreNetworking.CertificateProvider.InstallCertResponse(Byte[] certificateBytes)

Luckily you can import the certificate manually and restore its link to the private key that was generated with the request, using the instructions below.

  1. Open a Microsoft Management Console (mmc) as administrator.
  2. Add the snap-in “certificates” and select computer account.
  3. Now go to Personal – Certificates, right click & select all tasks – import.
  4. Import the CRT file you received from the provider.
  5. Refresh the certificates list. The certificate is now present but without private key.
  6. Double-click the certificate, go to the details tab and copy the serial number. Should be something like: 1e 71 cb 7a ….
  7. Open a CMD with administrator rights and run the following command: certutil -repairstore my "<serialnumber>"
    Where <serialnumber> is the value from step 6, i.e. 1e 71 cb 7a ….
  8. Refresh the certificate list in the MMC snap-in, the certificate should now show the key icon because the private key is present.
  9. I suggest you make an export with the private key and extended properties and store it for safekeeping and later use.
  10. I tried the import certificate wizard in the SBS console again, selected the CRT file, it still failed, but now the certificate was configured and the OWA was working again with the new certificate.
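The manual procedure from steps 4 to 8, scripted as an added example (not code from the original post) so the result can be checked instead of eyeballed in the MMC. It assumes an elevated PowerShell session on the SBS box, a placeholder CRT path, and that the pending request's key still sits in the computer's REQUEST store.

```powershell
# Added example: import the issued CRT into the computer's Personal store,
# rebind it to the private key left behind by the pending request with
# certutil -repairstore (step 7), then verify the key is really attached.
$CrtPath = 'C:\install\mail_cert.crt'   # placeholder: path of the CRT you received

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CrtPath)

# Steps 4-5: put the certificate into Cert:\LocalMachine\My (Personal) if it is not there yet.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
$store.Close()

# Sanity check before repairing: certutil can only reattach a key that still exists
# locally. The pending request (assumption: in the REQUEST store) carries the same
# public key as the issued certificate, so compare public keys.
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.GetPublicKeyString() -eq $cert.GetPublicKeyString() }
if (-not $pending) {
    Write-Warning 'No pending request with a matching public key was found; repairstore will likely fail.'
}

# Step 6-7: certutil accepts the serial number (hex, spaces optional) as the lookup key.
$serial = $cert.SerialNumber
Write-Host "Repairing serial $serial (thumbprint $($cert.Thumbprint))"
$output = & certutil.exe -repairstore my $serial 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed:`n$output" }

# Step 8: the key icon in the MMC corresponds to HasPrivateKey on the stored object.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed.HasPrivateKey) {
    throw 'Certificate is installed but still has no private key attached.'
}
Write-Host 'Private key attached; you can now export it (step 9) and rerun the SBS wizard (step 10).'
```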


EXCHANGE 2007: Certificate with multiple DNS names

New-ExchangeCertificate -GenerateRequest -Path c:\install\mail_cert_request.csr -SubjectName "c=BE, o=******, ou=IT, cn=mail.*****.com" -DomainName: mail.******.com, autodiscover.*****.com, MAILSRV2, MAILSRV.*****.**, mail.****.** -KeySize 1024 -PrivateKeyExportable: $true
certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\install\MAIL_cert_request.csr

Choose the right CA and an output folder. In the Certification Authority MMC, open the certificate under Issued Certificates and go to the Details tab. Click Copy to File, include the complete chain, and save it as a .p7b file.

Import-ExchangeCertificate -Path C:\install\mail2.*****.com.p7b
Enable-ExchangeCertificate -Thumbprint 5B485A86***********60A04 -services IIS, POP, IMAP, SMTP
Remove-ExchangeCertificate -Thumbprint oldcertificatesthumbprint