Ask a Question

Advanced Search

Solution ID : SO11279

Last Modified : 05/02/2018

Invalid Renewal CSR Created with Microsoft IIS 7.0

Problem

Invalid CSR gets created when generating a renewal CSR in Microsoft IIS 7.0.

You may receive one of the following error messages when submitting the CSR:
  • CSR encoding error. Submit a valid CSR
  • CSR file too large
 
The server generates an invalid CSR which looks like the one below:
 
-----BEGIN NEW CERTIFICATE REQUEST-----
MIILxwYJKoZIhvcNAQcCoIILuDCCC7QCAQExCzAJBgUrDgMCGgUAMIIGlQYJKoZI
hvcNAQcBoIIGhgSCBoIwggZ+MIIF5wIBADB6MQswCQYDVQQGEwJHQjEOMAwGA1UE
CAwFRXNzZXgxFTATBgNVBAcMDExlaWdoIE9uIFNlYTEZMBcGA1UECgwQQW5jYXRv
d24gTGltaXRlZDEJMAcGA1UECwwAMR4wHAYDVQQDDBV3d3cuYnVja2FuZHJ5YW4u
Y28udWswgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN5A0DSAL6NkqkS9PRsG
q2VfBqDRxUrn3/8F5bA4KRnljdYqNY2PFk77n8YOoT0ss3bUxsjRbjF5PmD652x4
94ZXdLpckDIV8S9bjKhfPkibcNQf/gyswlKE9j46faLGUtuQuR4QQcXZZVYz5VIW
QOmVmGiR/BGHowSAmJGEXD0BAgMBAAGgggTCMBoGCisGAQQBgjcNAgMxDBYKNi4w
LjYwMDEuMjBDBgkrBgEEAYI3FRQxNjA0AgEFDAlWTVNFUlZFUjMMF1ZNU0VSVkVS
M1xBZG1pbmlzdHJhdG9yDAtJbmV0TWdyLmV4ZTBmBgorBgEEAYI3DQICMVgwVgIB
Ah5OAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwB0AHIAbwBuAGcAIABDAHIAeQBwAHQA
bwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByAwEAMGsGCSqGSIb3DQEJ
DjFeMFwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFOGqioe4aoap0sS+JhMJk8a7ygzjMA4GA1UdDwEB/wQEAwIH
gDCCA4gGCSsGAQQBgjcNATGCA3kwggN1MIIC3qADAgECAhBb3AyH+ZksUBdyICcM
x+NsMA0GCSqGSIb3DQEBBQUAMIHOMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2Vz
dGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoTFFRoYXd0ZSBD
b25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERp
dmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIgQ0ExKDAmBgkq
hkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wHhcNMDcwMzA1MTMz
MjI1WhcNMDkwMzA5MTU0NjI5WjB6MQswCQYDVQQGEwJHQjEOMAwGA1UECBMFRXNz
ZXgxFTATBgNVBAcTDExlaWdoIE9uIFNlYTEZMBcGA1UEChMQQW5jYXRvd24gTGlt
aXRlZDEJMAcGA1UECxMAMR4wHAYDVQQDExV3d3cuYnVja2FuZHJ5YW4uY28udWsw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKmJ6gzryW4VM+KRVJpZBomZVyMl
lumSI9Za2Q2mEe8BInDkN4ES6e1qJ5+yuso5lFBwbZTuqkBIvrTQSzLnIngWgdlZ
Jr5p79MH4ZEF5JlN7Z4eJZXQ803rYtF85gGXcE4ePgRSOuqde/5rL6s9PBj8S6hY
BhRQNvA1IOB3/uwPAgMBAAGjgaYwgaMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9jcmwudGhhd3RlLmNvbS9U
aGF3dGVQcmVtaXVtU2VydmVyQ0EuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF
BQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqG
SIb3DQEBBQUAA4GBADwWUyt7Oo8y3x/mqjr50jFUXt0/9FcXNHqt4Y1/iNT6g9rk
KcAOyDy//xMDDAV4dRHvXPg2D/Iy2bJVEjUOlBbp+Lq34rxo7ZdtckS7gJgV14/1
F3Xr1LLLBuTO0DeOZRBTUHpyxeHzaEcIk9BDLLtawEnPXDsWfn5HF/MVp4IrMA0G
CSqGSIb3DQEBBQUAA4GBALeaplERxYjnIxs0jmjsoIkz+gu6OFL6MSvmndkEAKyf
R7iSgzEHG1WPFrPfvGhQDO2j/AeOoq+zlvzPFq0Zjey01G+6rwLCPz0MXZqiAwnb
DeBI6/y6P2ycw2HzIYWKXS4hr6lLFYGWa1CxEhhnJLmv4dtyHbrVE7h+JTN+IW/H
oIIDeTCCA3UwggLeoAMCAQICEFvcDIf5mSxQF3IgJwzH42wwDQYJKoZIhvcNAQEF
BQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNV
BAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAm
BgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMT
GFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1
bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw0wNzAzMDUxMzMyMjVaFw0wOTAzMDkxNTQ2
MjlaMHoxCzAJBgNVBAYTAkdCMQ4wDAYDVQQIEwVFc3NleDEVMBMGA1UEBxMMTGVp
Z2ggT24gU2VhMRkwFwYDVQQKExBBbmNhdG93biBMaW1pdGVkMQkwBwYDVQQLEwAx
HjAcBgNVBAMTFXd3dy5idWNrYW5kcnlhbi5jby51azCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAqYnqDOvJbhUz4pFUmlkGiZlXIyWW6ZIj1lrZDaYR7wEicOQ3
gRLp7Wonn7K6yjmUUHBtlO6qQEi+tNBLMucieBaB2Vkmvmnv0wfhkQXkmU3tnh4l
ldDzTeti0XzmAZdwTh4+BFI66p17/msvqz08GPxLqFgGFFA28DUg4Hf+7A8CAwEA
AaOBpjCBozAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQAYDVR0fBDkw
NzA1oDOgMYYvaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2
ZXJDQS5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2Nz
cC50aGF3dGUuY29tMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAPBZT
K3s6jzLfH+aqOvnSMVRe3T/0Vxc0eq3hjX+I1PqD2uQpwA7IPL//EwMMBXh1Ee9c
+DYP8jLZslUSNQ6UFun4urfivGjtl21yRLuAmBXXj/UXdevUsssG5M7QN45lEFNQ
enLF4fNoRwiT0EMsu1rASc9cOxZ+fkcX8xWngisxggGKMIIBhgIBATCB4zCBzjEL
MAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2Fw
ZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3Rl
IFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZl
ckB0aGF3dGUuY29tAhBb3AyH+ZksUBdyICcMx+NsMAkGBSsOAwIaBQAwDQYJKoZI
hvcNAQEBBQAEgYCWnBQ96FMpkGlabanWEISR4FjvGayJnIYhP6kit83Hk/M8hW0g
IsEQCQFQIsjzdGl/NR6sUKCdrEkrMNHpahs5j+iCu5tK896u0pIcqsazqsbC0fln
NvyZFmQvOnViQXURi5QnxXOR0AqEtmmeUwKXizfOah3vqJWrM5VMGmWQSQ==
-----END NEW CERTIFICATE REQUEST-----
 
The following image illustrates how this invalid CSR is generated:
 

Cause

The error occurs because the renewal CSR created in IIS 7.0 is too large to be accepted by the enrollment page.

This is a known Microsoft IIS 7.0 issue.  For more information, please see the following Microsoft Knowledge Base Article (KB971832):
http://support.microsoft.com/kb/971832

Solution

To resolve this issue, select the option to Create Certificate Request as opposed to Renew.  This will generate a new, shorter CSR that will be accepted by the enrollment page.