First renewal with csr from IIS 10

Hello everyone,

We created a certificate on a Linux box and exported it to an IIS 10 Webserver run on Win2k19.

Now I would like to renew that certificate by passing the CSR file created on IIS, but I get the laconic message “failed to parse the csr file”.

How can I find out more about the problem?

I ran this command: certbot -d mdrds.mandarinaduck.com --manual --preferred-challenges dns certonly --csr /mnt/certs/renewal.csr --dry-run

It produced this output: failed to parse CSR file
I can login to a root shell on my machine (yes or no, or I don’t know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27

Hi @mdit

The “easiest” path is to convert the certificate you created on the Linux box to PFX and then to import it into the Windows Cert Store

You can use a tool like https://www.sslshopper.com/csr-decoder.html to check the CSR

Or openssl

openssl req -in mycsr.csr -noout -text

Andrei

Hello Andrei,

thanks for the answer. Actually, the first part is already done. The certificate has been exported to pfx and then imported in IIS10 as well. Now I needed to renew it, and that is why I created a CSR on IIS 10.

I ran your openssl command, and it blurted out this:
unable to load X509 request
140613883728320:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:…/crypto/asn1/tasn_dec.c:1130:
140613883728320:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:…/crypto/asn1/tasn_dec.c:290:Type=X509_REQ_INFO
140613883728320:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:…/crypto/asn1/tasn_dec.c:627:Field=req_info, Type=X509_REQ
140613883728320:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:…/crypto/pem/pem_oth.c:33:

can’t really understand much of it, though.

If I run the following command, instead:

openssl asn1parse -inform pem -in /mnt/certs/renewal.csr

it just parses the file without any errors or warnings…

OK, just because it passes the ASN1 parse doesn’t mean the content is actually a CSR

I would regenerate the CSR as it seems somehow that the PEM you are providing is not accurate.

When you generate the CSR, make sure it’s PEM formatted, not DER formatted.

Search both of those if it doesn’t make sense.

Andrei
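
The point in the last reply, that a file can pass a generic ASN.1 parse and still not be a CSR, can be checked by looking at the first few DER elements. The following is an added example, not part of the original thread or of certbot: a small triage function that reports whether a file is PEM or DER and whether its outer structure looks like a PKCS#10 request, a PKCS#7 signedData wrapper, or an X.509 certificate. The function names and the stub inputs are constructed for illustration, and the thread does not establish which of these renewal.csr actually was.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample inputs: structural stubs, not real requests or certificates.
CSR_STUB = bytes.fromhex("30053003020100")           # SEQ { SEQ { INTEGER 0 } }
CERT_STUB = bytes.fromhex("30073005a003020102")      # SEQ { SEQ { [0] { INTEGER 2 } } }
P7_STUB = bytes.fromhex("300b") + PKCS7_SIGNED_DATA  # SEQ { OID signedData }


def to_pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label (bytes)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN " + label + b"-----\n" + body + b"-----END " + label + b"-----\n"


def read_tlv(buf, pos=0):
    """Return (tag, content_start) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, pos + 2
    return tag, pos + 2 + (first & 0x7F)    # long form: skip the length bytes


def classify(data):
    """Return (encoding, pem_label, guess) for a file that is supposed to be a CSR."""
    m = PEM_RE.search(data)
    encoding, label, der = "DER", None, data
    try:
        if m:
            encoding, label = "PEM", m.group(1).decode()
            der = base64.b64decode(m.group(2))
        tag, start = read_tlv(der)
        if tag != 0x30:
            return encoding, label, "not a DER SEQUENCE"
        if der[start:start + 11] == PKCS7_SIGNED_DATA:
            return encoding, label, "PKCS#7 signedData"
        inner_tag, inner = read_tlv(der, start)
        if inner_tag == 0x30 and der[inner:inner + 3] == b"\x02\x01\x00":
            return encoding, label, "PKCS#10 CSR"        # version INTEGER 0
        if inner_tag == 0x30 and der[inner:inner + 1] == b"\xa0":
            return encoding, label, "X.509 certificate"  # [0] explicit version
    except (IndexError, ValueError):
        pass
    return encoding, label, "unknown"
```

The guess is a heuristic on the outer structure only. A result other than "PKCS#10 CSR" means `openssl req` will reject the file no matter what its PEM label says.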
