An important factor to be aware of is that on KCA 6.5 with FIPS Level 3, the encryption certificate is created at the time when it is downloaded. This means that at the moment the certificate is downloaded, the CA must have access to its private keys. There are two ways the private keys can be accessible at that point:
1. The OCS for the jurisdiction is still active (meaning one of the cards in the cardset is still inserted) and the CA is not correctly honouring that it is not supposed to "Prompt every time" (see below)
2. The OCS in use has been configured as persistent and the keys have previously been unlocked
An easy test to confirm whether your CA (and its cardset) is correctly configured is to check the following:
1. Enroll for a certificate
2. Approve it
3. Enroll for another certificate
4. Approve it
Question - how many times did you need to type in your PIN(s) for the OCS? If your answer is more than once, the CA is not configured correctly. This would mean that at the point in time when the end user asks the CA to create and download the encryption certificate, the CA is not going to have access to its keys (and generates the error message).
For more information, see the solution regarding
[XrcXUDADUNABLE]: unable to contact directory server.