000026087 - How to get and save a server certificate or a root CA certificate?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000026087
Applies To: RSA Key Manager C Client 2.x
RSA Key Manager Server
Issue: How to get and save a server certificate or a root CA certificate?
Windows Event viewer contains the error "R_KM_KEY_encrypt_by_class - Error getting key by class, ret: 10040%0a."
RKM Error 10040 - R_KM_ERROR_CA_CERT
ERROR: R_KM_KEY_get_by_class by Key Class <Key Class Name> returned 10040
BSAFE MES Error : 14095418
Cause: The client does not trust the server certificate.
The client's Root CA is not trusted by the web server.
This issue may also occur when the RKM Client uses a self-signed certificate.
Resolution: The configuration parameter clientTrustedRoots (C API) or pki.server_keystore_file (Java API) must point to the certificate of the Web server SSL certificate's Issuing CA or Root CA, not to the issuer of the RKM client certificate.
There are many ways to obtain the server's CA certificate, including contacting the Web server administrator. Another is to follow this procedure:
1. Access the RKM Administrative site with Internet Explorer, e.g. <https://YourWebServer/KMS/>
2. At the login page, double-click the SSL lock icon at the bottom right of the window (IE 6), or click the SSL lock icon to the right of the address bar and choose View certificates (IE 8), to view the SSL Web server certificate.
3. The certificate will be displayed in a viewer window.
   To save the server certificate:
   - Click on the tab labeled "Details"
   - Click on the "Copy to File..." button
   - A wizard launches. Click Next -> Select "Base 64 encoded X.509 (.CER)" and click Next -> Specify the path and filename to save the certificate file and click Next -> Click Finish
   To save the root certificate:
   - Click on the tab labeled "Certification Path" and continue with Step 4
4. Double-click the first certificate in the chain (the top-most one); this is the Root CA for the SSL certificate.
5. A second certificate viewer window will open.
6. In the new window, click on the tab labeled "Details"
7. Click on the "Copy to File..." button
8. A wizard launches. Click Next -> Select "Base 64 encoded X.509 (.CER)" and click Next -> Specify the path and filename to save the certificate file and click Next -> Click Finish

Use this path and filename as input to the 'clientTrustedRoots' parameter in your RKM installation.
e.g. C client:
   clientTrustedRoots=c:\mycerts\myca.crt
Java client:
   pki.server_keystore_file=c:/mycerts/myca.crt
With the Java client, make sure that the extension of the certificate reflects its encoding (use .pem if PEM encoded).
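The two checks this resolution turns on (the root CA is the top-most, self-signed certificate of the Web server's chain, and clientTrustedRoots must name that CA rather than the CA that issued the RKM client certificate) can be scripted. The following is an added example, not RSA's code or a KMS utility: it reads a PEM chain as exported from the browser, picks out the self-signed root, writes it out as Base 64 encoded X.509, and checks by issuer/subject names whether a candidate trusted-roots file actually anchors the server certificate. It also handles chains with an intermediate CA, which the article's two-certificate chain does not show. Everything in it is standard-library Python; the certificates are constructed, unsigned stand-ins, and the names YourWebServer, Sample Root CA and RKM Client CA are assumptions.

```python
# Added example, not RSA's code. Standard library only: a small DER walker reads
# issuer/subject names; the certificates built here are unsigned stand-ins.
import base64
CN_OID = b"\x55\x04\x03"                              # id-at-commonName 2.5.4.3
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
def _enc_len(n):
    if n < 0x80:                                      # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body           # long form
def _tlv(tag, content):
    return bytes([tag]) + _enc_len(len(content)) + content
def _read_tlv(buf, pos):
    """(tag, content, position after the element); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    nbytes = first & 0x7F if first >= 0x80 else 0
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big") if nbytes else first
    start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def _name(cn):
    """Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); a single CN here."""
    atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

def fake_cert_der(subject_cn, issuer_cn):
    """Structurally valid X.509 v3 certificate with placeholder key and signature."""
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA))
    validity = _tlv(0x30, _tlv(0x17, b"160614000000Z") + _tlv(0x17, b"170421000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))

def _cn(name_content):
    """First CN attribute of a Name (content bytes of its outer SEQUENCE)."""
    pos = 0
    while pos < len(name_content):
        _, rdn, pos = _read_tlv(name_content, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        if oid == CN_OID:
            return value.decode()
    return None

def cert_names(der):
    """(issuer CN, subject CN), walking the tbsCertificate fields in order."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                  # [0] EXPLICIT version is absent in v1 certs
        pos = 0
    for _ in range(2):               # skip serialNumber and signature algorithm
        _, _, pos = _read_tlv(tbs, pos)
    _, issuer, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)  # validity
    _, subject, _ = _read_tlv(tbs, pos)
    return _cn(issuer), _cn(subject)

def pem_encode(der):
    """'Base 64 encoded X.509', as the wizard exports it and the Java client reads it."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def pem_decode_all(text):
    """Every CERTIFICATE block of a PEM file as DER, in file order."""
    blocks = text.split("-----BEGIN CERTIFICATE-----")[1:]
    return [base64.b64decode(b.split("-----END CERTIFICATE-----")[0]) for b in blocks]

def find_root(chain_ders):
    """The root CA is the self-signed member of the chain: issuer == subject."""
    for der in chain_ders:
        issuer, subject = cert_names(der)
        if issuer == subject:
            return der
    raise ValueError("no self-signed root in chain; ask the Web server admin for it")

def anchors_server_cert(server_der, chain_ders, trusted_der):
    """True if issuer names lead from the server certificate up to trusted_der.
    Name matching only; the real TLS stack also verifies every signature."""
    _, trusted_subject = cert_names(trusted_der)
    by_subject = {cert_names(d)[1]: d for d in chain_ders}
    issuer, seen = cert_names(server_der)[0], set()
    while issuer != trusted_subject:
        if issuer in seen or issuer not in by_subject:
            return False
        seen.add(issuer)
        issuer = cert_names(by_subject[issuer])[0]
    return True

# Constructed data: the server's chain, plus the CA behind the RKM *client* cert.
SERVER = fake_cert_der("YourWebServer", "Sample Root CA")
ROOT = fake_cert_der("Sample Root CA", "Sample Root CA")
CLIENT_CA = fake_cert_der("RKM Client CA", "RKM Client CA")
CHAIN_PEM = pem_encode(SERVER) + pem_encode(ROOT)     # as exported from the browser
if __name__ == "__main__":
    chain = pem_decode_all(CHAIN_PEM)
    print(pem_encode(find_root(chain)), end="")       # this is what goes in myca.pem
    print("anchored by server's root CA:", anchors_server_cert(SERVER, chain, ROOT))
    print("anchored by client cert's CA:", anchors_server_cert(SERVER, chain, CLIENT_CA))
```

Run it as a script to see the root printed in the Base 64 form that clientTrustedRoots / pki.server_keystore_file expect, followed by True for the server's own root and False for the client certificate's CA, which is exactly the misconfiguration behind error 10040. On a real chain, the same functions work on the file you exported from the certificate viewer; the check is deliberately name-based so it runs offline, and the RKM client's TLS stack still does the signature verification.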

Alternatively, you can check the server certificate on the Web server itself. For example, for IIS:
Open IIS Manager, select Web Sites > Default Web Site > Properties > Directory Security > View Certificate > Certification Path,
and proceed with Step 4 above.

Make sure the RKM client uses a client certificate issued by a Root CA, not a self-signed certificate.
Legacy Article ID: a39008