|Applies To||RSA Key Manager C Client 2.x|
RSA Key Manager Server
|Issue||How to get and save a server certificate or a root CA certificate?|
Windows Event viewer contains the error "R_KM_KEY_encrypt_by_class - Error getting key by class, ret: 10040%0a."
RKM Error 10040 - R_KM_ERROR_CA_CERT
ERROR: R_KM_KEY_get_by_class by Key Class <Key Class Name> returned 10040
BSAFE MES Error : 14095418
|Cause||Client does not trust the server certificate|
Client Root CA is not trusted by the web server
This issue may also occur when the RKM Client uses a self-signed certificate.
|Resolution||The configuration parameter clientTrustedRoots (C API) or pki.server_keystore_file (Java API) must point to the Issuing CA or Root CA certificate of the Web server's SSL certificate, not to the issuer of the RKM client certificate.|
There are many ways to obtain the server's CA certificate, one of which is to ask the Web server administrator. Another is to follow this procedure:
1. Access the RKM Administrative site with Internet Explorer, e.g. <https://YourWebServer/KMS/>
2. At the login page, double-click the SSL lock icon at the bottom right of the window (IE 6), or click the SSL lock icon to the right of the address bar and choose View certificates (IE 8), to view the SSL Web server certificate.
3. The certificate will be displayed in a viewer window.
To save the server certificate:
- Click on the tab labeled "Details"
- Click on the "Copy to File..." button
- A wizard launches. Click Next -> Select "Base 64 encoded X.509 (.CER)" and click Next -> Specify the path and filename to save the certificate file and click Next -> Click Finish
To save the root certificate:
- Click on the tab labeled "Certification Path"
- Double-click the first certificate in the chain (the top-most one); this is the Root CA for the SSL certificate.
- A second certificate viewer window will open.
- In the new window, click on the tab labeled "Details"
- Click on the "Copy to File..." button
- A wizard launches. Click Next -> Select "Base 64 encoded X.509 (.CER)" and click Next -> Specify the path and filename to save the certificate file and click Next -> Click Finish
Alternatively, you can check the server certificate on the Web server. For example, for IIS:
Make sure to use a client certificate issued by a Root CA, not a self-signed certificate.
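Added check, not part of the original article: the script below uses the openssl CLI to build a throwaway PKI (constructed names: a "Web Server Root CA", an "RKM Client Root CA" and a server certificate for YourWebServer) and shows that only the Web server's own root validates the server certificate. The same `openssl verify` call, run against the real server certificate saved in the steps above and the file named in clientTrustedRoots or pki.server_keystore_file, tells you whether the client will trust the server before error 10040 appears in the Event Viewer.

```shell
#!/bin/sh
# Added example, not part of the RSA article: builds a throwaway PKI with the
# openssl CLI and checks whether a candidate clientTrustedRoots file really
# validates the Web server's SSL certificate. Every CA and host name is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the roots carry CA:TRUE on every OpenSSL version.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_root PREFIX CN: self-signed root CA written as PREFIX.pem / PREFIX.key
make_root() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# Two unrelated roots: one issued the Web server's certificate, the other
# issued the RKM client certificate. Only the first belongs in clientTrustedRoots.
make_root webroot "Web Server Root CA"
make_root clientroot "RKM Client Root CA"

# Server certificate chained to the Web server root (what the IE viewer shows).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=YourWebServer" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA webroot.pem -CAkey webroot.key \
  -CAcreateserial -days 1 -out server.pem 2>/dev/null

# check_trusted_roots ROOTS_FILE SERVER_CERT: exit 0 when ROOTS_FILE validates
# the server certificate (what the RKM client needs), non-zero otherwise.
check_trusted_roots() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
if check_trusted_roots webroot.pem server.pem; then
  echo "webroot.pem validates server.pem: correct clientTrustedRoots"
fi
# Pointing at the client certificate's issuer is the misconfiguration that
# surfaces as R_KM_ERROR_CA_CERT (10040).
if ! check_trusted_roots clientroot.pem server.pem; then
  echo "clientroot.pem does not validate server.pem: expect error 10040"
fi
```

Run it with the real files by replacing `webroot.pem` with your clientTrustedRoots file and `server.pem` with the certificate saved from the viewer; a failed verify means the file holds the wrong CA.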
|Legacy Article ID||a39008|