|Issue||Updating the certificate for a jks store and verifying the contents using keytool|
SSO top-level profile exception: , com.rsa.fim.profile.sso.SSOProfileException: Error signing assertion: util.crypto.dsig.error.sign: null
Caused by: com.rsa.fim.exception.CryptoUtilException: util.crypto.dsig.error.sign: null at com.rsa.fim.util.crypto.DSigHelper.sign(DSigHelper.java:124)
When replacing the certificate for an existing private key, the existing certificate will be overwritten with the new certificate by keytool. This is true for either a self signed certificate or for a certificate that has been signed by a CA.
To list the certificates enter the command "keytool -list -v -keystore mykeystore.jks"
If you have the private key in the keystore it will report back "Entry type: keyEntry" whereas if the private key is not present it will say "Entry type: trustedCertEntry"
The match up of certificate to private key is performed if the alias is the same, so before importing the certificate response from the CA make sure the alais value is correct.
To import the certificate reply from the CA with the signed certificate run "keytool -import -alias mykey -trustcacerts -file myjks.cer -keystore mykeystore.jks"
If the alias is matched to the private key during the import you will see this message: "Certificate reply was installed in keystore"
|Workaround||Certificate was renewed and the private key is unchanged.|
|Notes||The jks store can contain entry types of trustedCertEntry and keyEntry. The keyEntry type represents a certificate for which you have the private key, and the trustedCertEntry represents a certificate for which you only have the public key.|
|Legacy Article ID||a49650|