|Applies To||Keon Certificate Authority 6.0|
Keon Registration Authority 6.0
Microsoft Internet Explorer
|Issue||Unable to use Administrator's Client SSL Certificate|
Error: "The page cannot be displayed" in Web browser when accessing a secured page (client authenticated)
Error: "inst-forms/apply-acl.xuda page cannot be found" appears during Keon Registration Authority installation
If the CA certificate is installed in the IE browser and the client SSL certificate is examined, the browser displays: "non valid digital signature"
Client certificate cannot be used for Client Side SSL
|Cause||If the original CA certificate did not include the Authority Key Identifier (AKI) and Subject Key Identifier (SKI) extensions, and the CA certificate is re-signed WITHOUT applying new certificate extensions (especially the AKI and SKI extensions), then the new CA certificate is also created without AKI and SKI extensions. If the Jurisdiction Extension Profile requires certificates to have AKI and SKI, the client certificates (including KRA Administrator SSL Certificates) are created with AKI and SKI extensions. These client certificates do not chain correctly to the CA and are not valid for SSL authentication.|
|Resolution||To correct this issue, temporarily disable the Jurisdiction Profile Enforcement on the CA, then re-sign the CA certificate with AKI and SKI extensions. For more details on the usage of AKI and SKI extensions, see RFC 3280.|
For more information, see the solutions titled "Error: 'The resign CA is not allowed to Name change' when trying to resign external CA" and "KRA installation fails shortly after SSL certificate retrieval and port configuration".
|Workaround||The CA Certificate has been re-signed without applying new certificate extensions|
Changes have been made to the Jurisdiction for the CA, specifically "Enforce Profile Definition" on "Extension Profiles"
|Legacy Article ID||a15157|
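
The condition described under Cause can be checked directly on the certificates. The following Python code is an added example, not Keon or vendor code: it walks the DER encoding, reads the AKI keyIdentifier from the client certificate and the SKI from the CA certificate, and reports whether they line up. The function names and the sample inputs (`fake_cert`, `KID`, the three skeleton certificates) are constructed for this example.

```python
OID_SKI = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

def tlvs(buf):  # yield (tag, value) for each DER element; assumes well-formed DER
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the count of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def find_ext(der, oid):  # extnValue contents of the extension with this OID, or None
    for tag, val in tlvs(der):
        if not tag & 0x20:  # primitive element, nothing nested inside
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and kids and kids[0] == (0x06, oid):
            return kids[-1][1]  # OCTET STRING, after the optional critical flag
        hit = find_ext(val, oid)
        if hit is not None:
            return hit
    return None

def ski(der):
    ext = find_ext(der, OID_SKI)
    return next(tlvs(ext))[1] if ext else None  # inner OCTET STRING is the key id
def aki(der):
    ext = find_ext(der, OID_AKI)
    seq = next(tlvs(ext))[1] if ext else b""
    return next((v for t, v in tlvs(seq) if t == 0x80), None)  # [0] keyIdentifier

def check(client_der, ca_der):
    a, s = aki(client_der), ski(ca_der)
    if a is None:
        return "client certificate has no AKI keyIdentifier"
    if s is None:
        return "MISMATCH: client has AKI, CA certificate has no SKI"
    return "ok" if a == s else "MISMATCH: client AKI differs from CA SKI"

# Constructed DER skeletons (not real certificates), just enough to carry extensions.
def enc(tag, *parts):  # short-form length only (bodies under 128 bytes)
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)
def fake_cert(*exts):
    return enc(0x30, enc(0x30, enc(0xA3, enc(0x30, *exts))))
KID = bytes.fromhex("0102030405060708")  # constructed key identifier
CLIENT = fake_cert(enc(0x30, enc(0x06, OID_AKI), enc(0x04, enc(0x30, enc(0x80, KID)))))
CA_RESIGNED_NO_EXT = fake_cert()
CA_RESIGNED_WITH_SKI = fake_cert(enc(0x30, enc(0x06, OID_SKI), enc(0x04, enc(0x04, KID))))
```

To run the check on real certificates, pass their DER bytes to `check()`; PEM files can be converted with `ssl.PEM_cert_to_DER_cert()`.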