000020196 - Unable to use Administrators Client SSL Certificate

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 4

Article Content

Article Number: 000020196
Applies To: Keon Certificate Authority 6.0
Keon Registration Authority 6.0
Microsoft Internet Explorer
Issue: Unable to use Administrators Client SSL Certificate
Error: "The page cannot be displayed" in the web browser when accessing a secured (client-authenticated) page
Error: "inst-forms/apply-acl.xuda page cannot be found" appears during Keon Registration Authority installation
If the CA certificate is installed in the IE browser and the client SSL certificate is examined, the browser displays: "non valid digital signature"
The client certificate cannot be used for client-side SSL
Cause: If the original CA certificate did not include the Authority Key Identifier (AKI) and Subject Key Identifier (SKI) extensions, and the CA certificate is re-signed WITHOUT applying new certificate extensions (especially the AKI and SKI extensions), then the new CA certificate is also created without AKI and SKI extensions. If the Jurisdiction Extension Profile requires certificates to have AKI and SKI, the client certificates (including KRA Administrator SSL Certificates) are created with AKI and SKI extensions; they will not chain correctly to the CA and will not be valid for SSL authentication.
Resolution: To correct this issue, temporarily disable the Jurisdiction Profile Enforcement on the CA, then re-sign the CA certificate with AKI and SKI extensions. For more details on the usage of AKI and SKI extensions, see RFC 3280.

For more information, see the solutions titled "Error: 'The resign CA is not allowed to Name change' when trying to resign external CA" and "KRA installation fails shortly after SSL certificate retrieval and port configuration".
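
The following check is an added example, not RSA's code and not part of the original article: it compares a client certificate's AKI keyIdentifier with the issuing CA certificate's SKI, so the condition in the Cause can be confirmed before re-signing and the result verified afterwards. It assumes the third-party Python `cryptography` package; the helper names (`make_cert`, `key_id_link`) and the "Example CA" and "KRA Admin" certificates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(subject_cn, issuer_cn, public_key, signing_key, extensions=()):
    """Build a constructed test certificate carrying only the given extensions."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1))
               .not_valid_after(now + timedelta(days=30)))
    for ext in extensions:
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(signing_key, hashes.SHA256())

def _ext(cert, ext_class):
    """Return the extension value, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(ext_class).value
    except x509.ExtensionNotFound:
        return None

def key_id_link(ca_cert, client_cert):
    """Compare the client certificate's AKI keyIdentifier with the CA's SKI."""
    ski = _ext(ca_cert, x509.SubjectKeyIdentifier)
    aki = _ext(client_cert, x509.AuthorityKeyIdentifier)
    if aki is None or aki.key_identifier is None:
        return "client-has-no-aki"
    if ski is None:
        return "ca-missing-ski"  # the condition described in the Cause
    return "match" if aki.key_identifier == ski.digest else "mismatch"

# Constructed sample data: one CA key, a CA certificate re-signed without and
# with SKI, and an administrator client certificate issued with AKI and SKI.
ca_key = ec.generate_private_key(ec.SECP256R1())
admin_key = ec.generate_private_key(ec.SECP256R1())
ca_pub, admin_pub = ca_key.public_key(), admin_key.public_key()
ca_without_ski = make_cert("Example CA", "Example CA", ca_pub, ca_key)
ca_with_ski = make_cert("Example CA", "Example CA", ca_pub, ca_key,
                        [x509.SubjectKeyIdentifier.from_public_key(ca_pub)])
admin_cert = make_cert("KRA Admin", "Example CA", admin_pub, ca_key, [
    x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_pub),
    x509.SubjectKeyIdentifier.from_public_key(admin_pub),
])
print(key_id_link(ca_without_ski, admin_cert), key_id_link(ca_with_ski, admin_cert))
```

To run the same check on exported certificates, load them with `x509.load_pem_x509_certificate` and pass the resulting objects to `key_id_link`.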
Workaround: The CA certificate has been re-signed without applying new certificate extensions
Changes have been made to the Jurisdiction for the CA, specifically "Enforce Profile Definition" on "Extension Profiles"
Legacy Article ID: a15157