|Applies To||Sentry Certificate Authority (CA); Sentry Registration Authority (RA); Keon Certificate Authority; Keon Registration Authority; Microsoft Internet Explorer|
|Issue||Browsers unable to verify certificate chain|
This problem occurs when you have vetted and issued an end-entity cert with v3 extensions, one of which is the Authority Key Identifier (AKI), and have downloaded the CA cert into your browser and trusted it.
When you try to verify the chain between the two certs, the browser displays one of the following errors:
- "Unable to Find Certificate Authority" (Netscape Navigator), or
- an exclamation mark on the issuing CA's cert, with the Certificate status reading "The issuer of this certificate was not able to be found" (Microsoft Internet Explorer).
|Cause||The CA cert is missing the Subject Key Identifier (SKI) extension. Sentry/Keon CA is built to the RFC standards, and RFC 2459 requires the SKI extension in all conforming CA certs to facilitate chain building (section 4.2.1.2) and the AKI extension in all certs generated by conforming CAs for the same purpose (section 4.2.1.1). The browser builds the chain by matching the keyIdentifier in the end-entity cert's AKI against the SKI of the issuing CA cert; when the CA cert carries no SKI, that match cannot be made and the browser reports the issuer as not found even though the issuer name matches. The RFC is at http://www.ietf.org/rfc/rfc2459.txt?number=2459|
|Resolution||Resign the CA cert using the Resigning function in Sentry/Keon CA and add the Subject Key Identifier as a new extension. Because the AKI in the already-issued end-entity certs identifies the CA's public key, the resigned CA cert must keep the same key pair and carry an SKI derived from that key so that it equals the keyIdentifier already present in those certs; otherwise the end-entity certs would have to be reissued as well. Delete the old CA cert from the browsers and load the new CA cert. The browsers then report that the cert verified successfully. To confirm the fix, inspect the new CA cert and check that its SKI value equals the AKI keyIdentifier in an issued end-entity cert.|
|Legacy Article ID||a3170|
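The chain-building behaviour behind the Cause and Resolution above, as an added example that is not part of this article or of the Sentry/Keon product: it derives key identifiers the way RFC 2459 section 4.2.1.2 method (1) describes (SHA-1 over the subjectPublicKey BIT STRING value), models the end-entity cert's AKI and the CA cert's SKI, and shows that a name-matching CA cert without an SKI is rejected by a strict chain builder while a lenient one (OpenSSL's X509_check_akid() only compares the identifiers when both are present) still accepts it. It then applies the article's resolution, resigning the CA cert over the same key with an SKI, and shows the existing end-entity cert now chains. Only the Python standard library is used; the RSA moduli are constructed placeholder values, not real keys, and the `Cert` class holds only the fields chain building needs rather than a full X.509 structure.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal big-endian two's complement,
    so a leading 0x00 is added when the top bit of the magnitude is set."""
    if value < 0:
        raise ValueError("negative integers are not needed here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    content = b"".join(elements)
    return b"\x30" + _der_length(len(content)) + content


def rsa_subject_public_key(n: int, e: int) -> bytes:
    """Value of the subjectPublicKey BIT STRING for an RSA key: the PKCS #1
    RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_sequence(der_integer(n), der_integer(e))


def key_identifier(subject_public_key: bytes) -> bytes:
    """RFC 2459 section 4.2.1.2, method (1): 160-bit SHA-1 hash of the
    subjectPublicKey BIT STRING value (tag, length and unused-bits octet excluded)."""
    return hashlib.sha1(subject_public_key).digest()


@dataclass
class Cert:
    """Only the fields chain building looks at; a stand-in for a real X.509 cert."""
    subject: str
    issuer: str
    subject_public_key: bytes
    ski: Optional[bytes] = None  # subjectKeyIdentifier extension, if present
    aki: Optional[bytes] = None  # authorityKeyIdentifier.keyIdentifier, if present


def self_signed_ca(name: str, n: int, e: int, with_ski: bool) -> Cert:
    """CA cert over the given key; with_ski=False reproduces the article's broken CA cert."""
    spk = rsa_subject_public_key(n, e)
    return Cert(name, name, spk, ski=key_identifier(spk) if with_ski else None)


def issue_end_entity(subject: str, n: int, e: int, ca: Cert) -> Cert:
    """End-entity cert with the v3 AKI extension. Its keyIdentifier names the CA's
    public key (RFC 2459 section 4.2.1.1): copied from the CA's SKI when present,
    otherwise derived from the CA key by the same hash method (an assumption here)."""
    aki = ca.ski if ca.ski is not None else key_identifier(ca.subject_public_key)
    return Cert(subject, ca.subject, rsa_subject_public_key(n, e), aki=aki)


def find_issuer(cert: Cert, trust_store: List[Cert], strict: bool = True) -> Tuple[str, Optional[Cert]]:
    """Locate cert's issuer in the trust store (signature checking is out of scope).
    strict=True: once the cert carries an AKI keyIdentifier, a candidate must carry
    a matching SKI, so a CA cert with no SKI is rejected despite the matching name.
    strict=False: like OpenSSL's X509_check_akid(), compare the identifiers only when
    both exist; this is why 'openssl verify' can pass while the browser fails."""
    for candidate in trust_store:
        if candidate.subject != cert.issuer:
            continue
        if cert.aki is None:
            return "issuer-found", candidate  # name match is all we have
        if candidate.ski is None:
            if strict:
                continue  # "The issuer of this certificate was not able to be found"
            return "issuer-found", candidate
        if candidate.ski == cert.aki:
            return "issuer-found", candidate
    return "issuer-not-found", None


# Constructed placeholder key material (not real RSA keys, far too small for use).
CA_N, CA_E = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E, 65537
EE_N, EE_E = 0xB7A1F03C9D2E4B6A8F1C5D7E9A0B2C4D6E8F1A3B5C7D9E0F2A4B6C8D0E1F3A5B, 65537


def demo() -> Tuple[str, str, str]:
    """Article scenario: browser fails, lenient check passes, resigning the CA cert fixes it."""
    ca_no_ski = self_signed_ca("CN=Example Keon CA", CA_N, CA_E, with_ski=False)
    leaf = issue_end_entity("CN=alice", EE_N, EE_E, ca_no_ski)
    browser_before, _ = find_issuer(leaf, [ca_no_ski])
    openssl_style, _ = find_issuer(leaf, [ca_no_ski], strict=False)
    # Resolution: resign the CA cert over the same key, now with an SKI, and replace
    # the old CA cert in the store. The leaf's AKI is a hash of that same key, so it
    # matches the new SKI and the already-issued leaf needs no reissue.
    ca_with_ski = self_signed_ca("CN=Example Keon CA", CA_N, CA_E, with_ski=True)
    browser_after, _ = find_issuer(leaf, [ca_with_ski])
    return browser_before, openssl_style, browser_after


if __name__ == "__main__":
    print(demo())  # ('issuer-not-found', 'issuer-found', 'issuer-found')
```

The strict path is also what protects against a wrong CA cert that merely shares the issuer name (for example after a CA key rollover): a candidate whose SKI does not equal the leaf's AKI is skipped, which is the chain-building benefit RFC 2459 is after. The practical caveat for this article's fix is the one in the code comment: the resigned CA cert must carry the same public key, and an SKI derived from it, or the AKI values already in issued certs will not match.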