000012345 - Only get 1 certificate template to enroll successfully using AEP, even though there are 3 custom V2 templates.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017 (Version 2).

Article Content

Article Number: 000012345
Applies To: RSA Certificate Manager (RCM)
  RSA Certificate Manager RCM 6.8
  Auto Enrollment Proxy (AEP)

Issue

Only get 1 certificate template to enroll successfully using AEP, even though there are 3 custom V2 templates.

Turning on full debug in AEP and enabling audit logging in RCM gave the following errors:

AEP (full debug):

AEP: thread=dd4 errorReason checking: error value = CA not available in the database.

RCM 6.8 build 520 (audit log):

<![CDATA[Receive a certificate request failed:certificate presented: md5=f2e7b896544f0c931cd8a6ae5638d504;  Request ID:C0A8390B0000027C000000010000002F; Request Status:Refused; Refuse Reason:invalid signature]]>

<![CDATA[Certificate signing: failed;  [XrcDECODINGFAILURE: unable to complete decoding operation]; certificate presented: md5=ea158beaccdd55d2de552ce2e7b9b156]]></LOG_DATA>

Cause

The root cause of this issue was that the Windows PKI admin guide does not give complete instructions for modifying the aep.xuda file.

In aep.xuda the Version 2 templates are selected by testing the template OID (myoid) that !parsecmc extracts from the request. That selection must be one !if/!elseif chain. If each template is added as its own !if clause, only the first !if clause is honored; the templates in the other !if clauses are never loaded, so requests for them fail with the errors shown above.

Resolution

To add multiple templates to aep.xuda, add the first one with an !if clause and every further one with an !elseif clause of that same chain, closed by a single !endif. Do not add a separate !if clause per template: only the first !if clause is honored and the templates in the other !if clauses are not loaded.

Here is an example aep.xuda snippet showing correctly configured templates. The new templates added are "JDT Users", "JDT Sign" and "JDT Admin"; each is one !elseif branch that sets the profile (PRO) and the domain ID for that template. The snippet is an excerpt: the enclosing !if RESULT="XrcOK" block continues beyond it.
 

<!-- XUDA BEGIN -->

<!-- LDAP SEARCH (&(objectclass=xuda_ca)(pem_x509=[ca])) -->
!if RESULT="XrcOK"
  [@domainid=['2fad530e3e696a7fe9caca7bac7aa95d0b328507']]
  [@ca=[xuda_ca.MD5]]
  [@PRO='No Extensions']
  [@customSAN="0"]
  [@useAD='1']

  <!-- For Version 1 templates -->
  !if profileId="DEFINED"
    [@pkcs10input=[cert_request]]
    !if profileId="Machine"
      [@PRO='No Extensions']
    !elseif profileId="DomainController"
      [@PRO='No Extensions']
    !elseif profileId="User"
      [@PRO='No Extensions']
    !endif
  !else
  <!-- For Version 2 templates -->
    [@mypem="manohar"]
    [@myoid="1.2"]

    !parsecmc([cert_request],mypem,myoid,spk)

    <!-- JDT Users -->
    !if myoid="1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.730488.5998425"
      [@PRO='1']
      [@domainid='2fad530e3e696a7fe9caca7bac7aa95d0b328507']

    <!-- JDT Sign -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.13972722.9132665"
      [@PRO='1']
      [@domainid='2fad530e3e696a7fe9caca7bac7aa95d0b328507']

    <!-- JDT Admin -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.5106110.3800228"
      [@PRO='1']
      [@domainid='2fad530e3e696a7fe9caca7bac7aa95d0b328507']

    <!-- Smartcard Logon 2 -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.6251361.11524077"
      [@PRO='No Extensions']
      [@domainid='f2d1d48d45390fb976447da98d787de8046c1d26']

    <!-- Workstation Authentication -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.30"
      [@domainid='b9a2048bed81c05c132260177e294b3f47f565fa']
      [@PRO='1']

    <!-- Directory Email Replication -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.29"
      [@domainid='b9a2048bed81c05c132260177e294b3f47f565fa']
      [@PRO='No Extensions']

    <!-- Domain Controller Authentication -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.28"
      [@domainid='b9a2048bed81c05c132260177e294b3f47f565fa']
      [@PRO='No Extensions']

    <!-- CA Exchange -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.26"
      [@PRO='No Extensions']

    <!-- Key Recovery Agent -->
    !elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.27"
      [@PRO='No Extensions']
    !endif
    [@pkcs10input=[mypem]]
  !endif
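The check below is an added example written for this article; it is not code from RSA, from RCM or from the AEP product. It is a small Python linter for the Version 2 template section of aep.xuda: it understands only the !if, !elseif, !else and !endif directives used in the snippet above, reports the misconfiguration described under Cause (several separate '!if myoid="..."' clauses, of which only the first is honored), and rewrites such sibling clauses into the single !if/!elseif chain the Resolution calls for. The sample input is constructed to reproduce the faulty layout using the three JDT template OIDs from the snippet; the function names and warning text are this example's own.

```python
"""Lint and repair helper for the template dispatch in aep.xuda.

Hypothetical helper written for this article; it is not part of RSA
Certificate Manager or the Auto Enrollment Proxy and understands only the
XUDA directives the article's snippet uses (!if, !elseif, !else, !endif).
It looks for the misconfiguration described in the article: several
separate '!if myoid="..."' clauses where one !if/!elseif chain is required.
"""
import re

ANY_IF_RE = re.compile(r'^\s*!if\b')
IF_RE = re.compile(r'^\s*!if\s+(\w+)\s*=\s*"([^"]*)"')
ELSEIF_RE = re.compile(r'^\s*!elseif\s+(\w+)\s*=\s*"([^"]*)"')
ENDIF_RE = re.compile(r'^\s*!endif\b')


def template_chains(text):
    """Group the 'myoid' tests into chains: a new chain starts at every
    '!if myoid=...', and each '!elseif myoid=...' joins the chain of the
    innermost open !if.  Raises ValueError on unbalanced !if/!endif."""
    chains, stack = [], []        # stack: chain index per open !if, or None
    for lineno, line in enumerate(text.splitlines(), 1):
        if ANY_IF_RE.match(line):
            m = IF_RE.match(line)
            if m and m.group(1) == "myoid":
                chains.append([m.group(2)])
                stack.append(len(chains) - 1)
            else:
                stack.append(None)
        elif ELSEIF_RE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: !elseif without !if")
            var, oid = ELSEIF_RE.match(line).groups()
            if var == "myoid" and stack[-1] is not None:
                chains[stack[-1]].append(oid)
        elif ENDIF_RE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: !endif without !if")
            stack.pop()
    if stack:
        raise ValueError("unterminated !if: missing !endif")
    return chains


def lint(text):
    """One warning per extra chain: only the first '!if myoid' clause is
    honored, so templates tested in later clauses never enroll."""
    chains = template_chains(text)
    return [f"templates {', '.join(c)} are in a separate !if clause; "
            "only the first !if is honored, use !elseif"
            for c in chains[1:]]


def merge_into_elseif_chain(text):
    """Fold adjacent sibling blocks
         !if myoid="A" ... !endif
         !if myoid="B" ... !endif
       into one chain  !if myoid="A" ... !elseif myoid="B" ... !endif.
       Blank lines and <!-- --> comments between the blocks are kept."""
    out, stack, pending = [], [], None   # pending: index in out of a droppable !endif
    for line in text.splitlines():
        stripped = line.strip()
        if ANY_IF_RE.match(line):
            m = IF_RE.match(line)
            is_oid = bool(m) and m.group(1) == "myoid"
            if is_oid and pending is not None:
                del out[pending]                   # drop the previous block's !endif
                line = line.replace("!if", "!elseif", 1)
            stack.append(is_oid)
            pending = None
        elif ENDIF_RE.match(line):
            closed_oid = stack.pop() if stack else False
            out.append(line)
            pending = len(out) - 1 if closed_oid else None
            continue
        elif stripped and not stripped.startswith("<!--"):
            pending = None                         # any other line breaks adjacency
        out.append(line)
    return "\n".join(out)


# Constructed sample (not from the article): the Version 2 branch written with
# three separate !if clauses, i.e. the misconfiguration the article describes.
# The OIDs are the three JDT template OIDs from the article's snippet.
JDT_USERS = "1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.730488.5998425"
JDT_SIGN = "1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.13972722.9132665"
JDT_ADMIN = "1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.5106110.3800228"

BROKEN_V2_BLOCK = f"""!parsecmc([cert_request],mypem,myoid,spk)

<!-- JDT Users -->
!if myoid="{JDT_USERS}"
  [@PRO='1']
!endif

<!-- JDT Sign -->
!if myoid="{JDT_SIGN}"
  [@PRO='1']
!endif

<!-- JDT Admin -->
!if myoid="{JDT_ADMIN}"
  [@PRO='1']
!endif
[@pkcs10input=[mypem]]
"""

if __name__ == "__main__":
    for warning in lint(BROKEN_V2_BLOCK):
        print("WARNING:", warning)
    print(merge_into_elseif_chain(BROKEN_V2_BLOCK))
```

Run it against a full aep.xuda rather than an excerpt: on the article's snippet alone template_chains raises "unterminated !if", because the outer !if RESULT="XrcOK" is closed later in the file. The merge only folds blocks that are adjacent siblings (separated by nothing but blank lines and comments); a block separated by an assignment or another directive is left alone and still shows up in lint, which is the case you want a person to look at.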

 

Notes: CERTMGR-3911
Legacy Article ID: a55219
