000012336 - Upgrade fails due to duplicate keys found for two CA objects

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000012336
Applies To: RSA Keon Certificate Authority 6.0.2
RSA Certificate Manager 6.8
Issue: Upgrade fails due to duplicate keys found for two CA objects
Upgrade fails in the second phase (running ./INSTALL and using package.tar generated from KCA 6.0.2) with the following error in upgrader.log:

2010.02.05-15:27: --------------------------------------------------------
2010.02.05-15:27:                 B E G I N   I N S T A L L
2010.02.05-15:27: --------------------------------------------------------
2010.02.05-15:27: Processing old Log Server configuration file...
2010.02.05-15:27: Processing old Directory configuration file...
2010.02.05-15:27: Processing old Administration configuration file...
2010.02.05-15:27: Processing old CMP Server configuration file...
2010.02.05-15:28: Creating directories in new installation...
2010.02.05-15:28: Copying server certificates and keys...
2010.02.05-15:29: Configuring Secure Directory Server...
2010.02.05-15:29: Indexing database...
2010.02.05-15:29: This may take a while. Please be patient.
2010.02.05-16:20: Configuring CMP server...
2010.02.05-16:20: Configuring Enrollment and Administration servers...
2010.02.05-16:20: Configuring secure logging server...
2010.02.05-16:20: Updating database for new configuration...
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:abcabcabcabcacbacbabcabcabcabcab
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:ab12ab12ab12ab12ab12ab12ab12ab1
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:123abc123abc123abc123abc123abc1
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:def123def123def123def123def123def
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:ab345ab345ab345ab345ab345ab345a
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:756adf756adf756adf756adf756adf756
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:876bca876bca876bca876bca876bca87
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:1a2b3c1a2b3c1a2b3c1a2b3c1a2b3c1a
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability for caMd5:cad481cad481cad481cad481cad481ca
2010.02.05-16:20: DoUpgradeFromPreHiAvailability: UpdateCRLFromPreHiAvailability: Maximum number of iterations from UpgraderTemp.out: 0
2010.02.05-16:20: Following CA has identical key pair in the database:
2010.02.05-16:20:     md5: ab345ab345ab345ab345ab345ab345a
2010.02.05-16:20: Please contact custom support.

2010.02.05-16:20: UpdateKeypairForCA: Caught XDK Exception.
--- UpdateKeypairForCA: Identical key pair has been found in the database. The Upgrader will be terminated. Please contact custom support.
2010.02.05-16:20: DoUpgradeFromPreCARefactor: Caught XDK Exception.
--- UpdateKeypairForCA: Identical key pair has been found in the database. The Upgrader will be terminated. Please contact custom support.
2010.02.05-16:20: PerformDatabaseAdjustments: Caught XDK Exception.
--- UpdateKeypairForCA: Identical key pair has been found in the database. The Upgrader will be terminated. Please contact custom support.
Cause: Two CA objects in the database had the same public key (and/or certificate), resulting in the above exception. Note that the CA md5 pointed out in the upgrader log might not necessarily be one of the CAs with the duplicate public key.
Resolution: There is no fix available at this time to automatically handle such a situation during the upgrade. Contact RSA Customer Support to investigate solutions that may apply to your deployment of Certificate Manager.

If one or both CAs with duplicate public keys are not needed, a workaround is to replace the certificate of one of those CAs with a dummy one in its XUDA_CA object in package/Xudad/db/upgrade.ldif, recreate package.tar, and then attempt the upgrade again. Any of those CAs that are no longer needed can be deleted through the RSA Certificate Manager administrative interface. If this scenario applies to you, contact RSA Customer Support to get assistance with the workaround.
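Because the md5 in upgrader.log may not name the CAs that actually collide, the following added example (not RSA tooling) groups LDIF entries by a SHA-256 of each certificate's SubjectPublicKeyInfo to show which entries share a key. It assumes the certificate is stored as a base64 (`attr::`) value; the attribute name `caCert`, the DNs and the sample certificates are constructed placeholders.

```python
import base64, hashlib
CERT_ATTR = "caCert"  # hypothetical attribute name; use the one in your upgrade.ldif

def _tlv(buf, pos):  # read one DER TLV header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 over the SubjectPublicKeyInfo, so serial and names do not matter."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    tag, _, after = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = after
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    return hashlib.sha256(cert_der[pos:_tlv(cert_der, pos)[2]]).hexdigest()

def duplicate_ca_keys(ldif_text, cert_attr=CERT_ATTR):
    """Map SPKI fingerprint -> DNs for every key carried by more than one entry."""
    groups = {}
    text = ldif_text.replace("\r\n", "\n").replace("\n ", "")  # unfold RFC 2849 lines
    for entry in text.split("\n\n"):
        dn = cert = None
        for line in entry.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == cert_attr.lower() and value.startswith(":"):
                cert = base64.b64decode(value[1:].strip())   # "attr:: <base64>"
        if dn and cert:
            groups.setdefault(spki_sha256(cert), []).append(dn)
    return {fp: dns for fp, dns in groups.items() if len(dns) > 1}

# Constructed sample: DER skeletons with the X.509 field order, not real certificates.
def _der(tag, *parts):
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)  # bodies < 128 bytes
def sample_cert(serial, key):
    spki = _der(0x30, _der(0x30), _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])),
               _der(0x30), _der(0x30), _der(0x30), _der(0x30), spki)
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))
def sample_ldif():
    cas = {"cn=CA-A": (1, b"KEY-ONE!"), "cn=CA-B": (2, b"KEY-ONE!"), "cn=CA-C": (3, b"KEY-TWO!")}
    return "\n\n".join(f"dn: {dn}\n{CERT_ATTR}:: {base64.b64encode(sample_cert(*v)).decode()}"
                       for dn, v in cas.items())
```

To check a real package, pass the text of package/Xudad/db/upgrade.ldif and the certificate attribute name used by its XUDA_CA entries to `duplicate_ca_keys`.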
Workaround: Upgrading Keon Certificate Authority (KCA) 6.0.2 to RSA Certificate Manager (RCM) 6.8 build 514
Notes: CERTMGR-3754
CERTMGR-1618
Legacy Article ID: a50250
