000023168 - Why does OneStep generate two certificates if key-recovery is enabled in target jurisdiction?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000023168
Applies To: RSA Certificate Manager (RCM)
RSA Certificate Manager 6.6
RSA Certificate Manager OneStep
RSA Certificate Manager using OneStep sample
RSA Certificate Manager OneStep 6.6
Issue: Why does OneStep generate two certificates if key-recovery is enabled in target jurisdiction?
OneStep CGI generates two certificates when the key-recovery option is enabled in the target jurisdiction.  There is apparently no way to configure OneStep to issue only one certificate and not the second certificate.  The second certificate is a key-recoverable encryption certificate issued for each certificate obtained through OneStep.
If the key-recovery option is disabled in the target jurisdiction configuration, the second certificate (key-recoverable encryption certificate) is not issued automatically.
The p12 file for encryption is zero (0) bytes in size.
Resolution: This issue has been fixed in RSA Certificate Manager OneStep 6.6 Build 307.  Contact RSA Customer Support and request build 307 or a more recent build of RSA Certificate Manager OneStep.

OneStep CGI in Build 307 has been updated to support OneStep plug-in version KCSOSV_VERSION_6.  If the plug-in version is set to KCSOSV_VERSION_4 or KCSOSV_VERSION_5, then two certificates are generated by OneStep CGI if the jurisdiction is key-recovery enabled.  If the plug-in version is set to KCSOSV_VERSION_6, two certificates (including the key-recoverable encryption certificate) are generated only when all of the following conditions are true; otherwise only one certificate is generated:

  -- The jurisdiction used by OneStep is key-recovery enabled
  -- KCSOSD_KRCERT_GENERATE is set (to any value); other corresponding OneStep key-recovery parameters remain optional, as documented in the RSA OneStep Developer's Guide
  -- KCSOSD_KEYUSAGE is set to KCSOSV_KEYUSAGE_SIGNING

In the OneStep html file enroll_msie_flat.html, add these two lines:

<INPUT TYPE="HIDDEN" NAME="KCSOSD_KEYUSAGE" VALUE="KCSOSV_KEYUSAGE_SIGNING">
<INPUT TYPE="HIDDEN" NAME="KCSOSD_KRCERT_GENERATE" VALUE="TRUE">
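
The Build 307 rules above can be checked against an enrollment form before it is deployed, so it is known in advance which forms lead to an escrowed (key-recoverable) encryption key. The following is an added example, not RSA code: the names `InputCollector` and `expected_certificates` are hypothetical, the sample forms are constructed, and the plug-in version and the jurisdiction setting are passed as arguments because this article does not show where they are configured.

```python
from html.parser import HTMLParser

SIGNING = "KCSOSV_KEYUSAGE_SIGNING"

class InputCollector(HTMLParser):
    """Collect NAME -> VALUE for every <INPUT> element of an enrollment form."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names; values keep their case.
        if tag == "input":
            attr = dict(attrs)
            if attr.get("name"):
                self.fields[attr["name"]] = attr.get("value") or ""

def expected_certificates(form_html, plugin_version, jurisdiction_key_recovery):
    """Return (certificate_count, reason) per the Build 307 rules above."""
    collector = InputCollector()
    collector.feed(form_html)
    fields = collector.fields
    if not jurisdiction_key_recovery:
        return 1, "jurisdiction is not key-recovery enabled"
    if plugin_version in ("KCSOSV_VERSION_4", "KCSOSV_VERSION_5"):
        return 2, "plug-in version 4/5 always adds the key-recoverable certificate"
    if plugin_version != "KCSOSV_VERSION_6":
        raise ValueError("plug-in version not covered by the article: %r" % plugin_version)
    # Assumption: "set (to any value)" means the field is present in the form.
    if "KCSOSD_KRCERT_GENERATE" not in fields:
        return 1, "KCSOSD_KRCERT_GENERATE is not set"
    if fields.get("KCSOSD_KEYUSAGE") != SIGNING:
        return 1, "KCSOSD_KEYUSAGE is not " + SIGNING
    return 2, "all three version 6 conditions hold"

# Constructed sample forms (not the shipped enroll_msie_flat.html).
FORM_WITH_KR = """<FORM METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="KCSOSD_KEYUSAGE" VALUE="KCSOSV_KEYUSAGE_SIGNING">
<INPUT TYPE="HIDDEN" NAME="KCSOSD_KRCERT_GENERATE" VALUE="TRUE">
</FORM>"""
FORM_WITHOUT_KR = """<FORM METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="KCSOSD_KEYUSAGE" VALUE="KCSOSV_KEYUSAGE_SIGNING">
</FORM>"""

if __name__ == "__main__":
    for name, form in (("with", FORM_WITH_KR), ("without", FORM_WITHOUT_KR)):
        print(name, expected_certificates(form, "KCSOSV_VERSION_6", True))
```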

Legacy Article ID: a32956
