000017040 - AEP Proxy Windows Event Viewer App log: submitRequestToCA returned 8c020009

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017040
Applies To
RSA Certificate Manager RCM 6.8
RSA Certificate Manager (RCM)
Auto Enrollment Proxy (AEP)
Issue
AEP Proxy Windows Event Viewer App log: submitRequestToCA returned 8c020009
RCM Windows Event Viewer App log: WsalWriteClient() failed with return code = [105]
Windows Enrollment Client pop-up error: The certificate request failed: Unspecified error
Xudad trace.log entry:  signing XXXX signerSignCertificate.c:1585 Return code = XrcCONVERSIONFAILURE (68)
Cause
CAUSE #1: Jurisdiction has Email Notification enabled
CAUSE #2: Extension profiles are configured in such a way that manual user input is required. AEP is designed to function such that all information that it needs to sign a certificate request is supplied either in the request itself or is specified in the Extension Profile settings. If an Extension profile is configured such that some user input is required, RCM will be unable to issue the certificate automatically via AEP.

In the following example of a misconfigured extension profile (here, cRLDistPoints), the extension is set to default to 3 cRLDP values. However, only 1 value is actually set. Therefore, some user input is required to either supply the other 2 values or to change the extension so that only 1 cRLDP is included.

{
  name : 'CRL Distribution Points',
  type : 'mandatory',
  autogenerate : false,
  critical : {
    def : false,
    editable : false,
    visible : true,
    type : 'mandatory'
  },
  cRLDistPointsSyntax : {
    def : 3,
    min : 1,
    max : 10,
    visible : true,
    editable : true,
    type : 'mandatory',
    elements : [
      {
        editable : true,
        visible : true,
        type : 'optional',
        distributionPoint : {
          def : 'fullName',
          editable : true,
          visible : true,
          type : 'mandatory',
          value : {
            min : 1,
            max : 10,
            def : 1,
            editable : true,
            visible : true,
            elements : [
              {
                def : 'uRI',
                editable : true,
                visible : true,
                type : 'mandatory',
                value : {
                  def : 'http://profileenforceworks',
                  editable : true,
                  visible : true,
                  type : 'mandatory',
                  validator : 'extCheckGenName(this)'
                }
              }
            ]
          }
        }
      }
    ]
  }
}


A good way to test this is to manually issue a certificate request that has been submitted via AEP. If the manual process requires you to enter some input (the wizard will not let you continue without supplying a parameter), then the request cannot be automatically vetted and signed.
Resolution
SOLUTION for CAUSE #1:
If the Jurisdiction has Email Notification enabled and there are any errors with SMTP, then this error and behavior will occur. The client machine will get the unspecified error when certificate enrollment is attempted via the MMC Certificates plugin, yet the certificate will be created by RCM.

This behavior is caused by the AEP proxy not knowing what to do with the SMTP error information and ending its client session before the download is complete. Email notification is NOT needed for an AEP-enabled Jurisdiction. Because of the automatic generation and immediate download of certs, email notification to the subscriber or vettor is NOT needed. As a matter of best practice, AEP should use dedicated Jurisdiction(s) which are typically NOT used for manual enrollment.

This issue is avoidable if a dedicated Jurisdiction for AEP is created that has email disabled.
SOLUTION for CAUSE #2:
Update any extension profiles that are required for your AEP issued certificates to ensure that valid values are supplied in the extension profile definition. Verify that requests can be processed manually without requiring additional user input.
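
A check for the CAUSE #2 condition, as an added example (not RSA code and not part of RCM): it walks an extension profile and reports list nodes whose default count `def` is larger than the number of preset entries in `elements`. The profile is abridged from the cRLDistPoints example above; the function name and the reading of `def`, `min`, `max` and `elements` are assumptions based on the article's description.

```javascript
// Hypothetical lint for RCM extension profiles used with AEP.
// Assumption: on a node that has an 'elements' array, a numeric 'def' is the
// number of entries issued by default, so def > elements.length means the
// vettor would have to type in the missing entries by hand.
const join = (path, key) => (path ? `${path}.${key}` : key);

function findUnderfilledLists(node, path = '', findings = []) {
  if (node === null || typeof node !== 'object') return findings;
  if (Array.isArray(node.elements) && typeof node.def === 'number') {
    const preset = node.elements.length;
    if (node.def > preset) {
      findings.push({ path, def: node.def, preset,
        problem: 'default count exceeds preset entries' });
    }
    if ((typeof node.min === 'number' && node.def < node.min) ||
        (typeof node.max === 'number' && node.def > node.max)) {
      findings.push({ path, def: node.def, preset, problem: 'def outside min/max' });
    }
  }
  for (const [key, child] of Object.entries(node)) {
    if (Array.isArray(child)) {
      child.forEach((c, i) => findUnderfilledLists(c, `${join(path, key)}[${i}]`, findings));
    } else {
      findUnderfilledLists(child, join(path, key), findings);
    }
  }
  return findings;
}

// Abridged from the article's profile: def is 3, but only one entry is preset.
const misconfigured = {
  name: 'CRL Distribution Points',
  cRLDistPointsSyntax: {
    def: 3, min: 1, max: 10, type: 'mandatory',
    elements: [{
      type: 'optional',
      distributionPoint: {
        def: 'fullName',
        value: { min: 1, max: 10, def: 1,
          elements: [{ def: 'uRI', value: { def: 'http://profileenforceworks' } }] }
      }
    }]
  }
};

for (const f of findUnderfilledLists(misconfigured)) {
  console.log(`${f.path}: ${f.problem} (def=${f.def}, preset=${f.preset})`);
}
```

A profile that passes this check still needs the manual issuance test described above, since other fields can also require input.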
Legacy Article ID: a51285
