000026034 - 'Unknown error' when attempting to enroll for a certificate through OneStep Flat File sample plug-in

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026034

Applies To:
  RSA Certificate Manager 6.6
  RSA Certificate Manager OneStep 6.6
  RSA Key Recovery Manager 6.6

Issue: An attempt to enroll and issue a certificate through the OneStep Flat File sample plug-in fails with the following error in the browser:

  The following error occured
  Unknown error
  Please click the button below to try again
  Back
The error occurs when the option "Signing And Encryption" or "Encryption" is selected in the Key Usage drop-down box while enrolling for a certificate on the OneStep browser page.

Cause: Selecting the option "Signing And Encryption" or "Encryption" in the Key Usage drop-down box on the OneStep certificate enrollment page sets KCSOSD_KEYUSAGE to KCSOSV_KEYUSAGE_SIGNENCRYPT or KCSOSV_KEYUSAGE_ENCRYPTION before the OneStep CGI attempts to issue the certificate.  If the "Signing" option is selected, KCSOSD_KEYUSAGE is set to KCSOSV_KEYUSAGE_SIGNING.

In order for OneStep CGI to automatically issue an (authentication) certificate followed by a second (key-recoverable encryption) certificate, all of the following conditions must be met:

  -- the jurisdiction used by OneStep plug-in must be key-recovery enabled
  -- KCSOSD_KRCERT_GENERATE must be set (to any value)
  -- KCSOSD_KEYUSAGE must be set to KCSOSV_KEYUSAGE_SIGNING
  -- the OneStep plug-in (in this case the Flat File sample plug-in) must use KCSOSV_VERSION_6

Resolution: Select the "Signing" option in the Key Usage drop-down box on the OneStep certificate enrollment page.  Also ensure that KCSOSD_KRCERT_GENERATE is set either in the HTML page or in the OneStep plug-in code, that the OneStep target jurisdiction is key-recovery enabled, and that the OneStep plug-in is using KCSOSV_VERSION_6.

Note that Build 307 or a later fix must be applied to RSA Certificate Manager 6.6 for the OneStep CGI to support KCSOSV_VERSION_6 and the above-mentioned functionality.  Using KCSOSV_VERSION_6 in the plug-in also includes changes introduced in KCSOSV_VERSION_5.  See the Build 307 Readme for more details.

Workaround: Applied hot fix Build 307 on RSA Certificate Manager 6.6, and changed/configured the following to enable automatic issuing of a second (key-recoverable encryption) certificate:

  -- enabled Key Recovery in the Jurisdiction targeted by OneStep demo plug-in
  -- added the following line in <OneStep>\htmldocs\enroll_msie_flat.html to allow issuing of key-recoverable encryption certificate:
        <INPUT TYPE="HIDDEN" NAME="KCSOSD_KRCERT_GENERATE" VALUE="yes">
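
A quick check for the HTML side of the change above, as an added example that is not part of the RSA article or product: it parses an enrollment page and reports, per form, whether a KCSOSD_KRCERT_GENERATE input would be submitted with it. Only the field name comes from the article; the sample markup, form actions and function names are constructed for illustration.

```python
from html.parser import HTMLParser

FIELD = "KCSOSD_KRCERT_GENERATE"  # field name taken from the article

# Constructed sample page: the form actions and the text field are made up.
SAMPLE = """
<FORM ACTION="/constructed/onestep-a" METHOD="POST">
  <INPUT TYPE="TEXT" NAME="constructed_name">
  <INPUT TYPE="HIDDEN" NAME="KCSOSD_KRCERT_GENERATE" VALUE="yes">
</FORM>
<FORM ACTION="/constructed/onestep-b" METHOD="POST">
  <!-- <INPUT TYPE="HIDDEN" NAME="KCSOSD_KRCERT_GENERATE" VALUE="yes"> -->
</FORM>
<INPUT TYPE="HIDDEN" NAME="KCSOSD_KRCERT_GENERATE" VALUE="yes">
"""

class EnrollFormAudit(HTMLParser):
    """Record, for each <FORM>, the values of any FIELD input inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form, in document order
        self.stray = []       # FIELD values found outside every form
        self._current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)       # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action"), "values": []}
            self.forms.append(self._current)
        elif tag == "input" and a.get("name") == FIELD:
            inside = self._current is not None
            (self._current["values"] if inside else self.stray).append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(html_text):
    """Return ([(form action, 'set' | 'empty' | 'missing')], stray values)."""
    parser = EnrollFormAudit()
    parser.feed(html_text)
    parser.close()
    # The article says "any value"; it does not say whether an empty string
    # counts, so an input with no value is reported separately as 'empty'.
    report = [(f["action"],
               "missing" if not f["values"] else "set" if any(f["values"]) else "empty")
              for f in parser.forms]
    return report, parser.stray

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A commented-out input or one placed outside the form is not sent with the enrollment request, which is why both are reported rather than counted as set.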

Legacy Article ID: a32557
