Article Content
Article Number | 000014774 |
Applies To | RSA Federated Identity Manager (FIM) 4.1 |
Issue | "Unable to encrypt data as this certificate is not meant for Encryption"; "Unable to sign as the certificate is not meant for signing or signature verification" |
Cause | Here are the possible values of KeyUsage: digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8). FIM looks for these values: digitalSignature to enable signing; dataEncipherment to enable encryption. Set the KeyUsage bits for the 2 uses above to enable all uses in FIM for a given keystore. Hotfixes after FIM 4.0 HF8 and FIM 4.1 HF3 will allow signing and encryption with a keystore if key usage is not set or if bits 0 and 3 are set. |
Resolution | Update the keystore so that the appropriate key usage(s) are set. It is permissible to not set any key usage (this allows all uses); however, best practice would be to set the key usage explicitly. Different keys may be used for the signing and encryption operations. |
Legacy Article ID | a46002 |