000014774 - 'Unable to encrypt data as this certificate is not meant for Encryption' or 'Unable to sign ...'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014774
Applies To: RSA Federated Identity Manager (FIM) 4.1

"Unable to encrypt data as this certificate is not meant for Encryption"

"Unable to sign as the certificate is not meant for signing or signature verification"
Cause: Here are the possible values of KeyUsage (the bit positions of the X.509 KeyUsage extension):

           digitalSignature        (0)
           nonRepudiation          (1)
           keyEncipherment         (2)
           dataEncipherment        (3)
           keyAgreement            (4)
           keyCertSign             (5)
           cRLSign                 (6)
           encipherOnly            (7)
           decipherOnly            (8)

FIM looks for these values:

           digitalSignature (0)    to enable signing
           dataEncipherment (3)    to enable encryption
Set the KeyUsage bits for both uses above (bits 0 and 3) to enable all uses in FIM for a given keystore. Builds that include the hotfixes after FIM 4.0 HF8 and FIM 4.1 HF3 allow signing and encryption with a keystore either when no key usage is set at all or when bits 0 and 3 are set.
Resolution: Update the keystore so that the appropriate key usage(s) are set. It is permissible to set no key usage at all (this allows all uses); however, best practice is to set the key usage explicitly. Different keys may be used for the signing and encryption operations.
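The following is an added example, not RSA or FIM code. It decodes the DER value of a certificate's KeyUsage extension into the bit names listed under Cause, then applies the rule the article describes: digitalSignature (bit 0) is needed to sign, dataEncipherment (bit 3) is needed to encrypt, and on hotfixed builds an absent KeyUsage extension permits all uses. The DER byte strings are constructed by hand for illustration, and the `hotfixed` flag models the pre-hotfix behaviour as an assumption inferred from the article rather than something it states outright.

```python
"""Decode an X.509 KeyUsage extension value and apply the key-usage rule the
article attributes to RSA FIM.

Added example, not RSA or FIM code. DER samples are constructed by hand.
The rule (digitalSignature for signing, dataEncipherment for encryption,
absent KeyUsage = all uses on hotfixed builds) comes from the article; how
builds without the hotfix treat an absent KeyUsage is an assumption.
"""
from typing import Optional, Set

# Bit positions of the KeyUsage BIT STRING (RFC 5280, section 4.2.1.3),
# matching the list in the article.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}

# The two messages quoted in the article.
SIGN_ERROR = ("Unable to sign as the certificate is not meant for signing "
              "or signature verification")
ENCRYPT_ERROR = ("Unable to encrypt data as this certificate is not meant "
                 "for Encryption")

# What FIM requires for each operation, per the article.
REQUIRED_BIT = {"sign": "digitalSignature", "encrypt": "dataEncipherment"}
ERROR_FOR = {"sign": SIGN_ERROR, "encrypt": ENCRYPT_ERROR}


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER BIT STRING carrying KeyUsage into the set of named bits.

    Layout: 0x03, length, unused-trailing-bits octet, then the bit octets.
    Bit 0 (digitalSignature) is the most significant bit of the first octet,
    so a value with only decipherOnly (bit 8) needs a second octet.
    Only short-form lengths (< 128) are handled; KeyUsage never needs more.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or long-form BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bits octet must be 0..7")
    body = der[3:]
    meaningful_bits = len(body) * 8 - unused
    names = set()
    for pos in range(meaningful_bits):
        octet, bit = divmod(pos, 8)
        if body[octet] & (0x80 >> bit):
            names.add(KEY_USAGE_BITS.get(pos, "unknownBit%d" % pos))
    return names


def fim_check(key_usage: Optional[Set[str]], operation: str,
              hotfixed: bool = True) -> Optional[str]:
    """Return None if FIM would allow `operation`, else the error it raises.

    key_usage is the decoded set, or None when the certificate carries no
    KeyUsage extension at all.
    """
    required = REQUIRED_BIT[operation]
    error = ERROR_FOR[operation]
    if key_usage is None:
        # Article: from FIM 4.0 HF8 / 4.1 HF3 onward, no KeyUsage means all
        # uses are allowed. Rejection on older builds is an assumption.
        return None if hotfixed else error
    return None if required in key_usage else error


def report(der: Optional[bytes], hotfixed: bool = True) -> dict:
    """Decode (if present) and check both operations in one call."""
    usage = None if der is None else decode_key_usage(der)
    return {
        "bits": sorted(usage) if usage is not None else None,
        "sign": fim_check(usage, "sign", hotfixed),
        "encrypt": fim_check(usage, "encrypt", hotfixed),
    }


# Constructed samples (DER extension values), not taken from any real cert.
SAMPLES = {
    "sign-only":        bytes.fromhex("03020780"),    # digitalSignature
    "sign-and-encrypt": bytes.fromhex("03020490"),    # bits 0 and 3
    "tls-style":        bytes.fromhex("030205a0"),    # digitalSignature + keyEncipherment
    "decipher-only":    bytes.fromhex("0303070080"),  # decipherOnly, bit 8
    "no-keyusage":      None,                         # extension absent
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        r = report(der)
        print("%-17s bits=%s sign=%s encrypt=%s" % (
            name, r["bits"],
            "ok" if r["sign"] is None else "ERROR",
            "ok" if r["encrypt"] is None else "ERROR"))
```

The "tls-style" sample is the combination worth recognising when diagnosing this error: a certificate issued for TLS usually carries digitalSignature and keyEncipherment but not dataEncipherment, so it passes FIM's signing check and fails its encryption check. To see the bits a real certificate has, `openssl x509 -in cert.pem -noout -text` prints them under "X509v3 Key Usage", and `keytool -list -v -keystore <file>` prints the KeyUsage of each keystore entry.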
Legacy Article ID: a46002