000018610 - Cannot fetch CRL for an imported CA

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000018610
Applies To: Sentry CA 4.x
Keon Certificate Authority
TechNote 0269
Issue: Cannot fetch CRL for an imported CA
CRL import fails and the importation result is XrcLDAPUNABLE
Cause: When attempting to fetch the CRL for an imported CA from an LDAP directory, Keon Sentry uses the DN contained in the CA certificate. However, if the DN contained in the CA certificate does not match the DN of the CRL stored in the external LDAP directory, or if the DN contains multiple OU values, the CRL import will fail and the importation result will be XrcLDAPUNABLE.
Resolution: Include the crlFetchDN directive with the correct DN in the xudad.conf file as documented in section 5.1.3 "Importing CRLs from Trusted CAs - LDAP CRL Import Process" of the Sentry CA Administrator's Guide, e.g.:

    crlFetchDN md5=<CA's md5> <LDAP fetch DN>
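The following pre-check is an added example, not RSA code or part of the original article: it compares the DN from a CA certificate with the DN of the LDAP entry holding the CRL and reports the two conditions named under Cause. The function names, the sample DNs and the loose matching rule (case-insensitive, whitespace-collapsed) are assumptions; the md5 value stays the article's placeholder.

```python
def parse_dn(dn):
    """Split a DN string into normalized (type, value) pairs.

    Backslash-escaped separators are honoured (hex escapes are not decoded).
    Types are upper-cased, values case-folded and whitespace-collapsed:
    an assumed, loose matching rule, not the product's own.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":          # RDN separator or multi-valued RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip().upper(), " ".join(value.split()).casefold()))
    return pairs

def crl_fetch_problems(cert_dn, ldap_crl_dn):
    """Return the reasons an LDAP CRL fetch by certificate DN would fail."""
    cert, ldap = parse_dn(cert_dn), parse_dn(ldap_crl_dn)
    reasons = []
    if cert != ldap:
        reasons.append("DN mismatch")
    if sum(1 for attr, _ in cert if attr == "OU") > 1:
        reasons.append("multiple OU values")
    return reasons

def crl_fetch_directive(ldap_crl_dn):
    """Build the xudad.conf line; the md5 is left as the article's placeholder."""
    return "crlFetchDN md5=<CA's md5> " + ldap_crl_dn

if __name__ == "__main__":
    # Constructed sample DNs, not taken from a real CA.
    cert_dn = "CN=Example Root CA, OU=PKI, OU=Security, O=Example Corp, C=US"
    ldap_dn = "cn=Example Root CA,ou=PKI,o=Example Corp,c=US"
    problems = crl_fetch_problems(cert_dn, ldap_dn)
    if problems:
        print("Fetch by certificate DN would fail:", ", ".join(problems))
        print(crl_fetch_directive(ldap_dn))
```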
Legacy Article ID: a2364
