000025943 - Cannot download CMP message signer 'CN=<hostname>,CN=RSA Keon Certificate Authority - Protocol Signer' from KCA to use with custom CMP client

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025943

Applies To: Keon Certificate Authority 6.5.1
Sun Solaris 2.9
Certificate Management Protocol (CMP) client

Issue: Cannot download CMP message signer "CN=<hostname>,CN=RSA Keon Certificate Authority - Protocol Signer" from KCA to use with custom CMP client

Cause: KCA's CMP message signer is created on-the-fly, so it's not readily available for export to the client. Therefore, the CMP client cannot verify the CMP response messages.

Resolution: This issue has been resolved in a hot fix for KCA 6.5.1 (build 227). Contact RSA Security Customer Support to obtain KCA 6.5.1 build 227 or newer.

With the hot fix, the CMP server now uses its SSL key to sign the response. The SSL key is the key that the CMP server uses to talk with KCA. Its corresponding certificate is signed by KCA's system CA. You can find the certificate and the key in the KCA_INSTALL_DIR\CmpServer\ssl\ folder.

Legacy Article ID: a21144