000019895 - How to re-issue expired (or about to expire) server certificates for KRA?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3


Article Number: 000019895
Applies To: Keon Registration Authority 6.0.2
Keon Certificate Authority 6.0.2
Microsoft Windows 2000 Server SP2
Microsoft Windows NT 4.0 SP6a
Issue: How to re-issue expired (or about to expire) server certificates for KRA?
The KRA Administration Server continues to reload when the KRA services are restarted.
The following entries may appear in the <KRA-install-dir>\WebServer\logs\admin-cipher.log file:
[<date/time> <id>] [info]  Init: Loading certificate & private key of SSL-aware server <host-name>:<admin-port>
[<date/time> <id>] [info]  Init: Configuring server <host-name>:<admin-port> for SSL protocol
[<date/time> <id>] [warn]  Init: Ops, you want to request client authentication, but no CAs are known for verification!? [Hint: SSLCACertificate*]
The KRA server certificates had expired and were replaced with newly reissued certificates (following the procedure described in the KRA and KCA Administrator's Guides). The KRA services start, but the following error appears when opening the KRA Admin interface in the browser:

Program Error
!LDAP Search(): [XrcLDAPUNABLE] unspecified failure in LDAP operation.
Cause: When the KRA server certificates are reissued through the KCA Admin interface, the KCA LDAP rules are updated with the MD5s of the new KRA admin.cert and scep.cert. However, the reissued certificates are not copied into the KRA database, and the KRA LDAP rules are not updated. The KRA identifies a client certificate by its MD5 in its LDAP rules and certificate entries, so a reissued certificate that is present in neither is not accepted, which surfaces as the LDAP search failure above. This step is not documented in the KRA or KCA 6.0.2 guides and must be done manually.
Resolution: After the KRA server certificates have been issued through the KCA Admin interface, do not replace the old KRA server certificates with the new ones until the following procedure has been completed. See the note at the end of this solution on how to obtain the correct MD5s (referenced in the steps below) for the server certificates.

On KCA (where the target CA for the KRA is hosted):

1. Stop the KCA services and make a full backup of the KCA installation.

2. At a command prompt, change to the <KCA-install-dir>\Xudad\db directory and run the following command:

C:\<KCA-install-dir>\Xudad\db\>..\bin\ldbmcat -n id2entry.dbh > kcadb.ldif

This generates a text file, kcadb.ldif, containing the complete KCA database in LDIF form.

3. Start the KCA services.

4. Open kcadb.ldif in a text editor and locate the xuda_certificate objects corresponding to the new KRA server certificates (by looking up their MD5s). Copy those entries, each one complete and separated from the next by a blank line, to a temporary text file, say certs-to-add.txt.

5. Copy this temporary file (certs-to-add.txt, created in step 4) to the KRA machine.


6. Stop the KRA services and make a full backup of the KRA installation.

7. If the old KRA server certificates have not yet expired, start the KRA services and modify the LDAP rules as follows:
      a. Make a note of the MD5 (certificate ID) of each reissued KRA server certificate, in particular the new admin.cert (KRA Administration Client certificate), enroll.cert (KRA Enrollment Client certificate) and scep.cert (KRA SCEP Client certificate).
      b. In the KRA Admin interface, go to the "System Configuration" workbench and click "LDAP rules".
      c. By default the LDAP rules contain only the MD5s of admin.cert, enroll.cert and scep.cert. Add new line(s) to each LDAP rule granting each new KRA server certificate the same access that the corresponding old certificate has. DO NOT REMOVE any existing line; only add new lines. Each new line looks like:
               by dn="md5=xxxxxxxxxxxxxxxxxxxxxxxxxxx" write
      d. Save the updated LDAP rules by clicking the "Save ACL rules to database" button.
      e. Stop the KRA services again before continuing with step 9.

8. If the old KRA server certificates have already expired, the KRA may not start. In this case, temporarily set the system clock back to a date on which the expired certificates were still valid. The KRA services will then start, but you may not be able to access the KRA Admin interface. Note that while the clock is set back the KRA will also accept other certificates that have really expired, so keep the machine isolated from clients until the clock has been restored.

If the LDAP rules still cannot be accessed through the KRA Admin interface, follow these steps:
       a. Go to the URL http://<KRA-host-name>:<admin-port>/ra/admin/listuclass.xuda
       b. Click the "List" link for the objectclass "umichACL".
       c. Click the "Edit" button for the object "entry=uofmacl,o=acl".
       d. Copy the text of the "ACLTEXT" attribute. Only one line is shown in the browser for this attribute, but the value is the complete listing of the LDAP rules, which you can see by scrolling down in the edit box. Make sure that you copy the entire set of rules.
       e. Paste the LDAP rules into a text editor and modify them as described in step 7 above.
       f. Copy the modified rules back into the edit box for the "ACLTEXT" attribute.
       g. Save the rules by clicking the "REPLACE Object" button.

Now reset the system clock to the current date/time and stop the KRA services.

9. At a command prompt, change to the <KRA-install-dir>\Xudad\db directory and run the following command:

C:\<KRA-install-dir>\Xudad\db\>rsakeon_reindex.bat ..\bin kradb

This generates a text file, kradb.ldif, and then waits for you to press a key after the following message:

"Okay, that worked.........."

DO NOT press a key at this point. Some changes need to be made to kradb.ldif before the script is allowed to continue.

10. Append the contents of certs-to-add.txt (created in step 4) to kradb.ldif, keeping a blank line between entries.

11. Return to the rsakeon_reindex script, which is still waiting at the prompt, and press any key so that it continues with the re-index using the edited kradb.ldif.

12. Replace the old KRA server certificates with the newly reissued ones.

13. Start the KRA services. To verify, open the KRA Admin interface: the "LDAP Search()" program error should no longer appear, and admin-cipher.log should no longer show the Administration Server reloading repeatedly.

NOTE: While correcting or updating the LDAP ACL rules, the correct MD5s must be obtained. One way to find them is to read the serial numbers of admin.cert and enroll.cert by viewing the files in MSIE (rename the certificate files with the extension .crt or .cer so that the Microsoft Certificate Manager recognises them as digital certificates and opens the certificate details window). Then identify the corresponding certificates in the KCA Admin interface (Administrator Operations -> Installation -> cert-active) by matching those serial numbers, and use their MD5s.
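The following Python helper is added to this article as an example; it is not RSA code and not part of the Keon product. It automates the bookkeeping in steps 4, 7 and 10 above: it computes the MD5 of a reissued certificate file directly, reads the serial number needed for the cert-active match described in the note, pulls the matching xuda_certificate entries out of kcadb.ldif so they can be written to certs-to-add.txt, and adds the new `by dn="md5=..."` lines to a copy of the ACL text without removing any existing line. Two things are assumed because the article does not state them: that the md5 used in the LDAP rules and in the xuda_certificate DN is the MD5 digest of the DER-encoded certificate, and that the DN has the form md5=<32 hex chars>,<suffix>. The certificate skeleton, the LDIF and the ACL text in the block are constructed for illustration (the o=xuda suffix is invented), so check both assumptions against your own kcadb.ldif before relying on the output.

```python
"""Helpers for the KRA certificate re-issue procedure (added example).

Not RSA code and not part of Keon. Assumptions, not confirmed by the article:
  - the "md5" in Keon LDAP rules / xuda_certificate DNs is the MD5 of the
    DER-encoded certificate;
  - the DN has the form "md5=<32 hex chars>,<suffix>".
Verify both against a real kcadb.ldif before relying on the output.
"""
import base64
import hashlib
import re


def load_der(data: bytes) -> bytes:
    """Accept a PEM or DER certificate file body and return the DER bytes."""
    if data[:1] == b"\x30":            # DER SEQUENCE tag: already binary
        return data
    b64 = b"".join(line.strip() for line in data.splitlines()
                   if line.strip() and not line.startswith(b"-----"))
    return base64.b64decode(b64)


def cert_md5(data: bytes) -> str:
    """Lowercase hex MD5 of the DER certificate (assumed Keon certificate ID)."""
    return hashlib.md5(load_der(data)).hexdigest()


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(data: bytes) -> int:
    """serialNumber from Certificate -> tbsCertificate -> [version] serialNumber."""
    _, cert, _ = _der_tlv(load_der(data), 0)   # outer Certificate SEQUENCE
    _, tbs, _ = _der_tlv(cert, 0)              # tbsCertificate SEQUENCE
    tag, val, nxt = _der_tlv(tbs, 0)
    if tag == 0xA0:                            # optional EXPLICIT [0] version
        tag, val, nxt = _der_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER; not a certificate?")
    return int.from_bytes(val, "big", signed=True)


def find_cert_entries(ldif_text: str, md5s) -> list:
    """Return the LDIF entry blocks (verbatim, still folded) whose DN carries
    one of the wanted md5 values; these are the blocks for certs-to-add.txt."""
    wanted = {m.lower() for m in md5s}
    hits = []
    for blk in re.split(r"\n[ \t]*\n", ldif_text.strip()):
        unfolded = re.sub(r"\n ", "", blk)     # join LDIF continuation lines
        for line in unfolded.splitlines():
            if line.lower().startswith("dn:"):
                m = re.search(r"md5=([0-9a-f]{32})", line, re.I)
                if m and m.group(1).lower() in wanted:
                    hits.append(blk)
                break
    return hits


def extend_acl(acl_text: str, old_to_new: dict) -> str:
    """Add, after every rule line for an old certificate md5, the same line for
    the new md5 (same access level). Existing lines are never removed."""
    pat = re.compile(r'^(\s*by dn="md5=)([0-9a-f]{32})(" .*)$', re.I)
    out = []
    for line in acl_text.splitlines():
        out.append(line)
        m = pat.match(line)
        if m and m.group(2).lower() in old_to_new:
            out.append(m.group(1) + old_to_new[m.group(2).lower()] + m.group(3))
    return "\n".join(out)


# --- constructed sample data; none of it is real Keon output ------------------
# Certificate skeleton: SEQUENCE { SEQUENCE { [0]{INTEGER 2}, INTEGER 0x1234 } }
SAMPLE_DER = bytes.fromhex("300b3009a00302010202021234")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_LDIF = """version: 1

dn: md5=0123456789abcdef0123456789abcdef,o=xuda
objectclass: xuda_certificate
cn: KRA Administration Client
description: reissued admin.cert, folded
  onto a second line as LDIF allows

dn: md5=fedcba9876543210fedcba9876543210,o=xuda
objectclass: xuda_certificate
cn: KRA SCEP Client

dn: md5=00000000000000000000000000000000,o=xuda
objectclass: xuda_certificate
cn: unrelated certificate
"""
SAMPLE_ACL = """access to *
        by dn="md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" write
        by dn="md5=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" read
        by * none"""

if __name__ == "__main__":
    print("md5:", cert_md5(SAMPLE_PEM), "serial:", hex(cert_serial(SAMPLE_PEM)))
    blocks = find_cert_entries(SAMPLE_LDIF, ["0123456789abcdef0123456789abcdef"])
    print("\n\n".join(blocks))                 # what goes into certs-to-add.txt
    print(extend_acl(SAMPLE_ACL, {"a" * 32: "0123456789abcdef0123456789abcdef"}))
```

In practice, run cert_md5 and cert_serial over the reissued admin.cert, enroll.cert and scep.cert files (the serial lets you confirm the match in cert-active; the md5 is what the rules need), pass the resulting MD5s and the text of kcadb.ldif to find_cert_entries and join the returned blocks with a blank line to produce certs-to-add.txt, and feed the ACLTEXT value and an old-to-new MD5 mapping to extend_acl, which keeps every original line and only adds the new ones, as step 7 requires. Work on copies of the files; nothing here writes to the Keon database.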
Workaround: The KRA server certificates have expired. Follow the procedure for reissuing KRA server certificates documented in the following guides:
KRA 6.0.2 Administrator's Guide, page 185
KCA 6.0.2 Administrator's Guide, page 374
Legacy Article ID: a13212