000019899 - Keon: KCA fails to re-sign external CA certificates and gives 'XrcBADSYNTAX: syntax error'

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000019899
Applies To: Keon Certificate Authority 6.0.2
Microsoft Windows NT 4.0 SP6a
Issue: Keon: KCA fails to re-sign external CA certificates and gives "XrcBADSYNTAX: syntax error"
Error: "XrcBADSYNTAX: syntax error" when attempting to use offline KCA to re-sign a CA exported from an online KCA installation
Problem using the "re-sign external CA certificate" feature located in the CA operations workbench
If the external certificate to be re-signed has a CN in the DN, the offline CA will successfully re-sign the external CA certificate
Cause: The external certificate to be re-signed does not have a Common Name (CN) in the Distinguished Name (DN)
Resolution: Workaround: On the online CA, generate a PKCS10 request from the CA you want to re-sign. Then submit that request in the enrollment pages of the offline CA and approve it using Certificate Operations Workbench. Finally, replace the CA certificate on the online CA with the newly signed CA certificate. There appear to be no restrictions with this workaround.

The problem using the "re-sign external CA certificate" feature has been confirmed by RSA Security as a defect (ref# tst00032349). This will be fixed in a future release of Keon Certificate Authority.
Legacy Article ID: a13236
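
A pre-check for the cause described above, as an added example that is not RSA's code: it walks a DER-encoded X.509 certificate and reports whether the subject DN contains a commonName attribute, so a CA certificate without one can be sent straight to the PKCS10 workaround. The function names and the two sample certificates are constructed for illustration (skeletons with the standard field layout and a dummy key and signature); a PEM file has to be base64-decoded to DER before it is passed in.

```python
# Added example (not RSA code): does a DER X.509 certificate's subject DN carry a CN?
CN_OID = b"\x55\x04\x03"   # content bytes of OID 2.5.4.3 (commonName)

def read_tlv(buf, pos):   # -> (tag, content_start, content_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):   # yields read_tlv() tuples for each element in [start, end)
    while start < end:
        yield (elem := read_tlv(buf, start))
        start = elem[2]

def subject_has_cn(cert):
    """True if the certificate's subject Name has a commonName attribute."""
    _, s, _ = read_tlv(cert, 0)                   # Certificate
    _, ts, te = read_tlv(cert, s)                 # tbsCertificate
    fields = list(children(cert, ts, te))
    if fields[0][0] == 0xA0:                      # optional [0] version
        fields = fields[1:]
    _, ns, ne = fields[4]   # serial, sigAlg, issuer, validity, then subject
    for _, rs, rend in children(cert, ns, ne):    # each RDN (SET)
        for _, a, _ in children(cert, rs, rend):  # each AttributeTypeAndValue
            tag, o, oe = read_tlv(cert, a)        # attribute type OID
            if tag == 0x06 and cert[o:oe] == CN_OID:
                return True
    return False

def der(tag, *parts):   # tiny DER encoder, used only to build the constructed samples
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body
def name(*attrs):       # Name = SEQUENCE of SET of SEQUENCE { OID, UTF8String }
    return der(0x30, *[der(0x31, der(0x30, der(0x06, t), der(0x0C, v))) for t, v in attrs])

def sample_cert(*subject):   # constructed skeleton: real field layout, dummy key/signature
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), der(0x05))
    valid = der(0x30, der(0x17, b"200101000000Z"), der(0x17, b"300101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg,
              name((CN_OID, b"Example Offline Root")), valid, name(*subject),
              der(0x30, alg, der(0x03, b"\x00")))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))

WITH_CN = sample_cert((b"\x55\x04\x0a", b"Example Org"), (CN_OID, b"Example Online CA"))
WITHOUT_CN = sample_cert((b"\x55\x04\x0a", b"Example Org"), (b"\x55\x04\x0b", b"Online CA"))
```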