000021845 - End user cannot renew certificate due to host name resolution problems in RSA Keon Certificate Authority

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021845

Applies To:
- Keon Certificate Authority 6.5.1
- Microsoft Windows 2000 Server SP4
- Microsoft Internet Explorer 6.0

Issue
End user cannot renew certificate due to host name resolution problems in RSA Keon Certificate Authority
End user attempted to auto-renew an expiring certificate following the usual steps:

- Went to the Keon Certificate Authority (KCA) Enrollment Server (usually https://<KCA-host-fqdn>:443/domain-main.xuda)
- Selected the correct jurisdiction (that was already configured to allow certificate renewals)
- Selected the link "Renew your client certificate"
- Clicked OK on a pop-up box warning that the renew operation required client authentication, etc.
- Selected the certificate to be renewed (if more than one eligible certificate was available in the browser certificate store)
- A page showed a description of the certificate to be renewed
- Finally, user clicked on the 'Renew Certificate' button

Instead of being presented with a re-issued new certificate, the browser showed an error that the server, with a short host name (that is, not a fully qualified domain name), was not found.
Cause
Immediately before the certificate was re-issued, the user was redirected to a URL containing a short host name (not a fully qualified domain name), which the user's computer could not resolve to an IP address. The KCA Enrollment Server composed that URL with the short name, instead of the fully qualified domain name, because of how the Web server (KCA Administration Server) was configured during KCA installation: a short name for the host was used at that time.
Resolution
To correct this issue, edit the KCA Administration Server's configuration file, <KCA-install-dir>\WebServer\conf\httpd.conf, and find all instances of the directive "ServerName". Replace the short name in every "ServerName" directive with the fully qualified domain name. Then restart the "RSA Keon CA 6.5.1 (Administration)" service.
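The check described above can be scripted against a copy of httpd.conf. The following is an added example, not RSA's tooling: the function names, the sample configuration and the host names `kca01` / `kca01.example.com` are constructed assumptions.

```python
import re

# Constructed sample config; host names are placeholders, not from a real KCA install.
SAMPLE_CONF = """\
# Main server
ServerName kca01
#ServerName oldhost
<VirtualHost _default_:443>
    servername kca01:443
    ServerName kca01.example.com:443
</VirtualHost>
"""

# Apache directive names are case-insensitive; value is [scheme://]host[:port].
SERVERNAME_RE = re.compile(
    r"^(?P<head>\s*ServerName\s+(?:[A-Za-z][A-Za-z0-9+.-]*://)?)"
    r"(?P<host>[^\s:#]+)(?P<tail>(?::\d+)?.*)$",
    re.IGNORECASE,
)

def is_short_name(host):
    """True when the host has no domain part (IP literals are out of scope)."""
    return "." not in host.rstrip(".")

def audit(conf_text):
    """Return (line_number, host) for each active ServerName with a short name."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        m = SERVERNAME_RE.match(line)
        if m and is_short_name(m.group("host")):
            findings.append((number, m.group("host")))
    return findings

def rewrite(conf_text, fqdn_for):
    """Swap short names for FQDNs from fqdn_for; all other text is untouched."""
    out = []
    for line in conf_text.splitlines():
        m = SERVERNAME_RE.match(line)
        if m and is_short_name(m.group("host")):
            line = m.group("head") + fqdn_for[m.group("host").lower()] + m.group("tail")
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for number, host in audit(SAMPLE_CONF):
        print(f"line {number}: ServerName uses short name {host!r}")
    print(rewrite(SAMPLE_CONF, {"kca01": "kca01.example.com"}), end="")
```

Commented-out directives are ignored and any port suffix is preserved, so the rewritten file differs from the original only in the host part of active "ServerName" lines.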
Legacy Article ID: a25326
