|Applies To||Keon Certificate Authority 6.5.1; Microsoft Windows 2000 Server SP4; Microsoft Internet Explorer 6.0|
|Issue||End user cannot renew certificate due to host name resolution problems in RSA Keon Certificate Authority|
End user attempted to auto-renew an expiring certificate following the usual steps:
- Went to the Keon Certificate Authority (KCA) Enrollment Server (usually https://<KCA-host-fqdn>:443/domain-main.xuda)
- Selected the correct jurisdiction (that was already configured to allow certificate renewals)
- Selected the link "Renew your client certificate"
- Clicked OK on a pop-up box with a warning that the renew operation required client authentication, etc.
- Selected the certificate to be renewed (provided that more than one eligible certificate was available in the browser certificate store)
- A page showed a description of the certificate to be renewed
- Finally, user clicked on the 'Renew Certificate' button
Instead of being presented with a re-issued new certificate, the browser showed an error that the server, with a short host name (that is, not a fully qualified domain name), was not found.
Immediately before the certificate was re-issued, the user was redirected to a URL containing a short host name (not a fully qualified domain name), which the user's computer could not resolve to an IP address. The KCA Enrollment Server composed that URL from the short name rather than the fully qualified domain name because of how the Web server (KCA Administration Server) was configured during KCA installation: a short name for the host was used at that time.
To correct this issue, edit the KCA Administration Server's configuration file, <KCA-install-dir>\WebServer\conf\httpd.conf, and find all instances of the directive "ServerName". Update the short names used for all "ServerName" directives with the fully qualified domain name. Then restart the "RSA Keon CA 6.5.1 (Administration)" service.
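A check for the correction described above, added here as an example and not part of the RSA article or product: it lists the active ServerName directives that still use a short name and rewrites those that match the host's fully qualified domain name. Apache-style directive syntax (`ServerName [scheme://]host[:port]`), the host name `kca01.example.com`, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed Apache-style syntax: ServerName [scheme://]host[:port]
SERVERNAME = re.compile(
    r'^(?P<lead>\s*ServerName\s+)(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)?'
    r'(?P<host>[^\s:/]+)(?P<port>:\d+)?\s*$', re.IGNORECASE)

def is_short_name(host):
    """A host with no interior dot is a short name (IP literals contain dots)."""
    return '.' not in host.rstrip('.')

def audit_servernames(conf_text):
    """Return (line_no, host) for each active ServerName that uses a short name."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = SERVERNAME.match(line)  # lines starting with '#' never match
        if m and is_short_name(m.group('host')):
            findings.append((no, m.group('host')))
    return findings

def rewrite_servernames(conf_text, fqdn):
    """Replace short names equal to the first label of fqdn; keep scheme and port."""
    if is_short_name(fqdn):
        raise ValueError("replacement must be a fully qualified domain name")
    short = fqdn.split('.')[0].lower()
    out = []
    for line in conf_text.splitlines():
        m = SERVERNAME.match(line)
        if m and m.group('host').rstrip('.').lower() == short:
            line = (m.group('lead') + (m.group('scheme') or '')
                    + fqdn + (m.group('port') or ''))
        out.append(line)
    return '\n'.join(out) + '\n'

# Constructed sample, not taken from a real KCA installation.
SAMPLE_CONF = """\
# ServerName kca01
ServerName kca01
<VirtualHost _default_:444>
    ServerName kca01:444
</VirtualHost>
<VirtualHost _default_:446>
    ServerName kca01.example.com:446
</VirtualHost>
"""

if __name__ == "__main__":
    print("short names found:", audit_servernames(SAMPLE_CONF))
    print(rewrite_servernames(SAMPLE_CONF, "kca01.example.com"))
```

Run the audit again on the rewritten file before restarting the service; an empty result means no short names remain in any active ServerName directive.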
|Legacy Article ID||a25326|