|Applies To||Keon Certificate Authority 6.0|
|Issue||Imported CA not showing Root chain in KCA Admin Console|
Took a CA certificate from one KCA installation (KCA1) over to the other KCA installation (KCA2) and signed it by the KCA2's Root CA. The new re-signed CA certificate got the entire chain. Then imported the re-signed CA certificate back into KCA1. Trusted KCA2's Root CA on KCA1. However even KCA2's Root CA is trusted on KCA1, when viewing this CA under "CA Operations" workbench through the Admin Server, the Certificate Chain still shows "Unknown".
|Cause||External Root was not trusted on KCA before importing signer.|
|Resolution||Trust the CA's signer BEFORE re-signing the CA's certificate. This ensures that the reissued certificate correctly identifies the CA's signer. If the CA's signer is not trusted, the reissued certificate will not identify the CA's issuer and the CA's certificate chain will begin with "Unknown". See page 162 in the RSA Keon CA 6.0 Administrator's Guide.|
Related solution: Creating a CA hierarchy across multiple Sentry CA/Keon CA installations.
|Legacy Article ID||a7741|