000025954 - Imported CA not showing Root chain in KCA Admin Console

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000025954
Applies To: Keon Certificate Authority 6.0
Issue: Imported CA not showing Root chain in KCA Admin Console
A CA certificate was taken from one KCA installation (KCA1) to another KCA installation (KCA2) and signed by KCA2's Root CA. The re-signed CA certificate carried the entire chain. The re-signed CA certificate was then imported back into KCA1, and KCA2's Root CA was trusted on KCA1. However, even though KCA2's Root CA is trusted on KCA1, viewing this CA under the "CA Operations" workbench through the Admin Server still shows the Certificate Chain as "Unknown".
Cause: External Root was not trusted on KCA before importing signer.
Resolution: Trust the CA's signer BEFORE re-signing the CA's certificate. This ensures that the reissued certificate correctly identifies the CA's signer. If the CA's signer is not trusted, the reissued certificate will not identify the CA's issuer and the CA's certificate chain will begin with "Unknown". See page 162 in the RSA Keon CA 6.0 Administrator's Guide.

Related solution:  Creating a CA hierarchy across multiple Sentry CA/Keon CA installations.
Legacy Article ID: a7741