000020207 - Problems with Keon Registration Authority after re-signing SSL server certificate

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000020207
Applies To: Keon Certificate Authority 6.0.2
Keon Registration Authority 6.0.2
Sun Solaris 2.8
RSA Public Root Signing
Issue: Problems with Keon Registration Authority after re-signing SSL server certificate
The root was signed by a public root and the newly signed issuing CA was installed on the KCA. The procedures in the KCA and KRA admin guides were followed to re-sign the SSL server certificate with the new Root CA. After doing this, it appears the KRA doesn't have knowledge of the newly signed certificate chain; when you initiate an SSL session with the KRA, the issuers are not presented to the client as they are with the KCA.
Cause: The Root CA that has been re-signed is not updated in the KRA database. The database still contains the old Root certificate received during installation.
Resolution: A defect (tst00034005) has been opened with Engineering and will be addressed in a future Keon Registration Authority release. As a workaround, there are 2 options:

1. Uninstall and reinstall Keon Registration Authority

2. Contact RSA Security Customer Support for information on updating the Root CA certificate in the KRA database
Workaround: Original KCA Root CA re-signed with Public Root
Legacy Article ID: a15199
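
One way to check the symptom described under Issue, as an added example that is not part of the original RSA article: the functions below read the "Certificate chain" block of `openssl s_client` output and report whether a server sent only its own certificate or also its issuers. The sample outputs, host names and CA names are constructed for illustration, and HOST:PORT is a placeholder.

```shell
#!/bin/sh
# Constructed sample: server sends only its own certificate (the symptom).
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example/CN=kra.example.test
   i:/O=Example/CN=Example Issuing CA
---
Server certificate'

# Constructed sample: server also sends its issuer.
SAMPLE_WITH_ISSUER='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example/CN=kca.example.test
   i:/O=Example/CN=Example Issuing CA
 1 s:/O=Example/CN=Example Issuing CA
   i:/O=Example/CN=Example Public Root
---
Server certificate'

# Read s_client output on stdin; print "depth|subject|issuer" per certificate sent.
chain_pairs() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { depth = $1; subj = $0; sub(/^ *[0-9]+ s:/, "", subj); next }
        in_chain && /^ *i:/        { iss = $0; sub(/^ *i:/, "", iss); print depth "|" subj "|" iss }
    '
}

# Classify the chain: no-chain, leaf-only, broken, or issuers-sent.
# A single self-signed certificate is reported as issuers-sent.
chain_verdict() {
    chain_pairs | awk -F"|" '
        { subj[NR] = $2; iss[NR] = $3 }
        END {
            if (NR == 0) { print "no-chain"; exit }
            if (NR == 1 && subj[1] != iss[1]) { print "leaf-only"; exit }
            for (i = 1; i < NR; i++)
                if (iss[i] != subj[i + 1]) { print "broken"; exit }
            print "issuers-sent"
        }
    '
}

# Live use (HOST:PORT is a placeholder for the KRA or KCA SSL listener):
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | chain_verdict
```

Running the live command against both the KCA and the KRA and comparing the two verdicts shows whether the KRA is the only one omitting its issuers.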