000025413 - How to configure KCA to use a server certificate signed by a trusted CA

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000025413
Applies To: Keon Certificate Authority 5.7
Microsoft Windows NT 4.0 SP6a
Microsoft Internet Explorer
Issue: How to configure KCA to use a server certificate signed by a trusted CA
When users go to the Keon CA 5.7 Enrollment page, a pop-up window shows a Security Alert that claims there is a problem with the site's security certificate. When the user views the SSL server certificate, the full certificate path is not shown, and the Certificate Status shows the message "This certificate cannot be verified up to a trusted certification authority."
Cause: The signing CA and its chain up to the public root CA are not known to the KCA installation where the SSL server certificate is being used.
Resolution: To correct this issue, trust the CA that re-signed the KCA's SSL server certificate and its chain up to the public root CA in the KCA installation. To do this, go to the KCA Admin Interface, CA Operations workbench, select the option 'trust CA certificate', and follow the procedure to trust all CAs one by one. Make sure you trust the CAs in order such that the root CA is trusted first and the CA that signed the server certificate is the last one. Finally, restart KCA services.
Workaround: Trying to use an SSL server certificate with the KCA 5.7 Enrollment Server that was signed by a CA that chains up to a public root CA.
Updated the KCA's httpd.conf (in the WebServer\conf directory) and changed the parameter 'SSLServerCertificateFile' for the Enrollment Server's virtual host to point to a server certificate re-signed by a CA chained up to a public root CA. Or, updated the file WebServer\ssl\certs\enrollServer.cert to contain the new re-signed server certificate.
Legacy Article ID: a16326
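
The ordering rule in the Resolution (root CA trusted first, the CA that signed the server certificate last), as an added example that is not part of the original article or of KCA: given the subject and issuer DN of each CA certificate on hand, it returns the order in which to trust them and reports a missing link in the chain. The function name, the sample DNs and the matching by DN alone are assumptions made for illustration.

```python
# Added example: work out the order for the 'trust CA certificate' step.
# Assumption: certificates are linked by subject/issuer DN only; signatures
# are not checked here, so confirm the certificates themselves separately.

def trust_order(server_issuer, ca_certs):
    """Return CA subject DNs ordered root first, server cert's issuer last.

    server_issuer -- issuer DN taken from the SSL server certificate
    ca_certs      -- dict: subject DN of each CA cert on hand -> its issuer DN
    Raises ValueError when a link is missing or the chain loops.
    """
    chain = []
    current = server_issuer
    while True:
        if current in chain:
            raise ValueError("chain loops back to %r" % current)
        if current not in ca_certs:
            # The condition the article names as the cause: part of the
            # chain up to the root is not available to be trusted.
            raise ValueError("no CA certificate on hand for %r" % current)
        chain.append(current)
        issuer = ca_certs[current]
        if issuer == current:      # self-signed, so this is the root
            break
        current = issuer
    chain.reverse()                # walked upward; trust order is downward
    return chain


# Constructed sample DNs (hypothetical, not taken from the article).
SAMPLE_CAS = {
    "CN=Example Public Root CA": "CN=Example Public Root CA",
    "CN=Example Intermediate CA": "CN=Example Public Root CA",
    "CN=Example Issuing CA": "CN=Example Intermediate CA",
}
SAMPLE_SERVER_ISSUER = "CN=Example Issuing CA"

if __name__ == "__main__":
    order = trust_order(SAMPLE_SERVER_ISSUER, SAMPLE_CAS)
    for step, subject in enumerate(order, 1):
        print("%d. trust %s" % (step, subject))
```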
