|Applies To||Keon Certificate Authority 5.7|
Microsoft Windows NT 4.0 SP6a
Microsoft Internet Explorer
|Issue||How to configure KCA to use a server certificate signed by a trusted CA|
When users go to the Keon CA 5.7 Enrollment page, a pop-up window shows a Security Alert that claims there is a problem with the site's security certificate. When the user views the SSL server certificate, the full certificate path is not shown, and the Certificate Status shows the message "This certificate cannot be verified up to a trusted certification authority."
|Cause||The signing CA and its chain up to the public root CA is not known to the KCA installation where the SSL server certificate is being used|
|Resolution||To correct this issue, trust the CA that re-signed the KCA's SSL server certificate and its chain up to the public root CA in the KCA installation. To do this, go to the KCA Admin Interface, CA Operations workbench, select the option 'trust CA certificate', and follow the procedure to trust all CAs one by one. Make sure you trust the CAs in order such that the root CA is trusted first and the CA that signed the server certificate is the last one. Finally, restart KCA services.|
|Workaround||Trying to use a SSL server certificate with KCA 5.7 Enrollment Server that was signed by a CA that chains up to a public root CA|
Updated the KCA's httpd.conf (in the WebServer\conf directory) and changed the parameter 'SSLServerCertificateFile' for the Enrollment Server's virtual host to point to a server certificate re-signed by a CA chained up to a public root CA. Or, updated the file WebServer\ssl\certs\enrollServer.cert to contain the new re-signed server certificate.
|Legacy Article ID||a16326|