|Applies To||Keon Certificate Authority 6.0|
Microsoft Windows 2000 Server SP4
|Issue||Keon Certificate Authority (KCA) shows LDAP failures on the web-based KCA administrative console (if it's already running) and the KCA Administration Server does not start (if stopped)|
The following error shows on the KCA administrative interface (if the KCA Administration Server is already running):
!LDAP Search(): [XrcLDAPUNABLE] unspecified failure in LDAP operation
The KCA Administration Server log files (in the directory <KCA-installation-dir>\WebServer\logs\) admin-cipher.log and renewal-cipher.log show the following errors:
Init: Ops, you want to request client authentication, but no CAs are known for verification!? [Hint: SSLCACertificate*]
The above error signifies that the KCA Administration Server cannot retrieve the list of known CA certificates from the KCA Secure Directory Server (possibly due to a failed LDAP SSL connection).
|Cause||KCA's internal SSL server certificates (in the directories WebServer\ssl\certs\, LogServer\ssl\certs\, LogServer\sign\certs\, CmpServer\ssl\certs\, Xudad\ssl\certs\) have expired|
KCA's System CA and/or Administrative CA certificates have expired
The Administrator's certificate (stored in the web browser) issued by the Administrative CA has expired
Verify whether the SSL server, System CA, and/or Administrative CA certificates have expired. The various KCA SSL server certificates can be inspected by copying them to a temporary directory on a Windows machine, giving each copy the file extension ".cer", and then opening each certificate file by double-clicking its name in Windows Explorer. The System CA certificate is usually saved in the <KCA-installation-dir>\LogServer\ssl\certs\cas.cert file. Its validity dates can be inspected using the same procedure. The Administrative CA certificate usually expires a few days earlier than the System CA certificate.
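The validity check described above can also be scripted instead of opening each file in Windows Explorer. The following is an added example, not part of the original article or of KCA; it assumes the certificate files are standard X.509 in PEM or DER encoding, and the embedded sample is a constructed, unsigned skeleton rather than a real KCA certificate.

```python
import base64, datetime, re, sys

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                            # UTCTime carries a 2-digit year
        s = ("19" if int(s[:2]) >= 50 else "20") + s   # RFC 5280 pivot
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def cert_validity(data):
    """Return (not_before, not_after) for a PEM or DER X.509 certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", data, re.S)
    raw = base64.b64decode(m.group(1)) if m else data
    _, pos, _ = tlv(raw, 0)                    # Certificate
    _, pos, _ = tlv(raw, pos)                  # TBSCertificate
    tag, _, end = tlv(raw, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _i in range(3):                        # serial, signature alg, issuer
        _, _, pos = tlv(raw, pos)
    _, pos, _ = tlv(raw, pos)                  # Validity
    t1, s1, e1 = tlv(raw, pos)
    t2, s2, e2 = tlv(raw, e1)
    return parse_time(t1, raw[s1:e1]), parse_time(t2, raw[s2:e2])

def is_expired(data, now):
    return now > cert_validity(data)[1]

# Constructed sample: an unsigned certificate skeleton, not a real KCA file.
def enc(tag, body):
    return bytes([tag, len(body)]) + body      # short-form lengths only
SAMPLE = enc(0x30, enc(0x30,
    enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + enc(0x30, b"")
    + enc(0x30, enc(0x17, b"040101000000Z") + enc(0x17, b"060101000000Z"))))

if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    for path in sys.argv[1:] or [None]:        # no arguments: check the sample
        data = open(path, "rb").read() if path else SAMPLE
        nb, na = cert_validity(data)
        print(path or "SAMPLE", nb, na, "EXPIRED" if now > na else "ok")
```

Pass the certificate file paths as arguments, for example the cas.cert file and the files in the ssl\certs directories listed under Cause.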
|Legacy Article ID||a27157|