000022161 - Keon Certificate Authority (KCA) shows LDAP failures on the web-based KCA administrative console (if it's already running) and the KCA Administration Server does not start (if stopped)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3


Article Number: 000022161
Applies To: Keon Certificate Authority 6.0
Microsoft Windows 2000 Server SP4
Issue: Keon Certificate Authority (KCA) shows LDAP failures on the web-based KCA administrative console (if it's already running) and the KCA Administration Server does not start (if stopped)
The following error shows on the KCA administrative interface (if the KCA Administration Server is already running):

    Program Error
    !LDAP Search(): [XrcLDAPUNABLE] unspecified failure in LDAP operation
The KCA Administration Server log files admin-cipher.log and renewal-cipher.log (in the directory <KCA-installation-dir>\WebServer\logs\) show the following error:

    Init: Ops, you want to request client authentication, but no CAs are known for verification!? [Hint: SSLCACertificate*]

The above error signifies that the KCA Administration Server cannot retrieve the list of known CA certificates from the KCA Secure Directory Server (possibly because the LDAP SSL connection failed).
Cause: any of the following
KCA's internal SSL server certificates (in the directories WebServer\ssl\certs\, LogServer\ssl\certs\, LogServer\sign\certs\, CmpServer\ssl\certs\, Xudad\ssl\certs\) have expired
KCA's System CA and/or Administrative CA certificates have expired
The Administrator's certificate (stored in the web browser) issued by the Administrative CA has expired
Resolution

Verify that the SSL server, the System CA, and/or the Administrative CA certificates have expired. The various KCA SSL server certificates can be inspected by copying them to a temporary directory on a Windows machine with the file extension ".cer", and then opening each certificate file by double-clicking its name in Windows Explorer. The System CA is usually saved in the <KCA-installation-dir>\LogServer\ssl\certs\cas.cert file; its validity dates can be inspected using the same procedure. The Administrative CA certificate usually expires a few days earlier than the System CA certificate.

Listed below are the overall steps required to renew the already expired certificates:

1. Set the system date back to a date when all the above expired certificates were still valid

2. Re-sign the System CA (assuming that it has expired) to renew its validity date (CA Operations -> view System CA -> click the "Re-sign" button -> follow the prompts to renew the CA certificate)

3. Re-sign the Administrative CA (assuming that it has expired) to renew its validity date (CA Operations -> view Administrative CA -> click the "Re-sign" button -> follow the prompts to renew the CA certificate; note that the Administrative CA is signed by the System CA)

4. Restart all KCA services

5. Assuming that the KCA administrator certificate has also expired (or is about to expire), make a new administrative certificate request (get the request URL from the KCA Administrator Operations workbench -> Administrator URLs) and issue a new administrator's certificate (from the Administrator Operations workbench)

6. Test to confirm that you can access the KCA web-based administrative interface using the new administrator certificate

7. Re-issue the KCA SSL server certificates, one at a time, from Administrator Operations workbench -> Server Certificates -> "Re-issue" option. Select admin.cert to begin with, and repeat the process for all other "Internal Certificates"

8. Check the file system to ensure that all those certificates have been renewed and replaced

9. Update LogServer\ssl\certs\cas.cert and Xudad\ssl\certs\cas.cert to add the PEM-formatted new System CA certificate, replacing the old one

10. Stop all KCA services

11. Change the system date back to the current date and time

12. Start all KCA services
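As an added example (not part of RSA's article or of the KCA product), the following Python script reports the validity period of every certificate in a file, which covers both the expiry check described under Resolution and the post-renewal check in step 8 without copying files to another machine. It assumes the KCA certificate files are standard X.509 certificates in PEM or DER form (the article implies this by opening them as ".cer") and handles multi-certificate PEM bundles such as cas.cert; passing `now` evaluates validity as KCA would see it after the date change in step 1.

```python
import base64, datetime, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)  # each cert in a bundle
UTC = datetime.timezone.utc

def _tlv(buf, pos):  # decode one DER tag/length header at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):  # yield (tag, value_start, value_end) for each element of a SEQUENCE body
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def _time(tag, raw):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) into an aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s   # RFC 5280 century rule for UTCTime
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cs, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)                # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                 # drop the optional explicit [0] version field
        fields = fields[1:]
    _, vs, ve = fields[3]                    # serialNumber, signature, issuer, validity, ...
    (t1, a, b), (t2, c, d) = _children(der, vs, ve)
    return _time(t1, der[a:b]), _time(t2, der[c:d])

def check_file(data, now=None):
    """Report each certificate in PEM-bundle or raw DER bytes as of `now` (default: current UTC time)."""
    now = now or datetime.datetime.now(UTC)
    blobs = [base64.b64decode(b) for b in PEM_RE.findall(data)] or [data]
    return [{"index": i, "not_before": nb, "not_after": na, "expired": now > na, "not_yet_valid": now < nb}
            for i, (nb, na) in enumerate(map(validity, blobs))]

# Constructed sample, not a real KCA certificate: a skeleton with empty issuer and placeholder
# signature whose validity ran 2006-01-01 to 2007-01-01 UTC, enough to exercise the parser.
SAMPLE_DER = bytes.fromhex(
    "3033 302c a003020102 020101 3000 3000"          # Certificate, tbsCertificate, version, serial, sigAlg, issuer
    "301e 170d 303630313031303030303030 5a"          # validity: notBefore = UTCTime 060101000000Z
    "170d 303730313031303030303030 5a 3000 030100")  # notAfter = UTCTime 070101000000Z, then sig placeholders
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

Run `check_file(open(path, "rb").read())` against each file under the ssl\certs\ directories named in the Cause section; a cas.cert bundle yields one entry per certificate, so an old System CA left behind in step 9 shows up as an extra expired entry.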

For more details on some of the steps listed above, see the following solutions:

How to re-sign a CA that is about to expire?
How to re-issue KCA Server Certificates that are about to expire

Legacy Article ID: a27157
