How to re-issue expired (or about to expire) server certificates for KRA?
Originally Published: 2002-10-04
Applies To
Keon Certificate Authority 6.0.2
Microsoft Windows 2000 Server SP2
Microsoft Windows NT 4.0 SP6a
Issue
KRA Administration Server continues to reload when KRA services are restarted
The following entries may show up in the <KRA-install-dir>\WebServer\logs\admin-cipher.log file:
[<date/time> <id>] [info] Init: Loading certificate & private key of SSL-aware server <host-name>:<admin-port>
[<date/time> <id>] [info] Init: Configuring server <host-name>:<admin-port> for SSL protocol
[<date/time> <id>] [warn] Init: Ops, you want to request client authentication, but no CAs are known for verification!? [Hint: SSLCACertificate*]
The KRA server certificates had expired and were replaced with newly re-issued certificates, following the procedures in the KRA and KCA Administrator's Guides. The KRA services start, but the following error appears when you try to open the KRA Admin interface in the browser:
Program Error
!LDAP Search(): [XrcLDAPUNABLE] unspecified failure in LDAP operation.
Cause
The KRA's LDAP ACL rules grant access only by the MD5 (Certificate ID) of the original server certificates, and the KRA LDAP database contains no xuda_certificate entries for the re-issued certificates. Once the new certificates are in place, the KRA's own client certificate is no longer authorised by the directory, so the LDAP search fails.
Resolution
---------------------------------------------------------------
On KCA (where the target CA for the KRA is hosted):
---------------------------------------------------------------
1. Stop KCA services and make a full backup of the KCA installation
2. On the command prompt, go to <KCA-install-dir>\Xudad\db directory, and run the following command:
C:\<KCA-install-dir>\Xudad\db\>..\bin\ldbmcat -n id2entry.dbh > kcadb.ldif
This will generate a text file "kcadb.ldif" that will contain the complete KCA database
3. Start KCA services
4. Open the file "kcadb.ldif" in a text editor and locate the xuda_certificate objects in kcadb.ldif that correspond to the new KRA server certs (by looking up their MD5s). Copy those objects to a temporary text file, say, "certs-to-add.txt".
5. Copy this temp file ("certs-to-add.txt" created in step 4 above) to the KRA box
-----------
On KRA:
-----------
6. Stop KRA services and make a full backup of the KRA installation
7. If the old KRA server certs have not yet expired, start KRA services and modify the LDAP rules as follows:
a. Make a note of the MD5/Certificate ID of all the re-issued KRA server certificates, especially for the new admin.cert (KRA Administration Client certificate), enroll.cert (KRA Enrollment Client certificate), and scep.cert (KRA SCEP Client certificate).
b. Go to the "System Configuration" workbench, and click on "LDAP rules"
c. By default, the LDAP rules only contain the MD5s of admin.cert, enroll.cert, and scep.cert. Add new line(s) to each LDAP rule to grant the new KRA server certificates the same access. DO NOT REMOVE any existing line; only add new lines. Each new line may look like:
by dn="md5=xxxxxxxxxxxxxxxxxxxxxxxxxxx" write
d. Save the updated LDAP rules by clicking the "Save ACL rules to database" button
8. If the old KRA server certs have already expired, KRA may not start. In this case, temporarily set the system clock back far enough that the expired certs are valid again on that machine. The KRA services will then start, but you may not be able to access the KRA Admin interface. Keep the clock rolled back only for as long as the ACL edit takes: anything the KRA logs or issues in that window carries the wrong timestamp.
If the LDAP rules still cannot be accessed through the KRA Admin interface, follow these steps:
a. Go to the url, http://<KRA-host-name>:<admin-port>/ra/admin/listuclass.xuda
b. Click on "List" link for objectclass "umichACL"
c. Click on "Edit" button for the object "entry=uofmacl,o=acl"
d. Copy the text of the "ACLTEXT" attribute. The browser shows only one line for this attribute, but the value is the complete listing of the LDAP rules, which you can see by scrolling down in the edit box. Make sure that you copy the entire LDAP rules.
e. Paste the LDAP rules in a text editor and modify the rules according to the procedure listed in Step #7 above
f. After modifying the rules, copy them back to the text edit box against "ACLTEXT" attribute
g. Save the rules by clicking on the "REPLACE Object" button
Now reset the system clock to the current date/time and stop KRA services
9. On the command prompt, go to <KRA-install-dir>\Xudad\db directory, and run the following command:
C:\<KRA-install-dir>\Xudad\db\>rsakeon_reindex.bat ..\bin kradb
This will generate a text file "kradb.ldif" and will wait for you to press any key after the following message:
"Okay, that worked.........."
DO NOT press any keys at this point. Some changes need to be made to the kradb.ldif file before continuing with the above script.
10. Add the contents of "certs-to-add.txt" (created in step 4 and copied to the KRA in step 5) to the kradb.ldif file
11. Now go back to the script rsakeon_reindex that's still in the prompt mode and press any key to continue
12. Replace the old KRA server certs with the newly reissued certs
13. Start KRA services
NOTE: While correcting/updating the LDAP ACL rules, the correct MD5s must be obtained. One way to find them is to use the serial numbers of admin.cert and enroll.cert, viewed through MSIE (rename the cert files with the extension "crt" or "cer" so that the Microsoft Certificate Manager recognises them as digital certificates and opens the certificate details in a window). Then find the matching certs through the KCA admin interface (Administrator Operations -> Installation -> cert-active) by matching those serial numbers.
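The three hand edits in the procedure above (step 4: pull the new xuda_certificate objects out of kcadb.ldif; step 10: splice them into kradb.ldif without duplicating DNs; steps 7c/8e: add a "by dn=md5=..." line for each re-issued cert beside the old one in every rule, removing nothing) are easy to get wrong by hand, and a wrong MD5 is only noticed when the KRA fails to start again. The following Python script is an added example, not Keon code, that does those edits over LDIF text. It assumes that the Certificate ID is the MD5 of the DER-encoded certificate, that xuda_certificate entries carry that MD5 as an "md5=<32 hex>" RDN, and that the ACL text is umich-style "access to ... by ..." rules; the sample LDIF and ACL data are constructed, not a real Keon export.

```python
"""Helpers for re-issuing KRA server certs (added example, not Keon code)."""
import hashlib
import re

# Assumed schema: Keon cert entries use an md5=<hex> RDN; ACL grants are "by dn=...".
MD5_RDN = re.compile(r"(?:^|,)\s*md5=([0-9a-fA-F]{32})")
ACL_BY = re.compile(r'^(\s*)by\s+dn="md5=([0-9a-fA-F]{32})"\s+(\S+)\s*$')


def cert_md5(der_bytes: bytes) -> str:
    """Lowercase-hex MD5 of a DER certificate (assumed to be the Keon Certificate ID)."""
    return hashlib.md5(der_bytes).hexdigest()


def ldif_entries(text: str):
    """Parse LDIF into (dn, attrs, raw_block); raw_block is kept verbatim so it can
    be copied into another LDIF file unchanged."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.strip():
            continue
        attrs = {}
        # LDIF folds long values onto following lines that start with one space.
        for line in re.sub(r"\n ", "", block).splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.lstrip(": ").strip())
        out.append((attrs.get("dn", [""])[0], attrs, block))
    return out


def select_cert_entries(kcadb_ldif: str, wanted_md5s):
    """Step 4: xuda_certificate entries whose md5 RDN is in wanted_md5s.
    Returns ({md5: raw_block}, {md5s not found}) so a mistyped MD5 is caught early."""
    wanted = {m.lower() for m in wanted_md5s}
    found = {}
    for dn, attrs, block in ldif_entries(kcadb_ldif):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        m = MD5_RDN.search(dn)
        if "xuda_certificate" in classes and m and m.group(1).lower() in wanted:
            found[m.group(1).lower()] = block
    return found, wanted - set(found)


def append_entries(kradb_ldif: str, cert_blocks):
    """Step 10: append entries to kradb.ldif, skipping DNs already present.
    Returns (new_text, number_of_entries_added)."""
    existing = {dn.lower() for dn, _, _ in ldif_entries(kradb_ldif)}
    to_add = []
    for block in cert_blocks:
        dn = ldif_entries(block)[0][0].lower()
        if dn and dn not in existing:
            to_add.append(block)
            existing.add(dn)
    if not to_add:
        return kradb_ldif, 0
    return kradb_ldif.rstrip("\n") + "\n\n" + "\n\n".join(to_add) + "\n", len(to_add)


def add_acl_lines(acl_text: str, old_to_new: dict) -> str:
    """Steps 7c/8e: after every 'by dn="md5=<old>" <access>' line, in every rule,
    add the same line for the re-issued cert. Old lines are never removed (the old
    cert must keep working until step 12). Idempotent on a second run."""
    rules, cur = [], []
    for line in acl_text.splitlines():          # a rule starts at "access to ..."
        if line.strip().lower().startswith("access") and cur:
            rules.append(cur)
            cur = []
        cur.append(line)
    if cur:
        rules.append(cur)
    out = []
    for rule in rules:
        present = {l.strip() for l in rule}     # dedupe per rule, not globally
        for line in rule:
            out.append(line)
            m = ACL_BY.match(line)
            if not m or m.group(2).lower() not in old_to_new:
                continue
            indent, old, access = m.groups()
            cand = f'{indent}by dn="md5={old_to_new[old.lower()].lower()}" {access}'
            if cand.strip() not in present:
                out.append(cand)
                present.add(cand.strip())
    return "\n".join(out) + "\n"


# Constructed sample data (not a real Keon export; attribute names are assumed).
NEW_ADMIN_MD5, NEW_ENROLL_MD5 = "0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210"
OLD_ADMIN_MD5, OLD_ENROLL_MD5 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SAMPLE_KCADB_LDIF = f"""\
dn: o=acl
objectclass: top
objectclass: organization

dn: md5={NEW_ADMIN_MD5},o=certs
objectclass: top
objectclass: xuda_certificate
cn: KRA Administration Client (re-issued admin.cert)

dn: md5={NEW_ENROLL_MD5},o=certs
objectclass: top
objectclass: xuda_certificate
cn: KRA Enrollment Client (re-issued enroll.cert)
"""
SAMPLE_KRADB_LDIF = "dn: entry=uofmacl,o=acl\nobjectclass: top\nobjectclass: umichACL\n"
SAMPLE_ACL = f"""\
access to attr=userpassword
        by dn="md5={OLD_ADMIN_MD5}" write
        by * none
access to *
        by dn="md5={OLD_ADMIN_MD5}" write
        by dn="md5={OLD_ENROLL_MD5}" write
        by * read
"""

if __name__ == "__main__":
    found, missing = select_cert_entries(SAMPLE_KCADB_LDIF, [NEW_ADMIN_MD5, NEW_ENROLL_MD5])
    assert not missing, f"not in kcadb.ldif: {missing}"
    kradb, n = append_entries(SAMPLE_KRADB_LDIF, found.values())
    print(f"added {n} entries to kradb.ldif")
    print(add_acl_lines(SAMPLE_ACL, {OLD_ADMIN_MD5: NEW_ADMIN_MD5, OLD_ENROLL_MD5: NEW_ENROLL_MD5}))
```

On a real installation you would read kcadb.ldif and kradb.ldif from disk, write `"\n\n".join(found.values())` out as certs-to-add.txt, and paste the output of `add_acl_lines` back into the ACLTEXT attribute; the `missing` set should be empty before anything is written, and the script refuses to drop an existing ACL line, which is the page's own rule for step 7c.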
Workaround
Follow the procedure to re-issue KRA server certificates documented in the following guides:
KRA 6.0.2 Administrator's Guide, page 185
KCA 6.0.2 Administrator's Guide, page 374