Unable to use Administrators Client SSL Certificate
3 years ago
Originally Published: 2003-02-07
Article Number
000055498
Applies To
Keon Certificate Authority 6.0
Keon Registration Authority 6.0
Microsoft Internet Explorer
Issue
Unable to use Administrators Client SSL Certificate
Error: "The page cannot be displayed" in Web browser when accessing a secured page (client authenticated)
Error: "inst-forms/apply-acl.xuda page cannot be found" appears during Keon Registration Authority installation
If the CA certificate is installed in the IE browser and the client SSL certificate is examined, browser will display: "non valid digital signature"
Client certificate cannot be used for Client Side SSL
Cause
If the original CA certificate did not include the Authority Key Identifier (AKI) and Subject Key Identifier (SKI) extensions, and the CA certificate is re-signed WITHOUT applying new certificate extensions (especially the AKI and SKI extensions), then the new CA will be created without AKI and SKI extensions. If the Jurisdiction Extension Profile requires certificates to have AKI and SKI, the client certificates (including KRA Administrator SSL Certificates) are created with AKI and SKI extensions, and will not chain correctly to the CA and will not be valid for SSL authentication.
Resolution
To correct this issue, temporarily disable the Jurisdiction Profile Enforcement on the CA, then re-sign the CA certificate with AKI and SKI extensions. For more details on the usage of AKI and SKI extensions, see RFC 3280.

For more information, see the solutions titled Error: 'The resign CA is not allowed to Name change' when trying to resign external CA and KRA installation fails shortly after SSL certificate retrieval and port configuration.
Workaround
The CA Certificate has been re-signed without applying new certificate extensions
Changes have been made to the Jurisdiction for the CA, specifically "Enforce Profile Definition" on "Extension Profiles"

Related Articles

Trending Articles

Don't see what you're looking for?