KCA gives invalid signature when approving certificate request
Originally Published: 2003-06-05
Article Number
Applies To
Microsoft Windows 2000 Server SP3
Certificate enrollment with a PKCS#10
Issue
Request does not give error on older versions of KCA
Cause
Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
The "Attributes" field is not marked as OPTIONAL, so it must be present. However, a "SET OF" can include zero or more elements. So, a properly constructed Certificate Request with no attributes will include the encoded SET OF with a zero length for the contents.
Historically, some PKI products (including earlier versions of the Keon Certificate Authority) have misinterpreted the standard and omitted the "Attributes" field when no attributes were present. This causes interoperability issues, and the issues have been fixed in later versions of KCA.
When attempting to import into KCA a PKCS#10 Certificate Request that omits the "Attributes" field, an error will be returned.
Resolution
Workaround
KCA 6.5 validates certificate request where older versions did not
Related Articles
Approvals using PublicData_ form variables auto-approve by System in RSA Identity Governance & Lifecycle Number of Views RSA Governance & Lifecycle Recipes: Chart - Review Results - Reviewer Entitlement Types Number of Views RSA Governance & Lifecycle Recipes: Chart - Review Results - Reviewer Coverage Number of Views New Feature: Log Artifact in RSA Governance and Lifecycle Number of Views Approve and Reject User Requests Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory Mandatory Certificate Upgrade Required by 6th October 2025 for RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third … RSA Authentication Manager 8.9 Release Notes (January 2026)
Don't see what you're looking for?
