KCA gives invalid signature when approving certificate request
Originally Published: 2003-06-05
Article Number
Applies To
Microsoft Windows 2000 Server SP3
Certificate enrollment with a PKCS#10
Issue
Request does not give error on older versions of KCA
Cause
Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
The "Attributes" field is not marked as OPTIONAL, so it must be present. However, a "SET OF" can include zero or more elements. So, a properly constructed Certificate Request with no attributes will include the encoded SET OF with a zero length for the contents.
Historically, some PKI products (including earlier versions of the Keon Certificate Authority) have misinterpreted the standard and omitted the "Attributes" field when no attributes were present. This causes interoperability issues, and the issues have been fixed in later versions of KCA.
When attempting to import into KCA a PKCS#10 Certificate Request that omits the "Attributes" field, an error will be returned.
Resolution
Workaround
KCA 6.5 validates certificate request where older versions did not
Related Articles
Approvals using PublicData_ form variables auto-approve by System in RSA Identity Governance & Lifecycle Number of Views Approval activity throws a Request Could Not Be Handled error in RSA Identity Governance & Lifecycle Number of Views Approve and Reject User Requests Number of Views How approval activity behaves when change request items are grouped by category in RSA Identity Governance & Lifecycle Number of Views Error message received when approving KCA installation certificate request Number of Views
Trending Articles
Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Governance & Lifecycle 8.0.0 Administrators Guide RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
