SSO top-level profile exception: , com.rsa.fim.profile.sso.SSOProfileException: Error signing assertion: util.crypto.dsig.error.sign: null

Caused by: com.rsa.fim.exception.CryptoUtilException: util.crypto.dsig.error.sign: null at com.rsa.fim.util.crypto.DSigHelper.sign(DSigHelper.java:124)

When replacing the certificate for an existing private key, the existing certificate will be overwritten with the new certificate by keytool. This is true for either a self signed certificate or for a certificate that has been signed by a CA.

To list the certificates enter the command "keytool -list -v -keystore mykeystore.jks"

If you have the private key in the keystore it will report back "Entry type: keyEntry" whereas if the private key is not present it will say "Entry type: trustedCertEntry"

The match up of certificate to private key is performed if the alias is the same, so before importing the certificate response from the CA make sure the alais value is correct.

To import the certificate reply from the CA with the signed certificate run "keytool -import -alias mykey -trustcacerts -file myjks.cer -keystore mykeystore.jks"

If the alias is matched to the private key during the import you will see this message: "Certificate reply was installed in keystore"