AEP Proxy Windows Event Viewer App log: submitRequestToCA returned 8c020009
Originally Published: 2010-06-10
Article Number
Applies To
RSA Certificate Manager (RCM)
Auto Enrollment Proxy (AEP)
Issue
RCM Windows Event Viewer App log: WsalWriteClient() failed with return code = [105]
Windows Enrollment Client Pop-up error: The certificate request failed: Unspecified error
Xudad trace.log entry: signing XXXX signerSignCertificate.c:1585 Return code = XrcCONVERSIONFAILURE (68)
Cause
CAUSE #2: Extension profiles are configured in a manner that manual user input is required. AEP is designed to function such that all information that it needs to sign a certificate request is supplied either in the request itself or is specified in the Extension Profile settings. If an Extension profile is configured such that some user input is required, RCM will be unable to issue the certificate automatically via AEP.
In the example below, a misconfigured extension profile (here, cRLDistPoints) is set to default to 3 cRLDP values, but only 1 value is actually set. Some user input is therefore required, either to supply the other 2 values or to change the extension so that only 1 cRLDP is included.
{
  name : 'CRL Distribution Points',
  type : 'mandatory',
  autogenerate : false,
  critical : {
    def : false,
    editable : false,
    visible : true,
    type : 'mandatory'
  },
  cRLDistPointsSyntax : {
    def : 3,
    min : 1,
    max : 10,
    visible : true,
    editable : true,
    type : 'mandatory',
    elements : [
      {
        editable : true,
        visible : true,
        type : 'optional',
        distributionPoint : {
          def : 'fullName',
          editable : true,
          visible : true,
          type : 'mandatory',
          value : {
            min : 1,
            max : 10,
            def : 1,
            editable : true,
            visible : true,
            elements : [
              {
                def : 'uRI',
                editable : true,
                visible : true,
                type : 'mandatory',
                value : {
                  def : 'http://profileenforceworks',
                  editable : true,
                  visible : true,
                  type : 'mandatory',
                  validator : 'extCheckGenName(this)'
                }
              }
            ]
          }
        }
      }
    ]
  }
}
A good way to test this is to manually issue a certificate request that has been submitted via AEP. If the manual process requires you to enter some input (the wizard will not let you continue without supplying a parameter), then the request cannot be automatically vetted and signed.
Resolution
If the Jurisdiction has Email Notification enabled and there are any errors with SMTP, then these errors and this behavior will occur. The client machine will get the unspecified error when certificate enrollment is attempted via the MMC Certificates plugin, yet the certificate will be created by RCM.
This behavior is caused by the AEP proxy not knowing what to do with the SMTP error information and ending its client session before the download is complete. Email notification is NOT needed for an AEP enabled Jurisdiction. Because of the automatic generation and immediate download of certs, email notification to the subscriber or vettor is NOT needed. As a matter of best practice, AEP should use dedicated Jurisdiction(s) which are typically NOT used for manual enrollment.
This issue is avoidable if a dedicated Jurisdiction for AEP is created that has email disabled.
SOLUTION for CAUSE #2:
Update any extension profiles that are required for your AEP issued certificates to ensure that valid values are supplied in the extension profile definition. Verify that requests can be processed manually without requiring additional user input.
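A pre-check for the CAUSE #2 condition, as an added example that is not RSA code: it walks a profile object and reports every repeated field whose default count is larger than the number of entries defined. Assumptions: the function name, the reading of a numeric def beside an elements array as the default entry count, the second "empty mandatory value" check, and the condensed sample profile constructed from the one shown above.

```javascript
// Added example, not RSA code. Assumption: a node with a numeric `def` and an
// `elements` array is a repeated field whose `def` is the default entry count.
function findManualInputGaps(node, path = 'profile', gaps = []) {
  if (node === null || typeof node !== 'object') return gaps;

  // Case from the article: default count larger than the entries defined.
  if (typeof node.def === 'number' && Array.isArray(node.elements) &&
      node.def > node.elements.length) {
    gaps.push({ path, reason: 'count', wanted: node.def, supplied: node.elements.length });
  }

  // Assumed second case: a mandatory leaf value with no default supplied.
  const isLeaf = !Object.values(node).some(v => v !== null && typeof v === 'object');
  if (isLeaf && node.type === 'mandatory' && (node.def === undefined || node.def === '')) {
    gaps.push({ path, reason: 'empty' });
  }

  // Recurse into nested objects and into each entry of nested arrays.
  for (const [key, child] of Object.entries(node)) {
    if (Array.isArray(child)) {
      child.forEach((item, i) => findManualInputGaps(item, `${path}.${key}[${i}]`, gaps));
    } else if (child !== null && typeof child === 'object') {
      findManualInputGaps(child, `${path}.${key}`, gaps);
    }
  }
  return gaps;
}

// Constructed sample: the article's profile with display-only keys omitted.
const sampleProfile = {
  name: 'CRL Distribution Points',
  type: 'mandatory',
  cRLDistPointsSyntax: {
    def: 3, min: 1, max: 10, type: 'mandatory',
    elements: [{
      type: 'optional',
      distributionPoint: {
        def: 'fullName', type: 'mandatory',
        value: { def: 1, min: 1, max: 10, elements: [{ def: 'uRI', type: 'mandatory',
          value: { def: 'http://profileenforceworks', type: 'mandatory' } }] }
      }
    }]
  }
};

console.log(findManualInputGaps(sampleProfile));
```

An empty result means the walk found neither condition; the manual issuance test described under Cause remains the authoritative check.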