Only get 1 certificate template to enroll successfully using AEP even though there 3 custom V2 templates.

2 years ago

Originally Published: 2011-06-28

Article Number

000045197

Applies To

RSA Certificate Manager (RCM)
RSA Certificate Manager RCM 6.8

Auto Enrollment Proxy (AEP)

Issue

Only get 1 certificate template to enroll successfully using AEP, even though there 3 custom V2 templates.

Turning on full debug in AEP and enabling audit logging in RCM gave the following errors:

AEP: thread=dd4 errorReason checking: error value = CA not available in the database.

RCM 6.8 build 520:

<![CDATA[Receive a certificate request failed:certificate presented: md5=f2e7b896544f0c931cd8a6ae5638d504; Request ID:C0A8390B0000027C000000010000002F; Request Status:Refused; Refuse Reason:invalid signature]]>

<![CDATA[Certificate signing: failed; [XrcDECODINGFAILURE: unable to complete decoding operation]; certificate presented: md5=ea158beaccdd55d2de552ce2e7b9b156]]></LOG_DATA>

Cause

The root cause of this issue was that the instructions in the Windows PKI admin guide don?t give complete instructions for modifying the aep.xuda file.

If you want to add multiple templates to aep.xuda, you need to add them using the ?!elseif? clause. If you have multiple ?!if? clauses in the aep.xuda file, only the first ?!if? clause will be honored and the other ?!if? clause templates will not be loaded.

Resolution

If you want to add multiple templates to aep.xuda, you need to add them using the ?!elseif? clause. If you have multiple ?!if? clauses in the aep.xuda file, only the first ?!if? clause will be honored and the other ?!if? clause templates will not be loaded.

Here?s an example snippet aep.xuda file that is showing the correctly configured templates. The new templates added are ?JDT Users?, ?JDT Sign?, and ?JDT Admin?.

!if RESULT="XrcOK"

[@domainid=['2fad530e3e696a7fe9caca7bac7aa95d0b328507']]

[@ca=[xuda_ca.MD5]]

[@PRO='No Extensions']

[@customSAN="0"]

[@useAD='1']

!if profileId="DEFINED"

[@pkcs10input=[cert_request]]

!if profileId="Machine"

[@PRO='No Extensions']

!elseif profileId="DomainController"

[@PRO='No Extensions']

!elseif profileId="User"

[@PRO='No Extensions']

!endif

!else

[@mypem="manohar"]

[@myoid="1.2"]

!parsecmc([cert_request],mypem,myoid,spk)

!if myoid="1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.730488.5998425"

[@PRO='1']

[@domainid='2fad530e3e696a7fe9caca7bac7aa95d0b328507']

!elseif myoid="1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.13972722.9132665"

[@PRO='1']

[@domainid='2fad530e3e696a7fe9caca7bac7aa95d0b328507']

!elseif myoid="1.3.6.1.4.1.311.21.8.6368879.10874727.7947197.688262.4259192.242.5106110.3800228"

[@PRO='1']

[@domainid='2fad530e3e696a7fe9caca7bac7aa95d0b328507']

!elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.6251361.11524077"

[@PRO='No Extensions']

[@domainid='f2d1d48d45390fb976447da98d787de8046c1d26']

!elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.30"

[@domainid='b9a2048bed81c05c132260177e294b3f47f565fa']

[@PRO='1']

!elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.29"

[@domainid='b9a2048bed81c05c132260177e294b3f47f565fa']

[@PRO='No Extensions']

!elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.28"

[@domainid='b9a2048bed81c05c132260177e294b3f47f565fa']

[@PRO='No Extensions']

!elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.26"

[@PRO='No Extensions']

!elseif myoid="1.3.6.1.4.1.311.21.8.1405048.9933100.9061002.5889418.1005204.123.1.27"

[@PRO='No Extensions']

!endif

[@pkcs10input=[mypem]]

!endif

Notes

CERTMGR-3911

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles