Troubleshooting Certificate Manager clients
This article describes some error situations that can occur in the Certificate Manager (CM) clients used in Smart ID Certificate Manager.
Where an error can occur in several CM clients, the client is written as <CM client>. Replace it with RA, CC or SP as applicable to the specific CM client.
General error situations
Certificate request was not accepted
When the CM server is set into maintenance mode it will not accept any certificate requests. Certificate revocation tasks can, however, still be performed.
Wait for the CM server to come back into normal operation and repeat the prevented task(s).
The <CM client> does not connect to the CM host
Use Nexus Personal to check that at least one officer ID is accessible. (For example, try to change the PIN code of the ID.)
Make sure that the CM host can be reached by name from the client. Use the ping command in a command prompt window to verify this.
Type
ping <host name>
You will get regular replies from the host if it is active and if the connection works.
The <CM client> takes several minutes connecting to the CM host
This is most likely a name-to-IP-address resolution problem.
Check your DNS or use the IP address of the CM host in the Connect to CM dialog.
The Submit button is not available
The request to Certificate Manager is not ready for submission. This happens if mandatory data or a signature is missing. The reason is displayed on the status bar in the application window.
No device indicator shown in the smart card tab
No personalization device has yet been selected.
Click Devices… and make your choice.
Only applicable to RA.
The 'Procedures' text box is empty
No procedures of the type corresponding to the selected tab (Smart Card/Soft Token/Certificate) below the selection box have yet been defined in CM.
OR
No procedure exists that fits your officer constraints.
Define a procedure using the Administrator's Workbench (AWB).
Only applicable to RA.
Data contained in a request file is not displayed
This may be an issue with the pure certificate issuing capability of the RA, accessible under the Certificates tab. Although the request may contain more fields, only the ones corresponding to the fields in the RA will be accessible to the registration officer unless Auto add data fields in the Fields Chooser has been selected. See Select fields in Registration Authority in Certificate Manager.
Fields that are not shown on the screen will not be included in the certificate.
Nothing happens when I click in an application window
This may occur when there are multiple CM clients active simultaneously and there is a waiting message or an open dialog box in one window and you try to click buttons or commands in another window.
Respond to the message or close the dialog box before you try to perform commands in the other CM client.
Could not connect to <server>
This error may occur if Certificate Factory (CF) is started while MSSQLSERVER is not running and a connection request appears.
Start MSSQLSERVER and restart CF.
Unknown host: <xyz>
This is shown when a misspelled or non-existing host is typed in the Connect to CM dialog.
Check that the server is up and running
This is shown after the Connect to CM dialog when the Certificate Factory (CF) is not running on the selected host.
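The three connection symptoms above (Unknown host, a connection that takes several minutes, and Check that the server is up and running) can be told apart by timing name resolution separately from the TCP connect. The following Python script is an added example, not Nexus code; the port is an assumption you must supply for your installation, and the 2-second threshold and verdict names are illustrative.

```python
import socket
import sys
import time

SLOW_DNS_SECONDS = 2.0  # assumed threshold for "slow"; not a CM setting


def diagnose_cm_connection(host, port, resolve=socket.getaddrinfo,
                           connect=socket.create_connection,
                           clock=time.monotonic, timeout=5.0):
    """Return (verdict, detail) for one connection attempt to the CM host.

    resolve, connect and clock are parameters so the logic can be run
    against stand-ins without touching the network.
    """
    start = clock()
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Matches "Unknown host": misspelled or non-existing name.
        return "unknown-host", f"{host} did not resolve: {exc}"
    dns_seconds = clock() - start

    # Connect to the resolved address rather than the name, so a slow
    # resolver cannot be mistaken for a slow or stopped server.
    address = infos[0][4][:2]
    try:
        connect(address, timeout=timeout).close()
    except OSError as exc:
        # Host resolves but nothing answers on the port, e.g. CF not running.
        return "server-not-reachable", f"{address[0]}:{address[1]} failed: {exc}"

    if dns_seconds > SLOW_DNS_SECONDS:
        return ("slow-name-resolution",
                f"lookup took {dns_seconds:.1f}s; check DNS or use {address[0]}")
    return "ok", f"lookup took {dns_seconds:.2f}s and the TCP connect succeeded"


if __name__ == "__main__":
    # Usage: python cm_connect_check.py <host name> <port>
    verdict, detail = diagnose_cm_connection(sys.argv[1], int(sys.argv[2]))
    print(f"{verdict}: {detail}")
```

A slow-name-resolution verdict corresponds to the advice to check DNS or enter the IP address in the Connect to CM dialog.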
Access denied. Check that your officer constraints permit the submitted operation
This is shown when the officer constraints do not permit an operation. For example, if an officer is only allowed to revoke certificates, this message will be shown when the officer attempts to issue a certificate.
Check that your officer constraints permits revocation
This is shown when the officer constraints do not permit an operation. For example, if an officer is only allowed to create certificates, this message will be shown when the officer tries to revoke a certificate.
Input media not ready
The request file is not found.
Make sure that the path and file name in Request File lead to an existing .p10 file.
Error situations related to transport certificates
CA certificate for <subject-dn> with issuer <issuer-dn> not found
Reason 1: This error message is an ALERT. A smart card with an invalid transport certificate has been detected.
Action 1: Contact IT Security Manager for further investigation.
Reason 2: The transport certificate configuration could be incorrect.
Action 2: Check the configuration; see Initial configuration of Certificate Manager.
CA certificate has expired: <issuer-dn>
Reason: The CA certificate that signed the transport certificate has expired.
Action: All transport certificates signed by this CA are invalid. The following alternatives are available:
All pre-personalized smart cards are invalid and should be destroyed.
Issue a new CA certificate based on the same data.
Turn off the expiration check in the transport certificate modifier module (not recommended).
CA certificate not valid: <issuer-dn>
Reason 1: The clock setting in CM could be wrong.
Action 1: Check the clock and make necessary corrections if required.
Reason 2: The CA certificate has a start date which has not yet occurred and it is therefore not valid.
Action 2: The issuing of certificates must wait. The start date is still in the future.
Transport certificate has expired
Reason: The transport certificate has expired.
Action: The following alternatives are available:
All cards are invalid and should be destroyed.
Turn off the expiration check in the transport certificate modifier module (not recommended).
Certificate signature invalid. Serial Nr <number> Subject <subject-dn> Issuer <issuer-dn>
Reason: This error message is an ALERT.
Action: Contact IT Security Manager for further investigation.
Error when verifying signature. Serial Nr <number> Subject <subject-dn> Issuer <issuer-dn>
Reason: This error message is an ALERT.
Action: Contact IT Security Manager for further investigation.
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.