Could not get certificate from trusted key database

Document ID : KB000102715
Last Modified Date : 12/07/2018
Issue:
Our Federation Partnerships are failing with a 500 error, and the following error appears in smtracedefault.log:

"Could not get certificate from trusted key database"

However, the certificate is present and valid.
Environment:
Applies to all environments 12.52 SP1 CR5 or lower, and 12.7 SP1 and lower.
Cause:
Special characters in a certificate's DN can cause problems: escape characters are introduced into the FED Certs copy of the DN, so it no longer matches the CDS Certs copy. For example:

The certificate's Issuer DN, including its OU entries, is listed as follows:
CN=Certificate,OU="(c) 2012 Company, Inc. - for authorized use only", OU=See www.company.com/legal-terms, O="Company, Inc."

With the special characters preceded by backslashes, it would read as follows:
CN=Certificate,OU=\"\(c\) 2012 Company, Inc. - for authorized use only\", OU=See www.company.com\/legal-terms, O=\"Company, Inc.\"

Because of the mismatch, the FED certificate cannot be matched to a valid certificate, and a 500 error is thrown.
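As an added illustration (not part of the original KB article and not SiteMinder product code), the following Python script compares the FED Certs IssuerDN against the CDS Certs IssuerDN, strips the backslash escapes, and reports whether the two differ only by escaping. The two DN strings are the ones shown above; the function names, the exact-string comparison and the three verdict labels are assumptions for illustration.

```python
import re

# Issuer DN as stored in the CDS Certs section (the value quoted in the article).
CDS_ISSUER_DN = ('CN=Certificate,OU="(c) 2012 Company, Inc. - for authorized use only", '
                 'OU=See www.company.com/legal-terms, O="Company, Inc."')

# The same DN as it appears in the FED Certs section once backslash escapes
# have been introduced (also quoted in the article).
FED_ISSUER_DN = (r'CN=Certificate,OU=\"\(c\) 2012 Company, Inc. - for authorized use only\", '
                 r'OU=See www.company.com\/legal-terms, O=\"Company, Inc.\"')

# A backslash followed by any single character.
_ESCAPE = re.compile(r'\\(.)')


def escaped_characters(dn):
    """Return the sorted set of characters that are backslash-escaped in dn."""
    return sorted(set(_ESCAPE.findall(dn)))


def unescape_dn(dn):
    """Drop the backslash in front of each escaped character."""
    return _ESCAPE.sub(r'\1', dn)


def diagnose(fed_dn, cds_dn):
    """Classify the relationship between a FED Certs DN and a CDS Certs DN.

    'match'           : the strings are identical, so an exact comparison succeeds
    'escape-mismatch' : identical once backslash escapes are removed (the failure
                        this KB describes)
    'mismatch'        : genuinely different DNs; re-pasting the CDS DN will not help
    (Verdict labels are an assumption of this example, not product terminology.)
    """
    if fed_dn == cds_dn:
        return 'match'
    if unescape_dn(fed_dn) == unescape_dn(cds_dn):
        return 'escape-mismatch'
    return 'mismatch'


def suggested_fed_dn(fed_dn, cds_dn):
    """Value to paste into the FED cert's IssuerDN when only the escaping differs.

    Returns None for 'match' (nothing to change) and for 'mismatch', so a DN
    that is genuinely different is never overwritten blindly.
    """
    if diagnose(fed_dn, cds_dn) == 'escape-mismatch':
        return cds_dn
    return None


if __name__ == '__main__':
    print('verdict :', diagnose(FED_ISSUER_DN, CDS_ISSUER_DN))
    print('escaped :', escaped_characters(FED_ISSUER_DN))
    print('paste   :', suggested_fed_dn(FED_ISSUER_DN, CDS_ISSUER_DN))
```

Run against the two DNs from the article, the verdict is 'escape-mismatch', the escaped characters are the double quote, the parentheses and the slash, and the suggested value is the unmodified CDS DN, which is exactly what the workaround below pastes into the FED cert's IssuerDN. A 'mismatch' verdict means the two sections hold different certificates and the escaping explanation does not apply.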
Resolution:
This was fixed in 12.52 SP1 CR6 and 12.7 SP2 by introducing code that uses the CDS Certs version of the certificate if it is unable to find a match in the FED Certs section.

A workaround is to use XPSExplorer to edit the FED Certs entry so that it matches the CDS Certs entry:

1. Disable the partnership that is using this certificate.
2. Check the "Disable Signature Processing" checkbox.
3. Save the partnership.
4. Launch XPSExplorer, navigate to the CDS Certs section (should be option 3), select the appropriate certificate, and copy the Issuer DN exactly (you do not need the leading and trailing quotation marks ["]).
5. Navigate to the Fed Certs (should be option 27), select the appropriate certificate, modify its IssuerDN, and paste the copied Issuer DN in.
6. Save, and quit out.
7. Modify the partnership, and uncheck the "Disable Signature Processing" box.
8. Re-Enable the Partnership.