Differences in IssuerDN when importing a certificate through smkeytool
Document ID : KB000007399
Last Modified Date : 14/02/2018
 Show Technical Document Details
Issue:

We are importing certificates in R12.52 Policy Stores through CLI, using the command to import the cert in base 64 format:

./smkeytool.sh -addCert -alias "Certname" -infile /tmp/"ceertificate"

And when cert is sucessfully imported in Policy Store, if the cert has special characters like "./" in IssuerDN, then the cert is not added properly and thus SAML SSO fails at signature validation, with the error: "Exception while verifying signature"

We have checked certs using XPSExplorer and we see cert is stored in two places as listed below:
1) CA.CDS::
2) CA.FED::

In both, we see different IssuerDN:

1-CA.CDS::
IssuerDN = "C=US,O=Test\, Inc.,OU=See www.Test.net/legal-terms,OU=(c) 2012 Test\, Inc. - for authorized use only,CN=Test Certification Authority - F2K"

2-CA.FED::Certificate
--------------- Attributes from CA.FED::Certificate ---------------
Alias = "test"
CertificateGUID = CA.CDS::Certificate@000b54ff-ef11-16e5-af06-f8a50b1ca4ee
FIPSApproved = true
IssuerDN = "CN=Test Certification Authority - F2K, OU="(c) 2012 Test, Inc. - for authorized use only", OU=See www.Test.net/legal-terms, O="Test, Inc.", C=US"
Type = <Certificate>
-------------------------------------------------------------------

So when we see how it is stored in CA.FED and in CA.CDS. The only difference is in IssuerDN.

How we can solve this? Are we importing the certificate correctly?
Environment:
Policy Server : R12.52 SP1 CR04
Resolution:

There is an issue fixed in R12.52 SP1 CR06 which solves the functional issue of the certs matching regardless of the display in the UI and/or XPSExplorer. You can have two different IssuerDN formats (but logically the same) and the Federation transaction can pick the right one and continue without any issue.

However, this cannot fix the difference in IssuerDN format, which appears differently when having special characters (quotes, apostrophe, etc) in certificates.

FIX : DE144249 PS failed to locate certificate with escape chars in the Issuer field

As workaround, you can modify the IssuerDN on the CA.FED::Certificate object to match the CA.CDS::Certificate IssuerDN. Alternatively, you can export the certificate in Base64 encoded format, and re-import it, as this will correct the IssuerDN.