Exception thrown while exporting metadata using smfedexport from Policy Server.

Document ID : KB000051508
Last Modified Date : 14/02/2018
Customer obtained an exception while executing the smfedexport command.

Command executed:
smfedexport -type saml2idp -expiredays 0 -username ***** -password **** -sign -pubkey

Exception occurred:
An exception occurred while signing metadata document.com.netegrity.SAML2Security.DSigException:
Caught an Exception calling signXMLDocument using IXMLSignature. nulljava.lang.NullPointerException
at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:1016)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:254)
at com.ca.SAML2METADATA.utils.SMFedUtilities.signMetadata(SMFedUtilities.java:166)
at com.ca.smfedexport.tool.IDPMetadataProcessor.generateIdpDescriptor(IDPMetadataProcessor.java:209)
at com.ca.smfedexport.tool.SMFedExport.main(SMFedExport.java:108)

There is no exception if they execute the command without the -sign parameter.

Upon reviewing the list of certificates in the smkeydatabase, the "defaultenterpriseprivatekey" alias is associated with type
"CertificateEntry" instead of "KeyEntry", so there is no private key under that alias for the signer to use, and the signing call fails.

Resolution:
  1. Delete the existing "defaultenterpriseprivatekey" from the Smkeydatabase.

  2. Then convert the private key from the PEM (text) file to PKCS#8 DER (binary) format with the following command. Without -nocrypt,
     openssl prompts for a passphrase and encrypts the output with it; that passphrase is the password you supply to smkeytool in step 4:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM private key file> -out <DER private key file>

  3. Ensure that the public certificate file is PEM, that is Base64-encoded text, not binary DER.

  4. Add the private key and its certificate with the following sample command (one line):

    smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -keyfile "c:\program files\netegrity\siteminder\certs\post-pkey.der" -certfile "c:\program files\netegrity\siteminder\certs\post-cert.crt" -password password

    -keyfile is the location of the private key in DER format at the Identity Provider; for this deployment that is post-pkey.der.
    -certfile is the location of the public key certificate, post-cert.crt, and -password is the password protecting the private key,
    which in this sample is literally "password". Loading the key with -addPrivKey, rather than adding the certificate alone, is what
    stores the alias as a KeyEntry that smfedexport -sign can use.
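As an added preflight check (not part of this CA article or of the smkeytool utility), the following Python identifies what a key or certificate file actually contains before it is loaded with -addPrivKey. It decodes PEM if present, walks the outer ASN.1 DER structure with a minimal parser, and distinguishes a PKCS#8 PrivateKeyInfo (the form -keyfile needs after step 2) from a PKCS#1 RSA key, an encrypted PKCS#8 blob and an X.509 certificate, a certificate handed in where the key belongs being a likely way an alias ends up as a CertificateEntry rather than a KeyEntry. The sample DER blobs are constructed here with the right ASN.1 shape and contain no real key material; the function names and finding strings are this example's own.

```python
import base64
import re

# ASN.1 DER universal tags used below
INTEGER, BIT_STRING, OCTET_STRING, SEQUENCE = 0x02, 0x03, 0x04, 0x30

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_read(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos (single-byte tags only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def der_children(value):
    """Split the contents of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_pem(data):
    """If data is PEM, return (label, der_bytes); otherwise (None, data) and treat it as DER."""
    m = PEM_RE.search(data)
    if not m:
        return None, data
    return m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()))


def classify_der(der):
    """Name the structure by the tags of its top-level SEQUENCE members."""
    tag, body, end = der_read(der)
    if tag != SEQUENCE or end != len(der):
        return "not-a-der-sequence"
    kids = der_children(body)
    tags = [t for t, _ in kids]
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier SEQUENCE, privateKey OCTET STRING, ... }
    if len(kids) >= 3 and tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING] and kids[0][1] in (b"\x00", b"\x01"):
        return "pkcs8-private-key"
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm SEQUENCE, encryptedData OCTET STRING }
    if len(kids) == 2 and tags == [SEQUENCE, OCTET_STRING]:
        return "encrypted-pkcs8-private-key"
    # RSAPrivateKey (PKCS#1) ::= SEQUENCE { version 0, n, e, d, p, q, dp, dq, qinv  -- all INTEGER }
    if len(kids) >= 9 and all(t == INTEGER for t in tags) and kids[0][1] == b"\x00":
        return "pkcs1-rsa-private-key"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }
    if len(kids) == 3 and tags == [SEQUENCE, SEQUENCE, BIT_STRING]:
        return "certificate"
    return "unknown"


def classify(data):
    """Return (kind, encoding) for the bytes of a key or certificate file."""
    label, der = decode_pem(data)
    try:
        kind = classify_der(der)
    except (ValueError, IndexError):
        kind = "not-a-der-sequence"
    return kind, "PEM" if label else "DER"


def check_smkeytool_inputs(keyfile, certfile):
    """Preflight for 'smkeytool -addPrivKey -keyfile ... -certfile ...': the key must be a
    DER-encoded PKCS#8 private key and the certificate PEM (Base64 text). Empty list = OK."""
    problems = []
    key_kind, key_enc = classify(keyfile)
    if key_kind == "certificate":
        problems.append("keyfile holds a certificate, not a private key")
    elif key_kind not in ("pkcs8-private-key", "encrypted-pkcs8-private-key"):
        problems.append(f"keyfile is {key_kind}; run 'openssl pkcs8 -topk8 ... -outform DER' first")
    if key_enc != "DER":
        problems.append("keyfile is PEM; -keyfile expects DER (binary)")
    cert_kind, cert_enc = classify(certfile)
    if cert_kind != "certificate":
        problems.append(f"certfile is {cert_kind}, not a certificate")
    if cert_enc != "PEM":
        problems.append("certfile must be PEM (Base64 text)")
    return problems


def der(tag, payload):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def to_pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n").encode()


# Constructed stand-ins with the correct outer ASN.1 shape; they carry no real key material.
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption 1.2.840.113549.1.1.1
NULL = der(0x05, b"")
SAMPLE_PKCS8_DER = der(SEQUENCE, der(INTEGER, b"\x00") + der(SEQUENCE, RSA_OID + NULL)
                       + der(OCTET_STRING, der(SEQUENCE, b"")))
SAMPLE_CERT_DER = der(SEQUENCE, der(SEQUENCE, der(INTEGER, b"\x01")) + der(SEQUENCE, RSA_OID + NULL)
                      + der(BIT_STRING, b"\x00\xff"))
SAMPLE_PKCS8_PEM = to_pem("PRIVATE KEY", SAMPLE_PKCS8_DER)
SAMPLE_CERT_PEM = to_pem("CERTIFICATE", SAMPLE_CERT_DER)

if __name__ == "__main__":
    print(classify(SAMPLE_PKCS8_DER))                              # ('pkcs8-private-key', 'DER')
    print(check_smkeytool_inputs(SAMPLE_PKCS8_DER, SAMPLE_CERT_PEM))  # []
    # The mix-up this article's symptom points at: a certificate supplied where the key belongs.
    print(check_smkeytool_inputs(SAMPLE_CERT_PEM, SAMPLE_CERT_PEM))
```

To run it against real files, pass `open(path, "rb").read()` for the key and the certificate to `check_smkeytool_inputs`; an empty result means the inputs are in the form steps 2 and 3 call for, and any finding should be fixed before the alias is re-added in step 4.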