No Private Key Exists for This Identity [ManagerSigner]

Document ID : KB000030360
Last Modified Date : 14/02/2018

Issue:

The following errors are listed in the Engine logs:

130415-05:54:22.4856598L|009728|00002444|SystemEngi|cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found
130415-05:54:22.4856997L|009728|00002444|SystemEngi|OpenIdentityByNa|OpenIdentityByName_I|000000|ERROR | No private key exists for this identity [ManagerSigner]. Possible accidental import of DER file rather than PKCS#12?
130415-05:54:22.4857238L|009728|00002444|SystemEngi|intellisig_cert | |000000|ERROR | IntellisigCert::init: Failed to OpenIdentityByName
130415-05:54:22.4857646L|009728|00002444|SystemEngi|amLog | |000000|ERROR | ValidateIntellisigFiles Failed to init cmExportis interface

 

Environment:

  • CA-Client Automation 12.8, 12.9

 

Cause:

  • The most likely cause is an upgrade from version 12.5 to 12.8 during which the Intellisigs certificate could not be created or copied.

        (OR)

  • During the creation and implementation of custom certificates, the Intellisigs certificate might have been missed.

 

Resolution:

To resolve the issue, import the Intellisigs (ManagerSigner) certificate.

 

Default Intellisigs certificate

To import the default Intellisigs certificate, do the following:

1. At a command prompt, change to the "C:\Program Files\CA\DSM\bin" folder.

2. Run the following command:

 

cacertutil import -i:itrm_dsm_mngrsgn.p12 -ip:enc:xnbbDy2RInzgFQFp1SW5XTBk6tDlegTsouvmottLOLE8lVaQ448J0A -t:ManagerSigner

 

Custom Intellisigs certificate

If you are using custom certificates in your environment, create a custom ManagerSigner certificate and import it.

1. Create the custom Intellisigs certificate

cacertutil create -o:itrm_dsm_mngrsgn.p12 -od:itrm_dsm_mngrsgn.der -op:password -oe "-s:cn=manager signer,o=<Organization name>,c=<Country>" -d:<number of days> -i:itrm_dsm_r11_root.p12 -ip:rootpassword
  • -o              Specifies the output file name for the PKCS#12 packaged certificate.
  • -od            Specifies the output file name for the DER encoded certificate.
  • -op            Specifies the pass-phrase to protect the PKCS#12 output certificate.
  • -s              Specifies the DN to whom the certificate should be issued.
  • -i               Specifies the file name of the root PKCS#12 certificate.
  • -ip             Specifies the pass-phrase protecting the root PKCS#12 certificate.
  • -d              Specifies the lifetime of the certificate in days (the example shows 2 years (= 730 days)).

Example: cacertutil create -o:itrm_dsm_mngrsgn.p12 -od:itrm_dsm_mngrsgn.der -op:password -oe "-s:cn=manager signer,o=CA Technologies,c=US" -d:730 -i:itrm_dsm_r11_root.p12 -ip:rootpassword

where itrm_dsm_r11_root.p12 is the DSM root certificate.

2. Import the custom Intellisigs certificate

cacertutil import -i:itrm_dsm_mngrsgn.p12 -ip:<passphrase> -t:ManagerSigner

 

Note: The Intellisigs certificate must be installed on all ITCM components before you can use Intellisigs for Software Inventory detection.
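
The log message asks whether a DER file was imported instead of a PKCS#12 file. The following added example (not part of the original article or of the product's tooling) checks which of the two a file is before it is passed to cacertutil import. The function names and sample bytes are constructed for illustration, and the check is a heuristic on the outer ASN.1 structure only.

```python
import sys

def read_tlv_header(data: bytes, offset: int = 0):
    """Return (tag, length, header_size) for the ASN.1 TLV at offset.
    length is None for BER indefinite-length encoding (0x80)."""
    if len(data) < offset + 2:
        raise ValueError("truncated header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F
    if n == 0:                            # indefinite length (BER)
        return tag, None, 2
    if n > 4 or len(data) < offset + 2 + n:
        raise ValueError("unsupported or truncated length")
    return tag, int.from_bytes(data[offset + 2:offset + 2 + n], "big"), 2 + n

def classify_cert_file(data: bytes) -> str:
    """Heuristic result: 'pkcs12', 'der-certificate', 'pem' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, _, hdr = read_tlv_header(data)
        if tag != 0x30:                   # both formats start with a SEQUENCE
            return "unknown"
        inner_tag, inner_len, inner_hdr = read_tlv_header(data, hdr)
    except ValueError:
        return "unknown"
    value_at = hdr + inner_hdr
    # PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
    if inner_tag == 0x02 and inner_len == 1 and data[value_at:value_at + 1] == b"\x03":
        return "pkcs12"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }: public part only
    if inner_tag == 0x30:
        return "der-certificate"
    return "unknown"

# Constructed sample headers (leading bytes only), not taken from real files.
SAMPLE_P12 = bytes.fromhex("308209a1020103308209670609")
SAMPLE_DER = bytes.fromhex("3082034d30820235a003020102")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:             # e.g. itrm_dsm_mngrsgn.p12
        with open(path, "rb") as fh:
            print(f"{path}: {classify_cert_file(fh.read(64))}")
```

A result other than pkcs12 for the file given to -i: means the file does not carry the private key in the form the ManagerSigner identity needs.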