No Private Key Exists for This Identity [ManagerSigner]

Document ID : KB000030360
Last Modified Date : 14/02/2018
Show Technical Document Details


The following errors are listed in the Engine logs:

130415-05:54:22.4856598L|009728|00002444|SystemEngi|cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found
130415-05:54:22.4856997L|009728|00002444|SystemEngi|OpenIdentityByNa|OpenIdentityByName_I|000000|ERROR | No private key exists for this identity [ManagerSigner]. Possible accidental import of DER file rather than PKCS#12?
130415-05:54:22.4857238L|009728|00002444|SystemEngi|intellisig_cert | |000000|ERROR | IntellisigCert::init: Failed to OpenIdentityByName
130415-05:54:22.4857646L|009728|00002444|SystemEngi|amLog | |000000|ERROR | ValidateIntellisigFiles Failed to init cmExportis interface



  • CA-Client Automation 12.8, 12.9



  • The most likely cause of the error could be due to an upgrade from version 12.5 to 12.8, where the Intellisigs certificate could not be created/copied.


  • During the creation and implementation of custom certificates, the Intellisigs for some reason might have been missed.



To resolve the issue, import the Intellisigs (ManagerSigner) certificate.


Default Intellisigs certificate

To import the default intellisigs certificate do the following:

1. Using the command prompt browse to the "C:\Program Files\CA\DSM\bin" folder.

2. Run the following command:


cacertutil import -i:itrm_dsm_mngrsgn.p12 -ip:enc:xnbbDy2RInzgFQFp1SW5XTBk6tDlegTsouvmottLOLE8lVaQ448J0A -t:ManagerSigner


Custom Intellisigs certificate

If you are using custom certificates in your environment, create a custom managersigner certificate and import it.

1. Create the custom Intellisigs certificate

cacertutil create -o:itrm_dsm_mngrsgn.p12 -od:itrm_dsm_mngrsgn.der -op:password -oe "-s:cn=manager signer,
o=<Organization name> ,c=<Country>" -d:<number of days> -i:itrm_dsm_r11_root.p12 -ip:rootpassword 
  • -o              Specifies the output file name for the PKCS#12 packaged certificate.
  • -od            Specifies the output file name for the DER encoded certificate.
  • -op            Specifies the pass-phrase to protect the PKCS#12 output certificate.
  • -s              Specifies the DN to whom the certificate should be issued.
  • -i               Specifies the file name of the root PKCS#12 certificate.
  • -ip             Specifies the pass-phrase protecting the root PKCS#12 certificate.
  • -d              Specifies the lifetime of the certificate in days (the example shows 2 years (= 730 days)).

Example: cacertutil create -o:itrm_dsm_mngrsgn.p12 -od:itrm_dsm_mngrsgn.der -op:password -oe "-s:cn=manager signer,o=CA Technologies,c=US" -d:730 -i:itrm_dsm_r11_root.p12 -ip:rootpassword

where itrm_dsm_r11_root.p12 = DSM root certificate

2. Import the custom Intellisigs certificate

cacertutil import -i:itrm_dsm_mngrsgn.cer -ip:<passphrase> -t:ManagerSigner


***Note: The Intellisigs certificate needs to be installed on all ITCM components for you to be able to use Intellisigs for Software Inventory detection.