Policy Server is unable to find the encryption certificate.

Document ID : KB000012593
Last Modified Date : 14/02/2018
Introduction:

You log on to the AdminUI and generate a certificate pair for signing or for encryption.

However, the Policy Server cannot find the certificate.

The smtracedefault.log shows the following error:

[TxmAuthnRequestExtension.java][encryptAssertion][][][][][][][][Error Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt - Marshalling Assertion failed. No certificate found in DB for issuerName: CN=encryptionkey,OU=OU,O=O,L=L,ST=ST,C=AU serialNumber: d02716dbec881324459a0461742a3b6b - ]

Question:

Why is the Policy Server unable to find the certificate when the certificate is visible in the AdminUI and in the output of the "smkeytool -listcerts" command?

Environment:
R12.6 Policy Server
R12.52SP1CR5 Policy Server
Answer:

There are two places in the policy store that reference certificates.

 

CA.CDS::Certificate

===============

This is where the actual certificate is stored; the record holds the raw certificate data.

If the IssuerDN contains special characters, each one is escaped with a backslash ('\').

For example:

Sample IssuerDN is CN=test, 123,O=xyz

It will be escaped as CN=test\, 123,O=xyz

The serial number is stored as issued, unchanged.

 

CA.FED::Certificate

==============

This is where the federation service looks up the certificate; the record links to the actual certificate in CA.CDS::Certificate through its CertificateGUID attribute.

If the IssuerDN contains special characters, the value containing them is wrapped in double quotes rather than escaped.

For example:

Sample IssuerDN is CN=test, 123,O=xyz

It will be wrapped as CN="test, 123",O=xyz

The serial number is converted to lower case.

 

The Policy Server must find a matching entry (IssuerDN and SerialNumber both matching) in CA.FED::Certificate before it can load the actual certificate from CA.CDS::Certificate. If the CA.FED::Certificate record does not match, the lookup fails with the error shown above even though the certificate is present in CA.CDS::Certificate and listed by the AdminUI and smkeytool.

 

Intermittently, when the randomly generated serial number exceeds the expected number range (overflow), the value stored on the CA.FED::Certificate side differs from the one in CA.CDS::Certificate. In the example below, CA.CDS::Certificate holds 008625C358EB68627C1A535769C61C6DDD while CA.FED::Certificate holds 8625c358eb68627c1a535769c61c6ddd.

 

 

CA.CDS::Certificate

***************************************************************************** 

Alias Name: badcert1 

Type: CertificateEntry 

Subject: CN=badcert,OU=CA Support,O=CA Technologies,L=Sydney,ST=NSW,C=AU 

Issuer: E=kimsu05@ca.com,CN=KIMCA,OU=CA Support,O=CA Technologies,ST=NSW,C=AU 

Serial Number: 008625C358EB68627C1A535769C61C6DDD 

Valid from: Thu Dec 15 11:50:21 IST 2016 until: Fri Dec 15 11:50:21 IST 2017

Revocation Status: Revocation is not configured. 

 

CA.FED::Certificate

Alias = "badcert1" 

CertificateGUID = CA.CDS::Certificate@0006399b-3b2f-1852-8de9-01017f000000 

FIPSApproved = true 

IssuerDN = "EMAILADDRESS=kimsu05@ca.com, CN=KIMCA, OU=CA Support, O=CA Technologies, ST=NSW, C=AU" 

SerialNumber = "8625c358eb68627c1a535769c61c6ddd"

Type = <Certificate> 

------------------------------------------------------------------- 

***************************************************************************** 
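The following script is an added diagnostic example, not CA/Broadcom code. It compares a CA.CDS::Certificate record with its CA.FED::Certificate link the way the article describes the lookup: the IssuerDN is parsed from both encodings (backslash escaping on the CDS side, double-quote wrapping on the FED side) and the serial numbers are compared after FED-style lower-casing. Two points are assumptions rather than statements from the article: that the E= attribute type printed by smkeytool and the EMAILADDRESS= type in the FED record are equivalent (they are in the article's own sample), and that it is worth reporting separately whether a serial mismatch is only a leading 00 byte (a representation difference) or a genuinely different value. The sample records are the ones shown above; the matching record is constructed.

```python
"""Cross-check IssuerDN and SerialNumber between CA.CDS::Certificate and
CA.FED::Certificate records (added example, not CA/Broadcom code).

Assumes the record formats stated in the article: CDS escapes special
characters in the DN with a backslash and keeps the serial as issued; FED
wraps a value containing special characters in double quotes and
lower-cases the serial.
"""

import re

# Assumption: "E=" (smkeytool output) and "EMAILADDRESS=" (FED record)
# denote the same attribute type, as in the article's sample records.
_ATTR_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}


def parse_dn(dn):
    """Split a DN into a list of (TYPE, value) tuples.

    Understands both encodings from the article:
      backslash escaping    CN=test\\, 123,O=xyz
      double-quote wrapping CN="test, 123",O=xyz
    Spaces around the separating commas and an outer pair of quotes
    around the whole DN (FED record syntax) are ignored.
    """
    dn = dn.strip()
    if dn.startswith('"') and dn.endswith('"') and dn.count('"') == 2:
        dn = dn[1:-1]
    rdns = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.index("=", i)                   # attribute type up to '='
        attr = dn[i:eq].strip().upper()
        attr = _ATTR_ALIASES.get(attr, attr)
        i = eq + 1
        value, quoted = [], False
        while i < n:
            ch = dn[i]
            if ch == "\\" and i + 1 < n:        # escaped char: take literally
                value.append(dn[i + 1])
                i += 2
                continue
            if ch == '"':                       # enter/leave a quoted value
                quoted = not quoted
                i += 1
                continue
            if ch == "," and not quoted:        # end of this RDN
                i += 1
                break
            value.append(ch)
            i += 1
        rdns.append((attr, "".join(value).strip()))
    return rdns


def normalize_serial(serial):
    """Lower-case hex with separators removed, as FED stores it."""
    return re.sub(r"[\s:]", "", serial).lower()


def serials_match(cds_serial, fed_serial):
    """Return (exact, numeric).

    exact:   the strings are identical after FED-style normalization.
    numeric: the integer values are identical, i.e. the only difference is
             a leading 00 byte (DER adds one when the high bit is set).
             Assumption: this distinction helps tell a representation
             difference from a real value difference.
    """
    a, b = normalize_serial(cds_serial), normalize_serial(fed_serial)
    return a == b, int(a, 16) == int(b, 16)


def check_certificate(cds, fed):
    """Compare one CDS record with its FED link and return the findings.

    'lookup_ok' requires the DN to match and the serial strings to be
    identical; the article does not say whether the Policy Server compares
    the serial as text or as a number, so the strict reading is used.
    """
    dn_ok = parse_dn(cds["Issuer"]) == parse_dn(fed["IssuerDN"])
    exact, numeric = serials_match(cds["Serial Number"], fed["SerialNumber"])
    return {
        "issuer_dn_match": dn_ok,
        "serial_exact_match": exact,
        "serial_numeric_match": numeric,
        "lookup_ok": dn_ok and exact,
    }


# Records from the article's "badcert1" sample.
SAMPLE_CDS = {
    "Issuer": "E=kimsu05@ca.com,CN=KIMCA,OU=CA Support,O=CA Technologies,ST=NSW,C=AU",
    "Serial Number": "008625C358EB68627C1A535769C61C6DDD",
}
SAMPLE_FED = {
    "IssuerDN": '"EMAILADDRESS=kimsu05@ca.com, CN=KIMCA, OU=CA Support, O=CA Technologies, ST=NSW, C=AU"',
    "SerialNumber": "8625c358eb68627c1a535769c61c6ddd",
}
# Constructed FED record with the serial as workaround 1 would set it.
CONSTRUCTED_FED_FIXED = dict(SAMPLE_FED, SerialNumber="008625c358eb68627c1a535769c61c6ddd")

if __name__ == "__main__":
    print("as stored :", check_certificate(SAMPLE_CDS, SAMPLE_FED))
    print("after fix :", check_certificate(SAMPLE_CDS, CONSTRUCTED_FED_FIXED))
```

For the article's sample, the script reports the IssuerDN as matching and the serial as numerically equal but not textually equal, which is exactly the condition workaround 1 below addresses; any record where serial_numeric_match is also false indicates a different serial value, not merely a dropped leading byte.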

 

As a workaround:

1. Update the SerialNumber value on the CA.FED::Certificate side so that it matches the one in CA.CDS::Certificate.

2. Issue the certificate from an external CA (or with an external OpenSSL) and import the certificate.

3. Generate the key pair and certificate externally and import the PKCS#12 file.