Could not get certificate from trusted key database

Article ID: 102715

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Federation partnerships fail with an HTTP 500 error, and smtracedefault.log contains the following error:

"Could not get certificate from trusted key database"

However, the certificate is present in the key database and is valid.

Cause

Special characters in a certificate's Issuer DN can cause a mismatch: the copy of the DN held in the FED Certs section can have backslash escape characters inserted before those characters, so it no longer matches the copy held in the CDS Certs section. For example:

The Issuer DN as stored in the CDS Certs is:
CN=Certificate,OU="(c) 2012 Company, Inc. - for authorized use only", OU=See www.company.com/legal-terms, O="Company, Inc."

With the special characters preceded by backslashes, the FED Certs copy reads:
CN=Certificate,OU=\"\(c\) 2012 Company, Inc. - for authorized use only\", OU=See www.company.com\/legal-terms, O=\"Company, Inc.\"

Because the two strings differ, the lookup cannot match the certificate even though it is valid, and the partnership returns a 500 error.
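The mismatch is easy to reproduce outside the product. The following Python script is an added example, not SiteMinder code and not taken from this article; it uses the two DN strings above and shows that a literal string comparison fails while a comparison that first strips the escaping and then compares the parsed RDN values succeeds. The function names (split_rdns, parse_dn, dn_matches, canonical_dn) are illustrative, and the script assumes what the article states: the FED copy is the CDS copy with backslashes inserted before special characters, so a backslash is dropped and the character after it is kept, an escaped quote (\") is treated as a quote delimiter, and an escaped comma (\,) as a literal comma rather than an RDN separator.

```python
"""Compare two X.509 issuer DNs that differ only in backslash escaping.

Added example for this knowledge base article; it is not SiteMinder code
and does not read the policy store. Assumptions: the FED copy of the DN is
the CDS copy with backslashes inserted before special characters, so a
backslash is dropped and the following character kept; an escaped quote
(\") is treated as a quote delimiter; an escaped comma (\,) is a literal
comma, not an RDN separator.
"""

# Issuer DN as stored in the CDS Certs section (string from the article)
CDS_DN = ('CN=Certificate,OU="(c) 2012 Company, Inc. - for authorized use only",'
          ' OU=See www.company.com/legal-terms, O="Company, Inc."')

# The same DN as it appeared in the FED Certs section, with escapes added
FED_DN = (r'CN=Certificate,OU=\"\(c\) 2012 Company, Inc. - for authorized use only\",'
          r' OU=See www.company.com\/legal-terms, O=\"Company, Inc.\"')


def split_rdns(dn):
    """Split a DN on commas that are neither quoted nor escaped.

    Returns the raw RDN strings with quote delimiters and backslashes removed.
    """
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt == '"':
                in_quotes = not in_quotes   # over-escaped quote delimiter
            else:
                buf.append(nxt)             # \( \) \/ \, ... -> literal char
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes       # plain quote delimiter
        elif c == ',' and not in_quotes:
            parts.append(''.join(buf))      # RDN boundary
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append(''.join(buf))
    return parts


def parse_dn(dn):
    """Return the DN as an ordered list of (ATTRIBUTE, value) tuples."""
    rdns = []
    for part in split_rdns(dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('RDN without "=": %r' % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(dn_a, dn_b):
    """True if both DNs carry the same attributes and values in the same order."""
    return parse_dn(dn_a) == parse_dn(dn_b)


def canonical_dn(dn):
    """Re-serialize a DN without escapes, quoting only values that contain a comma."""
    out = []
    for attr, value in parse_dn(dn):
        if ',' in value:
            value = '"%s"' % value
        out.append('%s=%s' % (attr, value))
    return ','.join(out)


if __name__ == '__main__':
    print('literal string match :', CDS_DN == FED_DN)            # False
    print('parsed RDN match     :', dn_matches(CDS_DN, FED_DN))  # True
    print('canonical form       :', canonical_dn(FED_DN))
```

The literal comparison is what fails in the affected versions; comparing the parsed RDN values is the shape of check a lookup over these two stores needs, and canonical_dn shows the escape-free string you would expect to see in XPSExplorer.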

Environment

Applies to all environments on 12.52 SP1 CR5 and lower, and on 12.7 SP1 and lower.

Resolution

This was fixed in 12.52 SP1 CR6 and in 12.7 SP2: the code now falls back to the CDS Certs copy of the certificate when it cannot find a match in the FED Certs section.

On earlier releases, a workaround is to use XPSExplorer to edit the FED Certs entry so that its Issuer DN matches the CDS Certs entry:

1. Disable the partnership that uses this certificate.
2. Modify the partnership and check the "Disable Signature Processing" checkbox.
3. Save the partnership.
4. Launch XPSExplorer, navigate to the CDS Certs section (normally option 3), select the appropriate certificate, and copy its Issuer DN exactly (the leading and trailing quotation marks ["] are not needed).
5. Navigate to the Fed Certs section (normally option 27), select the corresponding certificate, modify its IssuerDN, and paste in the copied Issuer DN.
6. Save, and quit XPSExplorer.
7. Modify the partnership again, and uncheck the "Disable Signature Processing" checkbox.
8. Re-enable the partnership.