Could not get certificate from trusted key database
Article ID: 102715
Products: CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Our Federation Partnerships are failing with a 500 error, with the following error in the smtracedefault.log:
"Could not get certificate from trusted key database"
However, the certificate is present and valid.
Special characters in a certificate's Issuer DN can cause problems: escape characters get introduced into the copy of the DN stored in the FED Certs section, so it no longer matches the copy stored in the CDS Certs section. For example:
The Certificate OU is listed as follows: CN=Certificate,OU="(c) 2012 Company, Inc. - for authorized use only", OU=See www.company.com/legal-terms, O="Company, Inc."
With the special characters preceded by backslashes, the FED Certs copy reads as follows: CN=Certificate,OU=\"\(c\) 2012 Company, Inc. - for authorized use only\", OU=See www.company.com\/legal-terms, O=\"Company, Inc.\"
Because of this mismatch, the lookup cannot match the (valid) certificate and the partnership throws a 500 error.
Applies to all environments 12.52 SP1 CR5 or lower, and 12.7 SP1 and lower.
This was fixed in 12.52 SP1 CR6 and 12.7 SP2 by introducing code that falls back to the CDS Certs version of the certificate when no match is found in the FED Certs section.
A workaround is to use XPSExplorer to edit the FED Certs to match the CDS Certs:
1. Disable the partnership which is using this certificate.
2. Check the "Disable Signature Processing" checkbox.
3. Save the partnership.
4. Launch XPSExplorer, navigate to the CDS Certs section (should be option 3), select the appropriate certificate, and copy the Issuer DN exactly (you do not need the leading and trailing quotation marks ["]).
5. Navigate to the Fed Certs section (should be option 27), select the appropriate certificate, modify its IssuerDN, and paste in the copied Issuer DN.
6. Save, and quit out.
7. Modify the partnership, and uncheck the "Disable Signature Processing" box.
8. Re-enable the partnership.