How to generate personality certificates for CA Directory Management UI DSA
Article ID: 143127
Updated On:
Products
Issue/Introduction
Login into CA Directory Management UI fails and the following errors can be found in the Management UI DSA warn log:
[3] 20200114.215504.030 WARN : Certificate 'config/ssld/personalities/xxxxxxxxxxx-management-ui.pem' is outside of validity date range
[3] 20200114.215504.030 WARN : Unable to get certificate from 'config/ssld/personalities/xxxxxxxxxxx-management-ui.pem'
[3] 20200114.215504.030 WARN : set_cert_stuff failed
[3] 20200114.215504.030 WARN : Cannot get personality
[3] 20200114.215504.030 WARN : Cannot create an SSL context
Environment
Release: 14.1
Component: CA Directory
Cause
The personality certificate of the Management UI DSA expired.
The expiry date can be seen in the certificates report, use this command:
dxcertgen report
Resolution
- To generate a new certificate for your Management UI DSA please issue the following command. On Linux use the 'dsa' user.
dxcertgen -i "CN=GenCA,O=MgmtUI,C=AU" -D "xxxxxxxxxxx-management-ui" certs
- Restart the xxxxxxxxxxx-management-ui DSA after that.
- Restart Management UI node.js server
- Restart SCIM server
It is also possible that monitoring DSA certificate needs to be re-generated because personality certificates for both management DSAs were likely generated at the same time. The command is similar:
dxcertgen -i "CN=GenCA,O=MonitorMgmtUI,C=AU" -D "xxxxxxxxxxx-monitoring-management-ui" certs
Please notice that we should specify different issuer in both dxcertgen commands above. If we failed to do that, Management UI won't be able to connect the Management UI DSA and apps.log shows "certificate signature failure" error. This is because the second dxcertgen execution has overwritten the CA root certificate, which was created at the 1st dxcertgen execution, in trusted.pem. This will make the Management UI DSA certificate orphan (invalid) as it doesn't have the original CA root certificate anymore.
Feedback
