How to generate personality certificates for CA Directory Management UI DSA

Article ID: 143127

Products

CA Directory DIRECTORY

Issue/Introduction

Login to the CA Directory Management UI fails, and the following errors appear in the Management UI DSA warn log:

[3] 20200114.215504.030 WARN : Certificate 'config/ssld/personalities/xxxxxxxxxxx-management-ui.pem' is outside of validity date range

[3] 20200114.215504.030 WARN : Unable to get certificate from 'config/ssld/personalities/xxxxxxxxxxx-management-ui.pem'

[3] 20200114.215504.030 WARN : set_cert_stuff failed

[3] 20200114.215504.030 WARN : Cannot get personality

[3] 20200114.215504.030 WARN : Cannot create an SSL context

Cause

The personality certificate of the Management UI DSA has expired.

The expiry date can be seen in the certificate report produced by this command:

dxcertgen report

Environment

Release: 14.1

Component: CA Directory

Resolution

  • To generate a new certificate for your Management UI DSA, issue the following command (on Linux, run it as the 'dsa' user):

         dxcertgen -i "CN=GenCA,O=MgmtUI,C=AU" -D "xxxxxxxxxxx-management-ui" certs

  • Restart the xxxxxxxxxxx-management-ui DSA afterwards.
  • Restart the Management UI node.js server.
  • Restart the SCIM server.

The monitoring DSA's personality certificate may also need to be regenerated, because the personality certificates for both management DSAs were most likely generated at the same time. The command is similar:

dxcertgen -i "CN=GenCA,O=MonitorMgmtUI,C=AU" -D "xxxxxxxxxxx-monitoring-management-ui" certs

Note that a different issuer must be specified in each of the two dxcertgen commands above. If the same issuer is used, the Management UI will not be able to connect to the Management UI DSA, and apps.log shows a "certificate signature failure" error. This happens because the second dxcertgen execution overwrites, in trusted.pem, the CA root certificate that the first dxcertgen execution created. The Management UI DSA certificate is then orphaned (invalid), since the CA root certificate it was issued under is no longer present.
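The two failure modes described on this page, a personality certificate outside its validity date range (the warn-log entries above) and a personality certificate orphaned by an overwritten CA root in trusted.pem, can both be checked with openssl before restarting anything. The script below is an added example and is not part of the CA Directory product or this article; the directory layout (a personalities directory and a trusted.pem next to it) and the file names are assumptions, so point it at the paths in use in your install.

```shell
#!/bin/sh
# Added example (not CA Directory's own tooling): validity-window and
# chain checks for DSA personality certificates. Paths are assumptions.

# Returns 0 if the first certificate in $1 is still valid for at least $2
# seconds from now (default 0, i.e. "valid right now"), 1 if it has
# expired or will expire within that window. This is the same condition
# the DSA reports as "outside of validity date range".
personality_cert_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Returns 0 if the personality certificate in $1 verifies against the CA
# root(s) in $2 (the trusted.pem file), 1 otherwise. When a later
# dxcertgen run with the same issuer has replaced the original root in
# trusted.pem, this check fails for the older personality: that is the
# orphaned-certificate case described above.
personality_cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Report over every .pem in a personalities directory ($1) against a
# trusted.pem ($2). Certificates expiring within $3 seconds (default 30
# days) are flagged before they actually break the DSA.
check_personalities() {
    dir="$1"; trusted="$2"; warn_secs="${3:-2592000}"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        if ! personality_cert_valid "$pem"; then
            echo "EXPIRED   $pem"
        elif ! personality_cert_chains_to "$pem" "$trusted"; then
            echo "ORPHANED  $pem (does not chain to $trusted)"
        elif ! personality_cert_valid "$pem" "$warn_secs"; then
            echo "EXPIRING  $pem (within ${warn_secs}s)"
        else
            echo "OK        $pem"
        fi
    done
}

# Example invocation, assuming DXHOME is set as in a normal dsa-user shell:
# check_personalities "$DXHOME/config/ssld/personalities" "$DXHOME/config/ssld/trusted.pem"
```

Run it as the same user that owns the DSA configuration so the private keys embedded in the personality files stay readable only to that account; an ORPHANED line for one of the two management DSAs is the signature of the same-issuer mistake, and the fix is to regenerate that personality with its own issuer as shown above.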