In some ITCM logs the following error messages appear:
cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found
VerifyCertificat|VerifyCertificate |000000|ERROR | Can't locate the issuer certificate CN=DSM Root,O=Computer Associates,C=US, can not verify the certificate
AcceptPeerIdenti|AcceptPeerIdentity |000000|ERROR | Failed to verify the certificate
In the Windows Event Viewer Application log, the following Error event is present:
Source : DSM
level : Error
Task Category : CAF
Certificate security violation:
The certificate was issued by an untrusted or unrecognized root certificate.
The attached data contains the peer certificate.
What do these errors mean?
These errors can be ignored; they do not indicate a problem.
Starting with ITCM 14.0 SP1, new certificates have been created to support SHA-2 and a larger RSA key (2048 bits).
See ITCM 14.0 SP1 documentation here :
These errors appear because ITCM 14.0 SP1 (or a higher version) sends the new certificate version, which does not exist on ITCM 14.0 (or a lower version).
In this case, however, there is an automatic switch to the old certificate version.
Remark:
Once the machine is upgraded to 14.0 SP1 or higher, these error messages disappear from the log.
Example:
When communication starts between ITCM 14.0 (or a lower version) and ITCM 14.0 SP1 (or a higher version), the machine with ITCM 14.0 SP1 sends the new certificate (SHA-2, 2048 bits):
OpenIdentityByNa|OpenIdentityByName_I|000000|DETAIL | Open Identity by name dsmcommon, Use Legacy Certificate FALSE
GetCertificateBy|GetCertificateByTag |000000|DETAIL | Tag <dsmcommon> LegacyCert <FALSE>
CCFCertIdentity:|CCFCertIdentity::Get|000000|DETAIL | Retrieving Certificate matching the hash alorithm = SHA2_256 public key size = 2048
The machine running ITCM 14.0 (or a lower version) cannot find this certificate, and the following errors are written to its logs:
VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by SKID <A838A9B61327863DE96B9907924634A046A363CC>
cbbcstor |cbbcstor |000000|INFO | CCertStore::RetrieveCertificate: flags: 0 tag: subject_dn: serialNo: skid: a838a9b61327863de96b9907924634a046a363cc
cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found
VerifyCertificat|VerifyCertificate |000000|ERROR | Can't locate the issuer certificate CN=DSM Root,O=Computer Associates,C=US, can not verify the certificate
AcceptPeerIdenti|AcceptPeerIdentity |000000|ERROR | Failed to verify the certificate
The machine running ITCM 14.0 SP1 (or a higher version) then switches automatically to the old certificate version (SHA-1, 1024 bits):
OpenIdentityByNa|OpenIdentityByName_I|000000|DETAIL | Open Identity by name dsmcommon, Use Legacy Certificate TRUE
GetCertificateBy|GetCertificateByTag |000000|DETAIL | Tag <dsmcommon> LegacyCert <TRUE>
CCFCertIdentity:|CCFCertIdentity::Get|000000|DETAIL | Retrieving Certificate matching the hash alorithm = SHA1 public key size = 1024
The machine running ITCM 14.0 (or a lower version) can find this certificate, and authentication is successful:
VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by DN <CN=DSM Root,O=Computer Associates,C=US> and Serial <8653103DF0674344A8EC1A7840A941F2>
cbbcstor |cbbcstor |000000|INFO | CCertStore::RetrieveCertificate: flags: 0 tag: subject_dn: CN=DSM Root,O=Computer Associates,C=US serialNo: 8653103DF0674344A8EC1A7840A941F2 skid:
cbbcstor |cbbcstor |000000|INFO | getCertFromCBB: C:\Program Files (x86)\CA\SC\CBB\certdb\D7964466C524C234D78ED417E64495384F5137C3.der
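One way to confirm on the older machine that a "Failed to verify the certificate" error is the fallback described above, and not a real trust failure, is to check that a lookup by DN and serial ending in getCertFromCBB follows it. This is an added example, not CA/ITCM code; it assumes the trimmed line format quoted above and that the retry is logged within a few entries, and triage, window and the verdict strings are hypothetical names.

```python
import re

FAIL = "Failed to verify the certificate"
SKID_RE = re.compile(r"signing certificate by SKID <([0-9A-Fa-f]+)>")
DN_RE = re.compile(r"signing certificate by DN <([^>]+)> and Serial <([0-9A-Fa-f]+)>")

# Constructed sample: a subset of the older machine's lines quoted above, in assumed order.
ARTICLE_LOG = r"""VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by SKID <A838A9B61327863DE96B9907924634A046A363CC>
cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found
VerifyCertificat|VerifyCertificate |000000|ERROR | Can't locate the issuer certificate CN=DSM Root,O=Computer Associates,C=US, can not verify the certificate
AcceptPeerIdenti|AcceptPeerIdentity |000000|ERROR | Failed to verify the certificate
VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by DN <CN=DSM Root,O=Computer Associates,C=US> and Serial <8653103DF0674344A8EC1A7840A941F2>
cbbcstor |cbbcstor |000000|INFO | getCertFromCBB: C:\Program Files (x86)\CA\SC\CBB\certdb\D7964466C524C234D78ED417E64495384F5137C3.der
"""

def parse(line):
    """Split 'component|function|code|LEVEL | message' into (level, message)."""
    parts = line.split("|", 4)
    return (parts[3].strip(), parts[4].strip()) if len(parts) == 5 else None

def triage(log_text, window=20):
    """Classify each failed verification; window (entries scanned) is an assumption."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    for i, (level, msg) in enumerate(entries):
        if level != "ERROR" or msg != FAIL:
            continue
        # Look back a few entries for the SKID lookup that led to this failure.
        skid = next((m.group(1) for _, t in reversed(entries[max(0, i - 5):i])
                     if (m := SKID_RE.search(t))), None)
        verdict, dn_seen = "unresolved", False
        for lvl, text in entries[i + 1:i + 1 + window]:
            if lvl == "ERROR" and text == FAIL:
                break                      # the next attempt failed too: no fallback seen
            if DN_RE.search(text):
                dn_seen = True             # retry using the legacy DN + serial lookup
            elif dn_seen and text.startswith("getCertFromCBB:"):
                verdict = "legacy-fallback-ok"
                break
        findings.append({"skid": skid, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage(ARTICLE_LOG):
        print(finding)
```

An "unresolved" result means no successful legacy lookup followed the failure, so that entry should not be dismissed as the version-mismatch case.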