CCertStore::RetrieveCertificate: cert not found


Article ID: 17015


Products

CA Automation Suite for Data Centers - Configuration Automation
CA Client Automation - Asset Management
CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Remote Control
CA Client Automation - Asset Intelligence
CA Client Automation - Desktop Migration Manager
CA Client Automation - Patch Manager

Issue/Introduction



The following error messages appear in some ITCM logs:

cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found 

VerifyCertificat|VerifyCertificate |000000|ERROR | Can't locate the issuer certificate CN=DSM Root,O=Computer Associates,C=US, can not verify the certificate 

AcceptPeerIdenti|AcceptPeerIdentity |000000|ERROR | Failed to verify the certificate 

 

 

The following Error event is present in the Windows Event Viewer Application log:

Source: DSM

Level: Error

Task Category: CAF

 

Certificate security violation:

The certificate was issued by an untrusted or unrecognized root certificate.

The attached data contains the peer certificate.

 

 

 

What do these errors mean? 

 

 

Environment

Communication between a machine running ITCM 14.0 SP1 (or higher version) and a machine running ITCM 14.0 (or lower version)

Resolution

These errors can be ignored; they do not indicate a problem.

Starting with ITCM 14.0 SP1, new certificates have been created to support SHA-2 and a larger RSA key (2048 bits).

See the ITCM 14.0 SP1 documentation here:

https://docops.ca.com/ca-client-automation/14-0/en/release-information-14-0-1/new-features-and-enhancements-of-14-0-1

 

These errors appear because ITCM 14.0 SP1 (or higher version) sends the new certificate version, which does not exist on ITCM 14.0 (or lower version).

In this case, however, there is an automatic switch to the old certificate version.

Remark:

Once the machine is upgraded to 14.0 SP1 or higher, these error messages will disappear from the log.

 

 

 

Additional Information

Example:

When communication is started between ITCM 14.0 (or lower version) and ITCM 14.0 SP1 (or higher version), the machine running ITCM 14.0 SP1 sends the new certificate (SHA-2, 2048 bits):

OpenIdentityByNa|OpenIdentityByName_I|000000|DETAIL | Open Identity by name dsmcommon, Use Legacy Certificate FALSE 

GetCertificateBy|GetCertificateByTag |000000|DETAIL | Tag <dsmcommon> LegacyCert <FALSE> 

CCFCertIdentity:|CCFCertIdentity::Get|000000|DETAIL | Retrieving Certificate matching the hash alorithm = SHA2_256 public key size = 2048 

 

The machine running ITCM 14.0 (or lower version) cannot find this certificate, and the following errors are written to its logs:

VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by SKID <A838A9B61327863DE96B9907924634A046A363CC> 

cbbcstor |cbbcstor |000000|INFO | CCertStore::RetrieveCertificate: flags: 0 tag: subject_dn: serialNo: skid: a838a9b61327863de96b9907924634a046a363cc 

cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found 

VerifyCertificat|VerifyCertificate |000000|ERROR | Can't locate the issuer certificate CN=DSM Root,O=Computer Associates,C=US, can not verify the certificate 

AcceptPeerIdenti|AcceptPeerIdentity |000000|ERROR | Failed to verify the certificate 

 

The machine running ITCM 14.0 SP1 (or higher version) then switches automatically to the old certificate version (SHA-1, 1024 bits):

OpenIdentityByNa|OpenIdentityByName_I|000000|DETAIL | Open Identity by name dsmcommon, Use Legacy Certificate TRUE 

GetCertificateBy|GetCertificateByTag |000000|DETAIL | Tag <dsmcommon> LegacyCert <TRUE> 

CCFCertIdentity:|CCFCertIdentity::Get|000000|DETAIL | Retrieving Certificate matching the hash alorithm = SHA1 public key size = 1024 

 

 

The machine running ITCM 14.0 (or lower version) can find this certificate, and authentication is successful.

VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by DN <CN=DSM Root,O=Computer Associates,C=US> and Serial <8653103DF0674344A8EC1A7840A941F2> 

cbbcstor |cbbcstor |000000|INFO | CCertStore::RetrieveCertificate: flags: 0 tag: subject_dn: CN=DSM Root,O=Computer Associates,C=US serialNo: 8653103DF0674344A8EC1A7840A941F2 skid: 

cbbcstor |cbbcstor |000000|INFO | getCertFromCBB: C:\Program Files (x86)\CA\SC\CBB\certdb\D7964466C524C234D78ED417E64495384F5137C3.der 
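The sequence above can be checked mechanically, so that a "Failed to verify the certificate" error is only treated as ignorable when a successful legacy lookup follows it. The script below is an added example, not CA/Broadcom code; the names parse and triage and the verdict strings are hypothetical, and SAMPLE_LOG is constructed from the log lines quoted in this article. It assumes the log of the machine running ITCM 14.0 (or lower version) contains these lines in the order shown.

```python
import re

# Constructed sample: the log lines quoted in this article, in the order shown.
SAMPLE_LOG = r"""
VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by SKID <A838A9B61327863DE96B9907924634A046A363CC>
cbbcstor |cbbcstor |000000|INFO | CCertStore::RetrieveCertificate: flags: 0 tag: subject_dn: serialNo: skid: a838a9b61327863de96b9907924634a046a363cc
cbbcstor |cbbcstor |000000|ERROR | CCertStore::RetrieveCertificate: cert not found
VerifyCertificat|VerifyCertificate |000000|ERROR | Can't locate the issuer certificate CN=DSM Root,O=Computer Associates,C=US, can not verify the certificate
AcceptPeerIdenti|AcceptPeerIdentity |000000|ERROR | Failed to verify the certificate
VerifyCertificat|VerifyCertificate |000000|DETAIL | Trying to locate trusted signing certificate by DN <CN=DSM Root,O=Computer Associates,C=US> and Serial <8653103DF0674344A8EC1A7840A941F2>
cbbcstor |cbbcstor |000000|INFO | CCertStore::RetrieveCertificate: flags: 0 tag: subject_dn: CN=DSM Root,O=Computer Associates,C=US serialNo: 8653103DF0674344A8EC1A7840A941F2 skid:
cbbcstor |cbbcstor |000000|INFO | getCertFromCBB: C:\Program Files (x86)\CA\SC\CBB\certdb\D7964466C524C234D78ED417E64495384F5137C3.der
"""
SKID_RE = re.compile(r"certificate by SKID <([0-9A-Fa-f]+)>")
ISSUER_RE = re.compile(r"Can't locate the issuer certificate (.+?), can not verify")

def parse(line):
    """Split 'function|function |code|LEVEL | message' into (level, message)."""
    parts = [p.strip() for p in line.split("|", 4)]
    return (parts[3], parts[4]) if len(parts) == 5 else None

def triage(log_text):
    """Return one (skid, issuer, verdict) tuple per failed peer verification."""
    results, skid, issuer, pending, legacy = [], None, None, None, False
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        level, msg = rec
        if m := SKID_RE.search(msg):             # lookup of the new (SHA-2) issuer
            if pending:                          # earlier failure never recovered
                results.append(pending + ("unresolved",))
            skid, issuer, pending, legacy = m.group(1).upper(), None, None, False
        elif m := ISSUER_RE.search(msg):
            issuer = m.group(1)
        elif level == "ERROR" and msg == "Failed to verify the certificate":
            pending = (skid, issuer)
        elif "certificate by DN <" in msg:       # legacy lookup by DN and serial
            legacy = True
        elif msg.startswith("getCertFromCBB:") and pending and legacy:
            results.append(pending + ("legacy-fallback-ok",))  # pattern from this article
            pending, legacy = None, False
    if pending:                                  # no legacy success followed: review it
        results.append(pending + ("unresolved",))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A failure reported as unresolved was not followed by the legacy lookup shown in this article, so it does not match the version-mismatch case described here.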

 

 

 

 

 
