API Gateway Validate Certificate Assertion Error: CANT_BUILD_PATH


Article ID: 196944


Products

  • CA API Gateway
  • API SECURITY
  • CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
  • CA API Gateway Enterprise Service Manager (Layer 7)
  • STARTER PACK-7
  • CA Microgateway

Issue/Introduction

The Validate Certificate assertion is configured with "Revocation Checking" as the validation type, and certificate validation fails with a "CANT_BUILD_PATH" error. The same certificate shows no error when the validation type is "Validate Certificate Path", which confirms that the certificate path is configured as needed.

Cause

Possible Causes:

  • A revocation checking policy may not be configured
  • The intermediate or root cert is not properly linked to a revocation checking policy
  • The CRL is larger than 1 MB (the default size limit)
  • The network configuration may not allow a connection to the CRL URL

Environment

Release : 9.4

Component : API GATEWAY

Resolution

  • Create the revocation checking policy, or verify that the existing one is configured correctly. Click on the "Certificate Validation" tab of the "Manage Certificate" menu option to review the revocation checking policy.
  • Make sure the intermediate and/or the root cert is configured with either the default revocation checking policy or a configured policy from the drop-down list. You can verify this on the validation tab of the certificate in the "Manage Certificate" menu option.
  • Set the pkix.crl.maxSize cluster-wide property to a higher value, or set it to 0 for unlimited CRL size.
  • If the network does not allow connections to the outside, the Gateway cannot reach the CRL and download it. You can configure your network proxy as the default proxy at Tasks -> Transports -> Manage HTTP Options.
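
To tell the CRL size cause apart from the network cause before changing Gateway settings, the download can be reproduced from the Gateway host. The Python sketch below is an added example, not Broadcom code: the function names, the status labels, and the reading of pkix.crl.maxSize as a byte count are assumptions, and the sample responses are constructed so it runs offline.

```python
import urllib.request

# Article: default CRL limit is 1 MB, and 0 means unlimited.
# Assumption: pkix.crl.maxSize is counted in bytes (1 MB = 1048576).
DEFAULT_MAX_CRL_BYTES = 1024 * 1024


def fetch_crl(url, proxy=None, timeout=10):
    """Download a CRL, optionally through an HTTP proxy URL (hypothetical helper)."""
    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


def triage_crl(url, max_size=DEFAULT_MAX_CRL_BYTES, fetch=fetch_crl):
    """Classify one CRL download attempt against the causes in the article."""
    try:
        body = fetch(url)
    except OSError as exc:  # URLError, HTTPError and socket timeouts are all OSError
        return {"status": "UNREACHABLE", "size": None, "detail": str(exc)}
    size = len(body)
    # A DER CRL starts with the SEQUENCE tag 0x30; a PEM one with the header below.
    if not (body[:1] == b"\x30" or body.lstrip().startswith(b"-----BEGIN X509 CRL-----")):
        return {"status": "NOT_A_CRL", "size": size,
                "detail": "response is not DER/PEM (proxy or portal page?)"}
    if max_size != 0 and size > max_size:
        return {"status": "TOO_LARGE", "size": size,
                "detail": f"{size} bytes exceeds limit of {max_size}"}
    return {"status": "OK", "size": size, "detail": "reachable and within limit"}


if __name__ == "__main__":
    # Constructed stand-ins for real downloads so the demo runs offline.
    def refused(url):
        raise OSError("connection refused")
    samples = {
        "small DER": lambda url: b"\x30\x82\x01\x00" + bytes(256),
        "2 MB DER": lambda url: b"\x30" + bytes(2 * 1024 * 1024),
        "proxy HTML": lambda url: b"<html>Access denied</html>",
        "blocked": refused,
    }
    for name, fake in samples.items():
        print(name, triage_crl("http://crl.example.test/ca.crl", fetch=fake))
```

For a real check, call triage_crl with the CRL URL from the certificate and, if a proxy is in use, pass fetch=lambda u: fetch_crl(u, proxy="...") with your proxy address.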