
PAM-CMN-0977: PKI authentication failed with error: Client chain problem


Article ID: 202377

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM user gets the following error when trying to log on to PAM with a smart card certificate:

PAM-CMN-0977: PKI authentication failed with error: Client chain problem

Cause

The certificate chain was not loaded into PAM.

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Run "certutil -scinfo" to view the certificate on the card with Crypto Shell Extensions. The "Certification Path" tab shows the certificate chain. Select each CA certificate in the chain, view it, go to the Details tab, select "Copy to File" and save it in Base-64 encoded X.509 format. Import each saved certificate into PAM as a CA Bundle on the Configuration > Security > Certificate page, under the Upload tab. Once the full chain is loaded into PAM, PKI authentication should succeed.
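
The export step above can also be scripted. The following PowerShell is an added example, not part of the original article or of PAM: it builds the chain for the user certificate and writes each CA certificate as a Base-64 encoded X.509 file, warning if the chain does not reach a self-signed root. It assumes the smart card certificate is visible in Cert:\CurrentUser\My; the parameter names and output folder are hypothetical.

```powershell
# Added example: export every CA certificate in a client certificate's chain
# as Base-64 encoded X.509 (.cer) files for upload to PAM.
# Assumption: the smart card certificate appears in Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,          # thumbprint of the smart card certificate
    [string] $OutDir = (Join-Path $PWD 'pam-ca-chain')    # hypothetical output folder
)

# Normalise the thumbprint (strip spaces and hidden characters pasted from the GUI)
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $clean
if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation status does not matter for collecting the chain; skip it so this works offline
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Element 0 is the user certificate; the remaining elements are the issuing CAs up to the root
$elements = @($chain.ChainElements)
for ($i = 1; $i -lt $elements.Count; $i++) {
    $ca   = $elements[$i].Certificate
    $b64  = [Convert]::ToBase64String($ca.RawData)
    # Wrap the Base-64 text at 64 columns, the conventional PEM line length
    $body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    $pem  = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----`r`n"
    $file = Join-Path $OutDir ("{0:D2}-{1}.cer" -f $i, $ca.Thumbprint)
    Set-Content -Path $file -Value $pem -Encoding Ascii -NoNewline
    "{0}  {1}" -f $file, $ca.Subject
}

# A complete chain ends in a self-signed root (subject equals issuer)
$last = $elements[-1].Certificate
if ($last.Subject -ne $last.Issuer) {
    Write-Warning "Chain is incomplete: no certificate found for issuer '$($last.Issuer)'"
}
if (-not $built) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "$($_.Status): $($_.StatusInformation.Trim())"
    }
}
```

An "incomplete" warning means an intermediate or root CA certificate is missing on the workstation and must be obtained from the issuing PKI before the full chain can be loaded into PAM.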