Unable to renew Directory Management UI server certificates

Article ID: 260318


Products

CA Directory

Issue/Introduction

The SSL certificates of our Directory Management UI servers (the Management UI node.js server and the SCIM server) are about to expire. The servers are running on Windows.

We followed the Directory documentation to renew the certificates: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/troubleshooting-ca-directory/creating-directory-manager-certificates-after-expiration.html

However, after we run createCerts.bat, the server certificate files (webservercert.pem and scimclientcert.pem) are empty.

We can see this error in the createCerts.bat output:

ERROR:There is already a certificate for /CN=<FQDN>/ST=Victoria/C=AU/O=CA Technologies/OU=Directory Management UI node.js

How can we renew the certificates?

Environment

Release : 12.x; 14.x

Cause

The current Management UI server and SCIM server certificates have not expired yet.
OpenSSL maintains a database of the certificates it has issued, and with unique_subject enabled it refuses to issue a new certificate whose subject matches an already issued certificate that is still valid. That refusal is the "There is already a certificate for ..." error, and because no new certificate is written, the output .pem files are left empty.

Resolution

In the "management-ui\CA" folder (by default "C:\Program Files\CA\Directory\management-ui\CA" on Windows), find the "index.txt.attr" file.

That file should contain this configuration parameter:
unique_subject = yes

Edit the file and change the parameter to:
unique_subject = no

Then run createCerts.bat again and continue the certificate renewal procedure as described in the Directory documentation linked above.
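To show what the createCerts.bat error is actually reporting, here is an added Python example (not part of this article or of CA Directory) that reads an OpenSSL CA index.txt database and applies the same unique_subject rule that "openssl ca" uses; the index rows and the FQDN dirmgr.example.com are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of an OpenSSL CA database (index.txt), tab-separated:
# status (V/R/E), expiry, revocation date, serial, file name, subject.
SAMPLE_INDEX = (
    "V\t270101000000Z\t\t1001\tunknown\t/CN=Directory Management UI CA/O=CA Technologies\n"
    "V\t250301120000Z\t\t1002\tunknown\t/CN=dirmgr.example.com/ST=Victoria/C=AU"
    "/O=CA Technologies/OU=Directory Management UI node.js\n"
    "R\t250301120000Z\t240115090000Z\t1003\tunknown\t/CN=dirmgr.example.com/ST=Victoria"
    "/C=AU/O=CA Technologies/OU=Directory Management UI SCIM\n"
)
# Subject from the article's error message, with a constructed placeholder FQDN.
NODEJS_SUBJECT = ("/CN=dirmgr.example.com/ST=Victoria/C=AU/O=CA Technologies"
                  "/OU=Directory Management UI node.js")
Z_FMT = "%y%m%d%H%M%SZ"  # OpenSSL's YYMMDDHHMMSSZ timestamp format

def parse_index(text):
    """Parse index.txt rows into dicts (the file name column is not needed)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rows.append({"status": status, "expiry": expiry, "revoked": revoked,
                     "serial": serial, "subject": subject})
    return rows

def parse_z(stamp):
    """Turn an index.txt timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, Z_FMT).replace(tzinfo=timezone.utc)

def conflicting_entry(rows, subject, unique_subject=True):
    """Row that makes 'openssl ca' refuse to issue for this subject, or None.
    Only rows still marked V count (R/E never block), and the lookup is skipped
    when index.txt.attr says unique_subject = no. Note a cert past notAfter keeps
    status V until 'openssl ca -updatedb' runs, so it still blocks until then."""
    if not unique_subject:
        return None
    for row in rows:
        if row["status"] == "V" and row["subject"] == subject:
            return row
    return None

def leftover_valid_entries(rows, subject, now_z):
    """V rows for the subject still unexpired at now_z: after renewing with
    unique_subject = no the old one stays here until revoked or expired."""
    return [r["serial"] for r in rows if r["status"] == "V"
            and r["subject"] == subject and parse_z(r["expiry"]) > parse_z(now_z)]
```

The last function is the check worth running after the workaround: with unique_subject = no, the previous server certificate's row stays valid in the CA database until it expires or is revoked.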