SEC_ERROR_REUSED_ISSUER_AND_SERIAL when importing RootCA certificate in Policy Server



Article ID: 273656


Products

SITEMINDER

Issue/Introduction


CA Directory is configured as Policy Store.

CADIR1 and CADIR2 are in replication and have SSL enabled.

Policy Server fails to connect to CADIR2 via SSL.

 

Environment


Policy Server 12.8SP07

 

Cause


There was a problem with the way the certificates were generated.

The following command was used to generate the DSA certificate on each instance (1).

On CADIR1:

# ./dxcertgen -D CADIR1 -i "CN=DXCertGenCA,OU=SSO,O=example,C=US" -d 3650 certs

On CADIR2:

# ./dxcertgen -D CADIR2 -i "CN=DXCertGenCA,OU=SSO,O=example,C=US" -d 3650 certs

This generated a separate RootCA certificate for each DSA instance, both with the same Issuer DN (the serial number is not guaranteed to differ).

The RootCA certificate from CADIR1 was imported into cert9.db with the certutil command successfully.

But when importing the RootCA from CADIR2, the following error is reported:

certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

The Policy Server will not be able to connect to CADIR2 unless the issuer certificate of the CADIR2 DSA certificate is imported into cert9.db as a trusted CA.

 

Resolution


When generating a new CA with the dxcertgen command, ensure the Issuer DN is unique for each CA.

The RootCA certificate is not meant to secure the DSA instances themselves; it should be used to issue the DSA certificates.

Alternatively, dxcertgen can generate a key pair and a CSR for the DSA, to be signed by another CA.

The certificate chain of the CA that issued the DSA certificate should then be imported into cert9.db using certutil on the Policy Server.
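The following script is an added example and is not part of the original article or of the CA Directory or SiteMinder products. It reproduces the condition described under Cause with openssl instead of dxcertgen (two self-signed CA certificates carrying the same Issuer DN and serial number), and shows the check a Policy Server administrator can run before calling certutil: NSS identifies a certificate by issuer DN plus serial number, so two different certificates sharing that pair are exactly what SEC_ERROR_REUSED_ISSUER_AND_SERIAL rejects. The subject DNs, file names and the certutil nickname are constructed for the example; the third CA illustrates the Resolution (a unique Issuer DN per CA).

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the issuer/serial
# collision with openssl and detect it before importing into cert9.db.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample CA certificates. Same -subj on both mirrors running
# dxcertgen with an identical -i argument on CADIR1 and CADIR2; -set_serial
# forces the same serial number so the collision is deterministic.
make_ca() {
  # $1 = file prefix, $2 = subject DN (openssl /-separated form), $3 = serial
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$2" -set_serial "$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The identity NSS keys certificates on: issuer DN and serial number.
issuer_serial() {
  openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# The SHA-256 fingerprint tells apart two certificates that are really different.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare a certificate about to be imported with one already trusted. Prints:
#   SAME       identical certificate (re-import is harmless)
#   COLLISION  same issuer/serial but a different certificate -> certutil
#              will refuse it with SEC_ERROR_REUSED_ISSUER_AND_SERIAL
#   OK         distinct issuer/serial, import can proceed
check_before_import() {
  new="$1"; existing="$2"
  if [ "$(fingerprint "$new")" = "$(fingerprint "$existing")" ]; then
    echo SAME
  elif [ "$(issuer_serial "$new")" = "$(issuer_serial "$existing")" ]; then
    echo COLLISION
  else
    echo OK
  fi
}

demo() {
  # The situation from the article: identical Issuer DN on both DSAs.
  make_ca cadir1 "/CN=DXCertGenCA/OU=SSO/O=example/C=US" 1
  make_ca cadir2 "/CN=DXCertGenCA/OU=SSO/O=example/C=US" 1
  # The resolution: a unique Issuer DN for the second CA (constructed name).
  make_ca cadir2_fixed "/CN=DXCertGenCA-CADIR2/OU=SSO/O=example/C=US" 1
  printf '%s %s\n' \
    "$(check_before_import "$WORK/cadir2.pem" "$WORK/cadir1.pem")" \
    "$(check_before_import "$WORK/cadir2_fixed.pem" "$WORK/cadir1.pem")"
}

demo
# Once the check prints OK, import the CA into the Policy Server's NSS database,
# e.g. (nickname and path are placeholders):
#   certutil -A -d sql:/path/to/nssdb -n "CADIR2 RootCA" -t "CT,," -i cadir2_fixed.pem
```

`demo` prints `COLLISION OK`: the second CADIR2 certificate, with the same DN and serial as CADIR1's, is the one certutil would reject, while the certificate issued under a unique DN imports cleanly alongside it. Using the fingerprint as the first test is what separates a harmless re-import of the same file from a genuine collision.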

 

Additional Information