CA Directory is configured as Policy Store.

CADIR1 and CADIR2 are in replication and have SSL enabled.

Policy Server fails to connect to CADIR2 via SSL.

Policy Server 12.8SP07

There was a problem with generating the certificate.

Following command was used to generate the DSA certificate (1).

On CADIR1:

# ./dxcertgen -D CADIR1 -i "CN=DXCertGenCA,OU=SSO,O=example,C=US" -d 3650 certs

On CADIR2:

# ./dxcertgen -D CADIR2 -i "CN=DXCertGenCA,OU=SSO,O=example,C=US" -d 3650 certs

This resulted in generating RootCA for each DSA instance with the same IssuerDN (but may result in a different serial number).

The RootCA certificate from CADIR1 was imported to cert9.db using certutil command successfully.

But when importing the RootCA from CADIR2, following error is reported:

certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

The Policy Server will not be able to connect to CADIR2 if the Issuer certificate is not imported into cert9.db as trusted CA.

Ensure when generating a new CA using the dxcertgen command, the IssuerDN is a unique DN.

The RootCA certificate is not for securing DSA instances, they should be used for issuing DSA certificate.

Or, the dxcertgen command can be used to generate a key pair for the DSA and CSR to be signed by other CA.

Then the CA certificate chain that issued the DSA certificate should be imported into the cert9.db using certutil on the Policy Server.

1. About the DXcertgen tool