CA Directory is configured as the Policy Store.
CADIR1 and CADIR2 are in replication and have SSL enabled.
Policy Server fails to connect to CADIR2 via SSL.
Release: 12.8.07
The problem lies in how the certificates were generated.
The following command was used to generate the DSA certificates.
On CADIR1:
./dxcertgen -D CADIR1 -i "CN=DXCertGenCA,OU=SSO,O=TEST,C=AU" -d 3650 certs
On CADIR2:
./dxcertgen -D CADIR2 -i "CN=DXCertGenCA,OU=SSO,O=TEST,C=AU" -d 3650 certs
This generated a separate RootCA certificate for each DSA instance, both with the same Issuer DN (the serial numbers may or may not differ).
The RootCA certificate from CADIR1 was imported into cert9.db with the certutil command successfully.
When importing the RootCA certificate from CADIR2, however, the following error is reported:
certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
The Policy Server cannot connect to CADIR2 unless the issuer certificate is imported into cert9.db as a trusted CA.
When generating a new CA with dxcertgen, ensure that the Issuer DN is unique.
The RootCA certificate is not meant to secure the DSA instances directly; it should be used to issue the DSA certificates.
Alternatively, dxcertgen can be used to generate the key pair and a CSR for the DSA, to be signed by another CA.
The CA certificate chain that issued the DSA certificate must then be imported into cert9.db at the Policy Server using certutil.
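The following script is an added pre-import check, not part of this article or of CA Directory's tooling: it reports CA certificates that share an issuer/serial pair before any of them is imported into cert9.db. It assumes openssl is on the path; the demo certificates it builds are constructed to reproduce the same-Issuer-DN, same-serial case from the article.

```shell
#!/bin/sh
# Pre-import check for cert9.db: NSS identifies a certificate by its issuer DN
# plus serial number, so two different CA certificates that collide on that
# pair cannot both be imported (SEC_ERROR_REUSED_ISSUER_AND_SERIAL).
# Usage: check_unique_issuer_serial ca1.pem ca2.pem ...
set -eu

# Print "issuer-DN|serial" for one PEM certificate.
cert_issuer_serial() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  printf '%s|%s\n' "$issuer" "$serial"
}

# Return 0 when every certificate has a distinct issuer/serial pair,
# 1 (with the colliding files listed on stderr) otherwise.
check_unique_issuer_serial() {
  tmp=$(mktemp)
  for f in "$@"; do
    printf '%s\t%s\n' "$(cert_issuer_serial "$f")" "$f" >>"$tmp"
  done
  dups=$(cut -f1 "$tmp" | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "COLLISION: these files share an issuer/serial pair and cannot" >&2
    echo "           all be imported into the same NSS database:" >&2
    printf '%s\n' "$dups" | while IFS= read -r k; do
      grep -F -- "$k" "$tmp" | cut -f2 | sed 's/^/  /' >&2
    done
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
  echo "OK: $# certificate(s), all issuer/serial pairs are unique"
}

# Constructed demo data: two self-signed "root CA" certificates generated with
# the same subject (the dxcertgen -i value from the article) and the same
# serial, plus a third with a unique DN. Writes ca1.pem ca2.pem ca3.pem to $1.
make_demo_certs() {
  dn='/C=AU/O=TEST/OU=SSO/CN=DXCertGenCA'
  i=1
  for subj in "$dn" "$dn" '/C=AU/O=TEST/OU=SSO/CN=DXCertGenCA-CADIR2'; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -set_serial 1 \
      -subj "$subj" -keyout "$1/key$i.pem" -out "$1/ca$i.pem" 2>/dev/null
    i=$((i + 1))
  done
}
```

Running the check on ca1.pem and ca2.pem reports a collision, which is exactly what certutil would reject; ca1.pem and ca3.pem pass because the Issuer DNs differ.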