Unable To Import Certificate

Article ID: 38587

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue:

I attempted to import a certificate, and it initially appeared to work, but it never showed up in any of the dropdown lists of certificates or in the Trusted Certificates list.

Attempting to import it again gives the error:

Error: An existing cert entry with the same Alias has been found: Bitium-UnionGeneral-IA

Attempting to import it with a different name gives the error:

Error: The certificate being imported already exists in the database under a different alias: bitium-uniongeneral-ia

- The errors above make it impossible for the user to use the certificate in Partnerships, as it is not an option in the certificate lists.

- The certificate still exists in the CDS, and shows up in the output when the smkeytool -listCerts command is issued.

 

Environment:

Policy Server: R12.51 CR01 build 973 : RHEL 5.9
Policy Store: CA Directory R12 SP12 : RHEL 6.4
Admin UI: R12.51 CR01 build 972 : RHEL 5.9

Cause:

- This issue occurs when a customer tries to import metadata into the Federation menu of the Admin UI and the import fails. The included certificate is imported into the CDS, but it does not appear in the Admin UI.

- If the certificate is imported again, the first error is given: "An existing cert entry with the same Alias has been found: (cert alias name)"

- If the administrator tries to import it with a different name, the second error is given: "The certificate being imported already exists in the database under a different alias: (cert alias name)"

Resolution:

- Remove the cert using the following command:

smkeytool -delete -alias <alias_name>

- Verify that the certificate no longer exists in the CDS by using XPSExplorer:

  - Run XPSExplorer using elevated privileges
  - Under the CDS menu, choose the option "Certificates"
  - Under the Certificates menu, choose the option "Search Objects"
  - Under this menu, verify that the certificate with the alias you deleted does not exist.

- A cross-check can be performed by issuing the smkeytool -listCerts command.

- Import the certificate into the CDS using the Admin UI.

Ideally, all certificate aliases should be free of non-alphanumeric characters to avoid issues with legacy tools (smkeytool).

Additional Information:

- If the certificate was imported using the Admin UI and its alias contains non-alphanumeric characters (as in the customer's use case above), the certificate cannot be removed using the smkeytool -delete -alias <alias_name> command, and the following error will be given:

  "Invalid value specified for alias. Only alpha-numeric characters are allowed in aliases."

- This is because smkeytool is a legacy command and is not set up to accept aliases with non-alphanumeric characters.

- This can be resolved by deleting the certificate directly from the CDS:

  - Open a command line and run XPSExplorer with elevated privileges
  - Under the CDS menu, choose the option "Certificates"
  - Under the Certificates menu, choose the option "Search Objects"
  - Under this menu, find the certificate with the alias that contains the non-alphanumeric characters, and type the number associated with that certificate
  - Select the option "Delete Object"
  - You will be returned to the previous menu with the certificates, which may still show the certificate in question. If so, back up one menu by selecting the option "Quit"
  - Re-open the "Search Objects" menu and verify that the certificate is deleted.

- Import the certificate again using the Admin UI
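A pre-import check that reproduces the three conditions this article describes, added here as an example (not CA/Broadcom code): a duplicate alias, the same certificate already stored under another alias, and an alias the legacy smkeytool cannot delete. It assumes case-insensitive alias matching (inferred from the lower-cased alias in the second error) and uses a SHA-256 of the certificate bytes as the identity check, a stand-in for however the CDS actually compares certificates; the inventory is constructed.

```python
import hashlib
import re

# Legacy smkeytool accepts only alpha-numeric aliases (rule taken from the
# error text quoted in this article).
SMKEYTOOL_ALIAS_RE = re.compile(r"^[A-Za-z0-9]+$")

# Constructed stand-in for the CDS inventory: alias -> certificate bytes.
# The byte strings are placeholders, not real DER certificates.
CDS_SAMPLE = {
    "Bitium-UnionGeneral-IA": b"constructed-der-idp-cert",
    "SPSigning": b"constructed-der-sp-cert",
}


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; used to spot the same certificate
    sitting under another alias (assumed matching rule, not the CDS's own)."""
    return hashlib.sha256(cert_der).hexdigest()


def preflight(alias: str, cert_der: bytes, existing: dict) -> list:
    """Return (problem, alias) pairs an import of alias/cert_der would hit.

    Alias comparison is case-insensitive: the second error in the article
    reports the stored alias in lower case, so that is assumed here.
    """
    problems = []
    wanted = alias.lower()
    new_fp = fingerprint(cert_der)
    for known_alias, known_der in existing.items():
        if known_alias.lower() == wanted:
            # Would trigger: "An existing cert entry with the same Alias has been found"
            problems.append(("duplicate-alias", known_alias))
        elif fingerprint(known_der) == new_fp:
            # Would trigger: "...already exists in the database under a different alias"
            problems.append(("duplicate-cert", known_alias))
    if not SMKEYTOOL_ALIAS_RE.match(alias):
        # smkeytool -delete refuses this alias; XPSExplorer is needed to remove it.
        problems.append(("legacy-unsafe-alias", alias))
    return problems


if __name__ == "__main__":
    for candidate in ("bitium-uniongeneral-ia", "BitiumIA2", "SPSigning2"):
        print(candidate, preflight(candidate, b"constructed-der-idp-cert", CDS_SAMPLE))
```

Running the check against the constructed inventory before the Admin UI import tells you which of the article's errors to expect, and whether the alias will later be removable with smkeytool or only with XPSExplorer.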

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: