A certificate for a federation partnership needs to be updated, but the Admin UI does not display any certificate under X509 Certificate Management.
The Admin UI server.log shows the error:
System exception trying to load keystore entries.com.ca.fedpki.api.remote.FedPkiException: com.ca.federation.client.XPSException: Attribute Failure while building the response : CA : XPS : sm-xpssvc-00290
smps.log shows:
[4541/140153423124224][Sun mm dd yyyy 09:15:40.487][XPSSvcHandlerSearch.cpp:1408][ProcessRequest][ERROR][sm-xpssvc-00290] Attribute Failure while building the response
[4541/140153423124224][Sun mm dd yyyy 09:15:40.488][XPSSvcHandlerSearch.cpp:1484][ProcessRequest][ERROR][sm-xpssvc-00173] Search Failed. XID failure.
OS: Red Hat Enterprise Linux 8.7
Policy Server version: 12.80.700.2758
XPSExport fails with:
(FATAL) : [sm-xpsxps-05100] Unable to read attribute CA.FED::Certificate.CertificateGUID[0] of object CA.FED::Certificate@000dxxxx-xxxx-xxxx-xxxx-xxxxxxxx020
11:39:32 Complete 00:00:00
(FATAL) : [sm-xpsxps-04840] Backup failed.
A new certificate had been imported from the Admin UI, and somehow the same certificate was imported twice: once as a "key/cert entry" and once as a "cert entry", both with the exact same alias "sample_alias_2025".
The "key/cert entry" (type 2) is the legitimate one and is used by many federation partnerships.
The "cert entry" (type 1) is corrupted: no actual CDS certificate is linked to it.
This one corrupted object prevents the Admin UI from loading ALL certificates.
However, attempting to remove or delete the corrupted record (CA.FED::Certificate.CertificateGUID[0] of object CA.FED::Certificate@000dxxxx-xxxx-xxxx-xxxx-xxxxxxxx020) with XPSExplorer does NOT succeed.
Both deleting it and renaming its alias with "U" (update) fail with the warning "CA.FED::Certificate.CertificateGUID[0] is missing". At the same time the message "update is successful" is displayed, but on returning to XPSExplorer the record is unchanged.
Recycling the service multiple times has no effect.
Using smkeytool, import a dummy public certificate with a new, unused alias, "samplealias2025bad".
Using XPSExplorer, verify that the new certificate is present in the CDS store.
Then, still in XPSExplorer, relink the bad CA.FED::Certificate@000dxxxx-xxxx-xxxx-xxxx-xxxxxxxx020 object to this newly imported dummy public certificate in CDS. Once the CA.FED::Certificate object is relinked, the record is valid again and can be updated: change its alias to "samplealias2025bad" so that it no longer collides with "sample_alias_2025".
Recycle the service and verify that the Admin UI is able to display all the certificates again.
The lesson: NEVER use the same certificate alias for two certificates, and avoid renaming the alias of an existing certificate that is already used for federation or OIDC.
Renaming the alias of an existing certificate can corrupt the certificate data, because the underlying objects are linked by the actual object ID (OID), not by the alias name.
If a new certificate needs to be imported, give it a brand-new alias.
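As an added example (not part of this article and not a CA/Broadcom tool), the script below models the two stores involved in the resolution steps and the lesson above: the CDS keystore entries that smkeytool manages, and the CA.FED::Certificate policy-store objects that point at a CDS entry by GUID. It flags the two conditions the article describes, an alias shared by more than one CA.FED::Certificate object and an object whose CertificateGUID points at nothing, and it refuses a candidate alias that is already in use, so it can be run as a pre-import check before a new certificate is added. The pipe-separated record format and the sample data are constructed for this example; they are an assumption, not the output of smkeytool, XPSExport or XPSExplorer.

```python
"""Pre-import sanity check for SiteMinder federation certificate aliases.

Added example, not part of the KB article. The record format below is a
constructed assumption, not real smkeytool/XPSExport output.

Model:
  * CDS entries:  one per GUID, with alias and entry type
                  ("key/cert entry" == type 2, "cert entry" == type 1)
  * CA.FED::Certificate objects: one per XID, with an alias and a
    CertificateGUID that must reference an existing CDS entry
"""
from collections import defaultdict
import sys

# Constructed sample CDS listing, one record per line: "guid|alias|type".
SAMPLE_CDS = """\
5b1c0c2e-1111-4a0a-9f2a-000000000001|sample_alias_2025|key/cert entry
5b1c0c2e-1111-4a0a-9f2a-000000000002|idp_signing_2024|key/cert entry
"""

# Constructed sample policy-store objects: "xid|alias|certificate_guid".
# The second record mirrors the article's corrupted object: it reuses a
# live alias but has no CDS certificate behind its CertificateGUID.
SAMPLE_FED = """\
000d0000-0000-0000-0000-000000000010|sample_alias_2025|5b1c0c2e-1111-4a0a-9f2a-000000000001
000d0000-0000-0000-0000-000000000020|sample_alias_2025|
000d0000-0000-0000-0000-000000000030|idp_signing_2024|5b1c0c2e-1111-4a0a-9f2a-000000000002
"""


def parse_records(text, fields):
    """Split 'a|b|c' lines into dicts keyed by the given field names."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def load_cds(text):
    """CDS entries keyed by GUID."""
    return {r["guid"]: r for r in parse_records(text, ["guid", "alias", "type"])}


def load_fed(text):
    """CA.FED::Certificate objects in listing order."""
    return parse_records(text, ["xid", "alias", "certificate_guid"])


def duplicate_aliases(fed_objects):
    """Aliases carried by more than one CA.FED::Certificate object."""
    by_alias = defaultdict(list)
    for obj in fed_objects:
        by_alias[obj["alias"]].append(obj["xid"])
    return {alias: xids for alias, xids in by_alias.items() if len(xids) > 1}


def dangling_objects(fed_objects, cds):
    """XIDs whose CertificateGUID is empty or references no CDS entry.

    This is the state in which XPSExport cannot read
    CA.FED::Certificate.CertificateGUID[0] and the Admin UI stops
    loading every certificate.
    """
    return [o["xid"] for o in fed_objects
            if not o["certificate_guid"] or o["certificate_guid"] not in cds]


def alias_is_free(candidate, cds, fed_objects):
    """True only if neither CDS nor the policy store already uses the alias.

    Enforces the article's rule: a newly imported cert always gets a
    brand-new alias, never one that is already present anywhere.
    """
    used = {r["alias"] for r in cds.values()} | {o["alias"] for o in fed_objects}
    return candidate not in used


def report(cds_text, fed_text):
    """Run both checks over the two listings and return the findings."""
    cds = load_cds(cds_text)
    fed = load_fed(fed_text)
    return {
        "duplicate_aliases": duplicate_aliases(fed),
        "dangling_objects": dangling_objects(fed, cds),
    }


if __name__ == "__main__":
    findings = report(SAMPLE_CDS, SAMPLE_FED)
    for alias, xids in findings["duplicate_aliases"].items():
        print(f"alias {alias!r} is used by {len(xids)} objects: {', '.join(xids)}")
    for xid in findings["dangling_objects"]:
        print(f"CA.FED::Certificate@{xid} has no CDS certificate behind it")
    cds, fed = load_cds(SAMPLE_CDS), load_fed(SAMPLE_FED)
    for candidate in ("sample_alias_2025", "samplealias2025bad"):
        print(f"alias {candidate!r} free for import: {alias_is_free(candidate, cds, fed)}")
    sys.exit(1 if findings["duplicate_aliases"] or findings["dangling_objects"] else 0)
```

Run against real data, the two listings would be filled from the outputs of smkeytool and an XPSExport dump (after adapting the parsers to their actual formats); the non-zero exit status makes it usable as a gate in a change procedure before any new alias is imported.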