Differences in IssuerDN when importing a certificate through smkeytool

Article ID: 7399


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We are importing certificates into R12.52 Policy Stores through the CLI, using the following command to import the cert in Base64 format:

./smkeytool.sh -addCert -alias "Certname" -infile /tmp/"certificate"

When the cert is successfully imported into the Policy Store, if the cert has special characters like "./" in the IssuerDN, then the cert is not added properly and SAML SSO fails at signature validation with the error: "Exception while verifying signature"

We have checked certs using XPSExplorer and we see cert is stored in two places as listed below:
1) CA.CDS::
2) CA.FED::

In both, we see different IssuerDN:

1-CA.CDS::
IssuerDN = "C=US,O=Test\, Inc.,OU=See www.Test.net/legal-terms,OU=(c) 2012 Test\, Inc. - for authorized use only,CN=Test Certification Authority - F2K"

2-CA.FED::Certificate
--------------- Attributes from CA.FED::Certificate ---------------
Alias = "test"
CertificateGUID = CA.CDS::[email protected]
FIPSApproved = true
IssuerDN = "CN=Test Certification Authority - F2K, OU="(c) 2012 Test, Inc. - for authorized use only", OU=See www.Test.net/legal-terms, O="Test, Inc.", C=US"
Type = <Certificate>
-------------------------------------------------------------------

So, comparing how it is stored in CA.FED and in CA.CDS, the only difference is in the IssuerDN.

How can we solve this? Are we importing the certificate correctly?

Environment

Policy Server : R12.52 SP1 CR04

Resolution

An issue fixed in R12.52 SP1 CR06 resolves the functional problem: certificates are matched regardless of how the IssuerDN is displayed in the UI and/or XPSExplorer. Two different IssuerDN formats that are logically the same can coexist, and the Federation transaction picks the right certificate and continues without any issue.

However, this fix does not remove the difference in IssuerDN format, which is displayed differently when the certificate contains special characters (quotes, apostrophe, etc.).

FIX: DE144249 - PS failed to locate certificate with escape chars in the Issuer field

As a workaround, you can modify the IssuerDN on the CA.FED::Certificate object to match the CA.CDS::Certificate IssuerDN. Alternatively, you can export the certificate in Base64 encoded format and re-import it, as this will correct the IssuerDN.
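As an added illustration (not part of the original article and not smkeytool or Policy Server code), the following Python compares the two IssuerDN strings shown above: a plain string comparison fails, which is why a store that matches DNs as text cannot locate the certificate, while parsing both into RDNs shows they name the same issuer. It handles the RFC 4514 backslash-escaped form (CA.CDS) and the double-quoted form (CA.FED), and accepts either RDN ordering.

```python
# Constructed from the two IssuerDN strings displayed in the article above.
CDS_DN = r'C=US,O=Test\, Inc.,OU=See www.Test.net/legal-terms,OU=(c) 2012 Test\, Inc. - for authorized use only,CN=Test Certification Authority - F2K'
FED_DN = 'CN=Test Certification Authority - F2K, OU="(c) 2012 Test, Inc. - for authorized use only", OU=See www.Test.net/legal-terms, O="Test, Inc.", C=US'


def parse_dn(dn):
    r"""Split a DN string into a list of (type, value) RDN pairs.

    Accepts both the RFC 4514 backslash-escaped form (O=Test\, Inc.) and the
    legacy double-quoted form (O="Test, Inc."), which is exactly the difference
    visible between the CA.CDS and CA.FED objects.
    """
    rdns = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.index('=', i)                 # attribute type runs up to '='
        attr = dn[i:eq].strip().upper()
        i = eq + 1
        value = []
        if i < n and dn[i] == '"':            # quoted value: read to closing quote
            i += 1
            while i < n and dn[i] != '"':
                value.append(dn[i])
                i += 1
            i += 1                            # skip the closing quote
        else:                                 # escaped value: read to unescaped ','
            while i < n and dn[i] != ',':
                if dn[i] == '\\' and i + 1 < n:
                    i += 1                    # take the escaped character literally
                value.append(dn[i])
                i += 1
        rdns.append((attr, ''.join(value).strip()))
        while i < n and dn[i] in ', ':        # skip separator and surrounding spaces
            i += 1
    return rdns


def same_issuer(dn_a, dn_b):
    """True when both strings name the same issuer, regardless of escaping
    style or whether RDNs are listed leaf-first (CN...) or root-first (C...)."""
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    return a == b or a == list(reversed(b))


if __name__ == '__main__':
    print('text equal:   ', CDS_DN == FED_DN)        # False: naive match fails
    print('same issuer:  ', same_issuer(CDS_DN, FED_DN))  # True: logically equal
```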