
Error importing certificate with escape Characters


Article ID: 7545




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


When importing an Entrust certificate, the certificate is stored incorrectly.

In particular, comparing the CA.CDS::Certificate and the CA.FED::Certificate, the IssuerDN is different.


IssuerDN = "C=US,O=Entrust\, Inc.,OU=See,OU=(c) 2012 Entrust\, Inc. - for authorized use only,CN=Entrust Certification Authority - L1K" 


*IssuerDN = "CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See, O="Entrust, Inc.", C=US" 

This causes transactions that leverage certificates to fail during signature validation, so the federation transaction fails.


CA SSO R12.52 SP1 CR4 on Red Hat Linux 6.X 64-bit


A manual workaround is to use XPSExplorer to modify the IssuerDN format in CA.FED::Certificate so that it matches the one in CA.CDS::Certificate.

However, the issue is resolved in CA SSO 12.52 SP1 CR06, which includes a patch that allows for different IssuerDN formats. With this fix, the right IssuerDN is picked up and Federation transactions complete without an issue. This is the recommended solution for this case.

Note that the IssuerDN appears in different formats because of the presence of special characters, such as backslashes, apostrophes, etc. Version 12.52 SP1 CR06 also contains fixes that allow assertions to be encrypted even if the IssuerDN contains non-ASCII characters.
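
The two IssuerDN strings shown above name the same issuer but differ in escaping (backslash versus quotes), spacing and RDN order, so a plain string comparison fails. The following is an added example, not CA SSO code and not the CR06 patch: `parse_dn` and `same_issuer` are hypothetical helpers, and treating a reversed RDN order as equivalent is an assumption made for this illustration.

```python
# Added illustration; parse_dn and same_issuer are hypothetical names.
# The two DN strings are copied from this article.
DN_ESCAPED = (r"C=US,O=Entrust\, Inc.,OU=See,"
              r"OU=(c) 2012 Entrust\, Inc. - for authorized use only,"
              r"CN=Entrust Certification Authority - L1K")
DN_QUOTED = ('CN=Entrust Certification Authority - L1K, '
             'OU="(c) 2012 Entrust, Inc. - for authorized use only", '
             'OU=See, O="Entrust, Inc.", C=US')

def parse_dn(dn):
    """Split a DN string into a list of (ATTR, value) pairs."""
    # Handles backslash-escaped characters and double-quoted values.
    # Hex-pair escapes are not decoded in this sketch.
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # escaped character is literal
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes    # quotes delimit, they are not data
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf))    # unescaped, unquoted comma ends an RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unbalanced quote in DN")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def same_issuer(dn_a, dn_b):
    """True if both strings carry the same RDNs, in the same or reversed order."""
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    return a == b or a == b[::-1]

if __name__ == "__main__":
    print("string equality:", DN_ESCAPED == DN_QUOTED)
    print("parsed equality:", same_issuer(DN_ESCAPED, DN_QUOTED))
```

Running such a comparison over stored certificate entries is one way to confirm whether a signature validation failure comes from a DN formatting mismatch rather than from a different issuer.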