Error: "No stored certificate request matches this certificate" when installing a SSL/TLS certificate in Messaging Gateway

book

Article ID: 152732

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

Symantec Messaging Gateway (SMG) needs a Certificate Authority (CA) certificate installed, but the error "No stored certificate request matches this certificate." occurs.

"No stored certificate request matches this certificate."

Cause

This message is returned when a certificate import file cannot be matched to either an existing certificate signing request (CSR), or an existing certificate in the database. This can be due to:

  • an issue with the format of the input file (e.g. pk7 formatted rather than the required x509 format)
  • a failure to include both the certificate and matching a private key in the import file
  • a wildcard certificate with no associated CSR or private key in the SMG Control Center.

Resolution

Notice: These instructions are provided as a service to our customers. Symantec ECS will not provide assistance to convert certificate formats by phone, email, or chat. For more assistance, please contact your certificate authority.

WARNING: All files below are examples; do not use them. Please use your own CSR and certificate.

  1. Ensure you have the actual CSR file from the appliance. You can only see it when creating the request, and must be saved locally after creation.
    Example CSR:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBzDCCATUCAQAwgYsxJDAiBgkqhkiG9w0BCQEWFWZZZZZZZZ9saXBza2lAbW9u
    eC5ldTEXMBUGA1UEAxMObWFpbDAxLm1vbnguZXUxEDAOBgNVBAgTB0lyZWxhbmQx
    DzZZZZNVBAcTBkR1YmxpbjELMAkGA1UEBhMCSUUxCzAJBgNVBAsTAml0MQ0wCwYD
    VQQKEwRtb254MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChmgiTNm+5FzpS
    gTXvTr7Y4njrJdrF7rZZZZZZZZZZZZZZZZZZZZZZenFHIL+l2Tp8j9IWjPE7pCs5
    SdTP9HzhOqxg4IzRHpaIz5LhR8Mbu1S8tMvrPNZqEbCsYsq3JTfPRcy/tJCgXBNx
    vzNN784Px74/SMibp0pfAS2mVH4poQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
    SL7SG4zmBLTgDesLZZZZZZZZZZZZZZZZK9CaCoWwB/eAQ3fdbcSPTuJXjonpGGJw
    4TzwXVBl5068cqvtEjI1bEl3WonncajiiA3pprvGp+HXbNNyJtovprWay33Kldms
    DhhzSV7ijERdjOVGvnnl09tnZLnQLNtQ9CF3bKfqnqo=
    -----END NEW CERTIFICATE REQUEST-----

     
  2. Ensure you have the certificate file generated by the CA from the CSR in step 1:
    Example x509/PEM certificate:
    -----BEGIN CERTIFICATE-----
    MIIFSTCCBDGgAwIBAgIQS1wGA8JSt8ZZZZZZZZZZZZZZZZZZhkiG9w0BAQUFADCB
    yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
    EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV
    BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz
    L3Rlc3RjYSAoYykwOTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl
    cnZlciBDQSAtIEcyMB4XDTEwMDkwOTAwMDAwMFoXDTEwMDkyMzIzNTk1OVowgaEx
    CzAJBgNVBAYTAklFMRAwDgYDVQQIEwdJcmVsYW5kMQ8wDQYDVQQHFAZEdWJsaW4x
    DTALBgNVBAoUBG1vbngxCzAJBgNVBAsUAml0MTowOAYDVQQLFDFUZXJtcyBvZiB1
    c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9jcHMvdGVzdGNhIChjKTA1MRcwFQYDVQQD
    FA5tYWlsMDEubW9ueC5ldTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoZoI
    kzZvuRc6UoE1ZZZZZZZZZZZZZZZZZZZZZZZLbT/x6SQRwc7SJXpxRyC/pdk6fI/S
    FozxO6QrOUnUz/R84TqsYOCM0R6WiM+S4UfDG7tUvLTL6zzWahGwrGLKtyU3z0XM
    v7SQoFwTcb8zTe/OD8e+P0jIm6dKXwEtplR+KaECAwEAAaOCAdMwggHPMAkGA1Ud
    EwQCMAAwCwYDVR0PBAQDAgWgMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9TVlJU
    cmlhbC1HMi1jcmwudmVyaXNpZ24uY29tL1NWUlRyaWFsRzIuY3JsMEoGA1UdIARD
    MEEwPwYKYIZIAYb4RQEHFTAxMC8GCCsGAQUFBwIBFiNodHRwczovL3d3dy52ZXJp
    c2lnbi5jb20vY3BzL3Rlc3RjYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
    AwIwHwYDVRZZZZZZZZZZZZZZZZZZZZZZBiy3to7aEGZgbuUwdAYIKwYBBQUHAQEE
    aDBmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wPgYIKwYB
    BQUHMAKGMmh0dHA6Ly9TVlJUcmlhbC1HMi1haWEudmVyaXNpZ24uY29tL1NWUlRy
    aWFsRzIuY2VyMG4GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYWCWltYWdlL2dpZjAh
    MB8wBwYFKw4DAhoEFEtruSiWBgy70FI4mymsSweLIQUYMCYWJGh0dHA6Ly9sb2dv
    LnZlcmlzaWduLmZZZZZZZZZZZZZZZZZZZjANBgkqhkiG9w0BAQUFAAOCAQEAZYq3
    ZI9mi487cjH6Y2kuOoUReidD2+X7l02rHdnPmeEOuQI+hUSJ6+GoQdV46aV4fN73
    +e/c4g7k9tnAESfLBf7JokgKp7MNXh3d06Iejgu+IMsJc4orehlghtIXEvaGLzoq
    wUxfw/NqnEGgK45g6M9Q//BLY8WeWSG2FWBeHDRDiE0rQghs9eR8gOPQU2w/gij9
    W1Rck95aVbu24A4kXk5qDqD1z+u9zSWX6DIX/wbJhAM6DVxoziIO4ES+A/bOWy+A
    193dM9rv3ACKUxtVPG4ZrrzTURrUFmFL02OirejhmO63yUHBm7GwQXQBBc2Ne7RQ
    WNcaWUo+PVfA5C2Q5g==
    -----END CERTIFICATE-----

     
  3. Use the following openssl command to the display contents of CSR, where "cert.csr" is your CSR file:

    openssl req -text -noout -verify -in cert.csr
     
  4. Use the following openssl command to display contents of the certificate, where cert.pem is your certificate file:

    openssl x509 -in cert.pem -text -noout
     
  5. Compare the sections called "Modulus" and "Expotent" in both the CSR and certificate file; they should be identical. If not, this may mean that the certificate has been created from a different CSR.
  6. Review the "Subject" section in both the CSR and certificate. Verify the information correlates.

Remediation

If the CSR and the certificate do not correlate, then Symantec recommends verification and/or reissuance of the certificate by the CA.

If the CA cannot remediate the issue or time is a factor, certificates may be installed without a CSR. See "Install certificates without a generated Certificate Signing Request".

 

Additional information

If you need OpenSSL, please go to the OpenSSL homepage.