4 Troubleshooting
This section contains details of any known issues and troubleshooting tips.
- Error when adding a new CA
You may see an error in the LogEvents table similar to the following after attempting and failing to add a new CA:
Error found in CheckPolicy: Request Enrollent Policy failed: SetClientAuth fail. Certificate Store , C:\Symantec\ra2014.pfx. The given path's format is not supported.
This is caused by the PFX file being read-only.
- Multiple CAs with the same CA Path
If you have multiple CAs sharing a CA Path, the first CA that is updated has all of the Published flags for its policies set to 0.
This is an issue for Symantec MPKI integration where different jurisdictions may be against the same back-end issuing CA.
- Dual Control for key recovery
If you have an existing Symantec MPKI connection in MyID, and you want to change it to use Dual Control for key recovery, you must contact Intercede customer support for help with reconfiguring your MyID system, quoting reference SUP-23.
- Error A601
Error A601 can appear when the common_name or mail_email name-value pairs are missing; the message that appears is similar to:
Enrollment request is incomplete or incorrect. Correct the enrollment request and retry the operation.
However, this error may also occur when the lifetime requested results in an invalid expiry date; for example, if the validity period of the certificates exceeds the expiration date of the issuing CA.
For more information on certificate lifetimes, see section 2.7, Certificate start and expiry times.
- IKB-349 – Duplicated certificate records appear in the MyID database
Duplicated certificate records appear in the MyID database; that is, certificates with the same serial number, but with mismatched key information. This may be caused by the following:
  - Certificate renewals
  - Temporary replacement cards (where short-term certificates are issued while the primary card is unavailable)
  - Requests for replacement cards where the original certificates are not revoked (this has been a policy choice by some customers)
  - User has multiple devices with certificates (e.g. smart card, mobile device, virtual smart card) holding the same certificate policy
If this occurs, it is recommended that you set the Allow duplicate certificates option to NO on DigiCert MPKI v8 certificate policies.