4 Troubleshooting

This section contains information on issues you may come across when setting up or using UniCERT with MyID.

• Invalid certificate policy for archival

  If you have not set up your certificate policies with data encipherment and/or key encipherment, and attempt to archive certificates, the MyID log events may contain an error similar to:

  <Error>

  <Code>-2147195611</Code>

  <Function>DoCertRequest</Function>

  <Message>Failure in UPI during certificate request submission Error generating the key pair for keyproperties with index com.cybertrust.unicert.upi.client.UPIException: Error generating the key pair for keyproperties with index:0 at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147) Caused by: java.lang.IllegalArgumentException: Policies with archival required must specify an encipherment key usage. ... 2 more

  </Message>

  <StackTrace>com.cybertrust.unicert.upi.client.UPIException: Error generating the key pair for keyproperties with index:0 at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147) Caused by: java.lang.IllegalArgumentException: Policies with archival required must specify an encipherment key usage. ... 2 more

  </StackTrace>

  </Error>

  Make sure your certificate policies have been set up correctly.

• KAS not available

  If you do not have the optional KAS UniCERT module, and attempt to issue archived certificates, an error similar to the following appears:

  <Error>

  <Code>-2147195611</Code>

  <Function>DoCertRequest</Function>

  <Message>Failure in UPI during certificate request submission No KAS certificate was found during the encryption/decryption operation. com.cybertrust.unicert.upi.client.ConfigurationException: upi.config.kascert.missing at com.cybertrust.unicert.upi.client.CertificateRequestForm.addPrivateKeyForArchive(Unknown Source) at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147)

  </Message>

  <StackTrace>com.cybertrust.unicert.upi.client.ConfigurationException: upi.config.kascert.missing at com.cybertrust.unicert.upi.client.CertificateRequestForm.addPrivateKeyForArchive(Unknown Source) at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147)

  </StackTrace>

  </Error>

• I/O error on SSL communications

  If the SSL chain is not trusted or added to the Java cacerts/trusted certs store, or if the end RRO certificate is ECC-based, an I/O error similar to the following appears:

  <Error>

  <Code>-2147195610</Code>

  <Function>DownloadPolicies</Function>

  <Message>UPIException An Input/Output error has occurred whilst performing the current operation. com.cybertrust.unicert.upi.client.UPIException: An Input/Output error has occurred whilst performing the current operation.</Message>

  </Error>

• Error when the HSM seeding configuration file is not found

  If MyID cannot locate the HSM seeding configuration file (for example, if you have mistyped the location in the Cfg File Path field – see section 3.1.1, Using an HSM for key generation seeding) an error similar to the following appears:

  Failure in UPI during certificate request submission java.security.InvalidParameterException: Error configuring SunPKCS11 provider
  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:117)
  at com.intercede.cybertrust.CertRequester.loadHWProvider(CertRequester.java:1171)
  at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:180)
  Caused by: java.io.FileNotFoundException: c:\logs\pkcs11.cfg (The system cannot find the file specified)
  at java.base/java.io.FileInputStream.open0(Native Method)
  at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
  at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
  at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
  at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:206)
  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
  at java.base/java.security.AccessController.doPrivileged(Native Method)
  at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
  ... 2 more

• Error when the JCryptoki.dll and keytoolspkcs11utils_57u.dll files cannot be found

  If you have not copied the JCryptoki.dll and keytoolspkcs11utils_57u.dll files as specified in section 3.1.1, Using an HSM for key generation seeding, an error similar to the following appears:

  2019-07-24 08:33:23.068 [7488.3924] UniCERTUPI Connector::CheckJniException - Exception string: com.cybertrust.unicert.upi.client.UPIException: <Error><Code>-2147195611</Code><Function>DoCertRequest</Function><Message>Failure in UPI during certificate request submission An general PKCS#11 error occurred. com.cybertrust.unicert.upi.client.SmartcardException: upi.pkcs11.general
  at com.cybertrust.unicert.upi.client.Reader.<init>(Reader.java:53)
  at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:187)
  Caused by: com.baltimore.pkcs11.exception.PKCS11Exception: JCryptoki exception occurred: The JCryptoki JNI library (JCryptoki) was not found
  at com.baltimore.pkcs11.exception.PKCS11Exception.getTypedException(PKCS11Exception.java:279)
  ... 2 more
  </Message><StackTrace>com.cybertrust.unicert.upi.client.SmartcardException: upi.pkcs11.general
  at com.cybertrust.unicert.upi.client.Reader.<init>(Reader.java:53)
  at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:187)
  Caused by: com.baltimore.pkcs11.exception.PKCS11Exception: JCryptoki exception occurred: The JCryptoki JNI library (JCryptoki) was not found
  at com.baltimore.pkcs11.exception.PKCS11Exception.getTypedException(PKCS11Exception.java:279)
  ... 2 more
  </StackTrace></Error> 

• Certificates take a long time to issue

  If you are using an HSM for seeding, the combination of using an external CA and an external HSM may increase the time taken to issue a certificate significantly. You may want to increase the Certificate Refresh Threshold option (on the Certificates page of the Operation Settings workflow) to a larger value; for example, 120 seconds.

• Error when the CA Path or Service Point is incorrect

  If there is a mistake in the CA Path or Service Point setting for the CA, you may see an error similar to:

  java.io.FileNotFoundException: http://iot-secure-poc.verizon.com:80/icaupi-beta/servlet/WebRAOServlet/servlet/GetPolicyList

  Make sure that the settings in the Certificate Authorities workflow are correct, and try again.