Issue:
We're running CA Access Gateway (SPS) and at random users get return
code 500 in the browser. We want to know why and how to fix this.
Cause:
The Policy Server fails to verify the signature on the incoming
AuthnRequest because the verifying certificate, the CA Root
certificate held in the Policy Store, has expired. The Policy Server
returns an error to SPS, and SPS sends a 500 code back to the browser:
smtracedefault.log:
[05/02/2019][14:36:11.637][14:36:11][8093][4001557360][AuthnRequestProtocol.java][verifySignatureOnRequest][126359be-0239c034-8cc7d9da-5168aea0-ba8fa1ed-4b][][][][][][][][][][][][][][][][][][][][][Exception processing signature: Verifying certificate has expired][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
The preceding trace lines identify the certificate in use:
DSigVerInfoSerialNumber=12ef11b2
DSigVerInfoIssuerDN=CN=myname,OU=myunit,O=myorganization,L=mycity,ST=mystate,C=mycountry,
Exporting the Policy Store data (XPSExport) gives the details of that
certificate. Reading it with openssl shows that this transaction uses
the following certificate, which had expired almost a year before the
request (Not After: Apr 15 2018, request logged in 2019). Issuer and
Subject are identical, so this is the self-signed CA Root certificate
against which the Policy Server verifies the signature:
<Property Name="CA.CDS::Certificate.Alias">
<StringValue>my.cert.in.prod</StringValue>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 552568247 (0x12ef11b2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
Validity
Not Before: Jan 22 07:00:00 2018 GMT
Not After : Apr 15 07:00:00 2018 GMT
Subject: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
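To make this diagnosis repeatable across many failing SPS requests, here is an added example (not from the KB article and not Broadcom tooling) in Python. It pulls each "Exception processing signature" failure out of smtracedefault.log together with the DSigVerInfoSerialNumber and DSigVerInfoIssuerDN values logged just before it for the same thread and transaction, parses the openssl x509 text output of each certificate exported from the Policy Store, and reports whether the certificate with that serial was outside its validity period when the request arrived. The log excerpt and the openssl output are constructed from the anonymised values in the article (the trace layout is reduced to the bracketed fields the script needs); the MM/DD/YYYY timestamp order, UTC log time, and the positions of the thread id and transaction id fields are assumptions.

```python
"""Correlate SPS / Policy Server signature-verification failures with the
certificate held in the Policy Store for that partner.

Added example, not part of the Broadcom KB article and not CA/Broadcom
tooling. Sample data is constructed from the article's anonymised values;
trace timestamps are assumed to be MM/DD/YYYY in UTC, and the thread id and
transaction id are assumed to be bracketed fields 5 and 8 of a trace line.
"""
import re
from datetime import datetime, timezone

# Constructed smtracedefault.log excerpt (layout reduced to the fields used here).
TRACE_LOG = """\
[05/02/2019][14:36:11.601][14:36:11][8093][4001557360][AuthnRequestProtocol.java][verifySignatureOnRequest][126359be-0239c034-8cc7d9da-5168aea0-ba8fa1ed-4b][DSigVerInfoSerialNumber=12ef11b2]
[05/02/2019][14:36:11.602][14:36:11][8093][4001557360][AuthnRequestProtocol.java][verifySignatureOnRequest][126359be-0239c034-8cc7d9da-5168aea0-ba8fa1ed-4b][DSigVerInfoIssuerDN=CN=myname,OU=myunit,O=myorganization,L=mycity,ST=mystate,C=mycountry,]
[05/02/2019][14:36:11.637][14:36:11][8093][4001557360][AuthnRequestProtocol.java][verifySignatureOnRequest][126359be-0239c034-8cc7d9da-5168aea0-ba8fa1ed-4b][][][][Exception processing signature: Verifying certificate has expired][][]
"""

# Constructed `openssl x509 -noout -text` output for the alias found with XPSExport.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 552568247 (0x12ef11b2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
        Validity
            Not Before: Jan 22 07:00:00 2018 GMT
            Not After : Apr 15 07:00:00 2018 GMT
        Subject: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""

STORE = {"my.cert.in.prod": OPENSSL_TEXT}  # alias -> openssl text, one entry per exported cert

TS_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2})")
FIELD_RE = re.compile(r"\[([^\]]*)\]")
INFO_RE = re.compile(r"DSigVerInfo(SerialNumber|IssuerDN)=([^\]]*)")
FAIL_RE = re.compile(r"Exception processing signature:\s*([^\]]+)")


def _openssl_date(text):
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_openssl_text(text):
    """Extract serial (lower-case hex, no 0x), DNs and validity window from `openssl x509 -text`."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return m.group(1).strip()
    # openssl prints small serials as "N (0xHEX)" and large ones as colon-separated hex bytes.
    serial = field(r"Serial Number:\s*(?:\d+\s*\(0x)?([0-9a-fA-F:]+)\)?")
    issuer = field(r"^\s*Issuer:\s*(.+)$")
    subject = field(r"^\s*Subject:\s*(.+)$")
    return {
        "serial": serial.replace(":", "").lower(),
        "issuer": issuer,
        "subject": subject,
        "self_signed": issuer == subject,  # a root CA certificate is its own issuer
        "not_before": _openssl_date(field(r"^\s*Not Before\s*:\s*(.+)$")),
        "not_after": _openssl_date(field(r"^\s*Not After\s*:\s*(.+)$")),
    }


def find_signature_failures(log_text):
    """One record per 'Exception processing signature' line, carrying the
    DSigVerInfo* values logged earlier by the same thread and transaction."""
    context = {}  # (thread id, transaction id) -> latest DSigVerInfo fields
    failures = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        fields = FIELD_RE.findall(line)
        if ts is None or len(fields) < 8:
            continue
        key = (fields[4], fields[7])
        for name, value in INFO_RE.findall(line):
            context.setdefault(key, {})[name] = value.rstrip(",")
        fail = FAIL_RE.search(line)
        if fail is None:
            continue
        when = datetime.strptime(ts.group(1) + " " + ts.group(2), "%m/%d/%Y %H:%M:%S")
        record = {"when": when.replace(tzinfo=timezone.utc), "reason": fail.group(1).strip(),
                  "txid": key[1]}
        record.update(context.get(key, {}))
        failures.append(record)
    return failures


def diagnose(failures, store):
    """Look each failure's serial up in the exported certificates and state
    whether that certificate was valid at the time of the request."""
    certs = {alias: parse_openssl_text(text) for alias, text in store.items()}
    results = []
    for f in failures:
        serial = f.get("SerialNumber", "").lower().lstrip("0")
        match = [(a, c) for a, c in certs.items() if c["serial"].lstrip("0") == serial]
        if not match:
            results.append({"serial": serial, "alias": None, "status": "not in export"})
            continue
        alias, cert = match[0]
        if f["when"] > cert["not_after"]:
            status = "expired"
        elif f["when"] < cert["not_before"]:
            status = "not yet valid"
        else:
            status = "valid; failure has another cause"
        results.append({"serial": serial, "alias": alias, "status": status,
                        "not_after": cert["not_after"], "self_signed": cert["self_signed"],
                        "reason": f["reason"], "when": f["when"]})
    return results


if __name__ == "__main__":
    for r in diagnose(find_signature_failures(TRACE_LOG), STORE):
        print(r)
```

Run it against a real smtracedefault.log and a directory of certificates dumped from the XPSExport output (one openssl text per alias in STORE); a "not in export" result means the serial the Policy Server logged is not in the Policy Store at all, which is a different problem from an expired certificate and worth distinguishing before asking the partner for a new one.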
Resolution:
- In the AdminUI, from your certificates, find the ones signed with
this expired certificate, identified in the export by its alias,
serial number and validity period:
<Property Name="CA.CDS::Certificate.Alias">
<StringValue>my.cert.in.prod</StringValue>
Serial Number: 552568247 (0x12ef11b2)
Issuer: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
Validity
Not Before: Jan 22 07:00:00 2018 GMT
Not After : Apr 15 07:00:00 2018 GMT
- Then, in agreement with your partner, replace the certificate with a
new one signed by an up-to-date CA Root certificate. Check the Not
After date of the replacement before importing it, and make sure the
partner signs its requests with the key matching the new certificate,
since the Policy Server verifies the AuthnRequest signature against
the certificate stored under this alias.
KB : KB000132519