Ask a Question

Advanced Search

Solution ID : SO1767

Last Modified : 06/21/2018

Error: 3905 or a00d when enrolling for certificates using Automated Administration (Managed PKI 6.x and below)

Cause

This error occurs when multiple RA certificates listed in the software database which cause the Automated Admin service to reject requests.

Solution

Note:  This solution applies to Managed PKI v6.x and below
 
To resolve this issue, perform the following steps:
 
1. Make sure you are at the signers directory on the Automated Administration server before you execute the commands below.
2. At the command prompt, follow the option that applies to your configuration:
 
If you have Software Signing type swimport -dump > swimport.txt
If you have Hardware Signing type aakeygen - dump > aakeygen.txt
 
3. Look at the applicable .txt file content and confirm that the RA certificate is valid. The entry with your account's Organization name is the RA certificate.
4. If RA certificate is invalid, it must be renewed. Follow the solutions listed below. If RA is valid, proceed to Step 5.
 
If you need RA renewal instructions for Hardware Signing, refer to SO1493
If you need RA renewal instructions for Software SIgning, refer ti SO1371
 
5. Normally, there should only be four certificates listed in the .txt file. The four certificates create a trust hierarchy referred to as Certificate Chain. 1 Root + 1 Intermediate + 1 Auto Admin + 1 RA certificate. If there is more than 1 RA certificate proceed as follows:
 
a. Stop the Automated Administration service
b. If you have Software Signing type swimport -delete,  from the signers directory and confirm the deletion of all certificates in the chain
c. If you have Hardware Signing type aakeygen -delete,  from the signers directory and confirm the deletion of all certificates in the chain
d. Import the PKCS7 certificate chain by running the appropriate command:
 
If you have a pilot system, type swimport -file TestOnSiteRAcert.pkcs7
If you have a production system, type swimport -file ProductionOnSiteRAcert.pkcs7
If you have the Hardware Signing option, use the aakeygen command in place of swimport
 
e. If you have Software Signing, import the RA certificate file to the certificate store by typing swimport -file cert.509 -509
f. If you have Hardware Signing, import the RA certificate file to the certificate store by typing aakeygen -file cert.509 -509
g. Restart the Automated Administration service and test certificate enrollment again