Certificate Related Issues
Review these troubleshooting tips for common certificate-related issues when working with Oracle Key Vault.
Updating to Current Certificate Issuer
While the Oracle Key Vault CA certificate rotation is in progress, the endpoint's status remains as Updating in Progress for many days. The CA certificate rotation process may be stalled if there are several endpoints in the Updating in Progress state.
Example
Probable Cause 1
No recent activity from the endpoint.
Solution
- In the endpoint, go to $OKV_HOME/bin, and run the okvutil list command multiple times.
  $OKV_HOME/bin/okvutil list -v 4
- If the preceding command returns data then:
  - Verify if $OKV_HOME/ssl is updated with the new certificates. A new directory is created under $OKV_HOME/ssl that contains ewallet.p12.
  - Verify the endpoint status in the Oracle Key Vault management console.
  - If the endpoint status still shows Update in Progress, then contact Oracle support.
    Note: In a multi-master cluster environment, the endpoint may not connect to the node where the new endpoint certificates are generated.
- If the okvutil command fails with an error, re-enroll the endpoint, download and install the okvclient.jar file. See How to Re-Enroll an Endpoint on an Endpoint Database.
- Verify if the certificate rotation proceeds.
- Check if the issue is resolved.
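The endpoint-side checks in this solution can be scripted on the endpoint host. The following is an added example, not Oracle tooling: the function names and status strings are hypothetical, and it assumes okvutil exits non-zero on failure and that the endpoint wallet does not prompt for a password.

```shell
#!/bin/sh
# Added example (not Oracle tooling). Function names and status strings are
# hypothetical. Assumes okvutil exits non-zero when it fails.

# Run "okvutil list -v 4" several times; print how many runs succeeded.
poke_endpoint() {
    okv_home="$1"; attempts="${2:-3}"; ok=0; i=0
    while [ "$i" -lt "$attempts" ]; do
        # okvutil output goes to stderr so only the count is on stdout.
        if "$okv_home/bin/okvutil" list -v 4 >&2; then ok=$((ok + 1)); fi
        i=$((i + 1))
    done
    echo "$ok"
}

# Print every directory directly under <okv_home>/ssl that holds ewallet.p12.
find_new_wallet_dirs() {
    for d in "$1"/ssl/*/; do
        if [ -f "${d}ewallet.p12" ]; then echo "${d%/}"; fi
    done
}

# Map the outcome to the branch of the procedure that applies.
check_endpoint_rotation() {
    okv_home="$1"
    succeeded=$(poke_endpoint "$okv_home" "${2:-3}")
    if [ "$succeeded" -eq 0 ]; then
        echo "OKVUTIL_FAILED"          # okvutil failed: re-enroll the endpoint
    elif [ -n "$(find_new_wallet_dirs "$okv_home")" ]; then
        echo "NEW_WALLET_DIR_PRESENT"  # next: check status in the console
    else
        echo "NO_NEW_WALLET_DIR"       # $OKV_HOME/ssl not updated yet
    fi
}

# Run only when OKV_HOME points at an installed endpoint.
if [ -n "${OKV_HOME:-}" ] && [ -x "$OKV_HOME/bin/okvutil" ]; then
    check_endpoint_rotation "$OKV_HOME"
fi
```

A NEW_WALLET_DIR_PRESENT result covers only the endpoint side; the endpoint status still has to be checked in the Oracle Key Vault management console.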
Probable Cause 2
The endpoint is no longer in use.
Solution
- Check whether the endpoint is still in use. If it is not, delete or re-enroll the endpoint.
- Repeat the same action for all the inactive endpoints.
- Verify if the certificate rotation proceeds.
- Check if the issue is resolved.