C.6 Certificate Related Issues

Review these troubleshooting tips for common certificate-related issues when working with Oracle Key Vault.

C.6.1 Unable to Upload Console Certificates

Uploading console certificates fails, and an error message is displayed.

Example

Uploading console certificates fails with:

Error: Failed to upload certificate file. Certificate is not compatible with server.

Probable Cause

Console certificates cannot be uploaded because one or more of the platform certificates may have expired.

Solution

  1. Check the validity of the following platform certificates:
    • openssl x509 -in /usr/local/dbfw/etc/ca.crt -enddate -noout
    • openssl x509 -in /usr/local/dbfw/etc/cert.crt -enddate -noout
    • openssl x509 -in /etc/pki/tls/certs/localhost_internal.crt -enddate -noout
    • openssl x509 -in /etc/pki/tls/certs/avs_generated_ui.crt -enddate -noout
    • openssl x509 -in /etc/pki/tls/certs/localhost.crt -enddate -noout
    • openssl x509 -in /usr/local/dbfw/etc/avs/avs_apex_client.crt -enddate -noout
    • openssl x509 -in /usr/local/dbfw/etc/ha_partner.crt -enddate -noout
  2. If any of the preceding certificates have expired, perform the steps in the following article: Rotating Platform Certificates.
  3. After the platform certificates are validated, generate the console certificate CSR, sign it and then upload the console certificate.
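The following script is an added example, not part of the Oracle documentation: it runs the same `openssl x509 -enddate -noout` command as step 1 against each platform certificate listed above, converts the `notAfter` line into days remaining, and exits non-zero if any certificate has expired. It assumes `openssl` is on the PATH and that it is run as a user that can read those files; the 30-day warning threshold is an assumption, not an Oracle-defined value.

```python
#!/usr/bin/env python3
"""Added example: report expiry of the Oracle Key Vault platform certificates
named in C.6.1. Runs the same `openssl x509 -enddate -noout` command as the
procedure; assumes `openssl` is on PATH and that the script runs as a user
able to read the certificate files (for example root on the appliance)."""
import calendar
import os
import subprocess
import sys
import time

# The platform certificate files checked in step 1 of C.6.1.
PLATFORM_CERTS = [
    "/usr/local/dbfw/etc/ca.crt",
    "/usr/local/dbfw/etc/cert.crt",
    "/etc/pki/tls/certs/localhost_internal.crt",
    "/etc/pki/tls/certs/avs_generated_ui.crt",
    "/etc/pki/tls/certs/localhost.crt",
    "/usr/local/dbfw/etc/avs/avs_apex_client.crt",
    "/usr/local/dbfw/etc/ha_partner.crt",
]

WARN_DAYS = 30  # assumed warning threshold; not an Oracle-defined value


def days_remaining(enddate_line, now=None):
    """Parse the 'notAfter=<Mon D HH:MM:SS YYYY GMT>' line printed by
    `openssl x509 -enddate -noout` and return whole days until expiry
    (negative once the certificate has expired)."""
    if not enddate_line.startswith("notAfter="):
        raise ValueError("unexpected openssl output: %r" % enddate_line)
    stamp = enddate_line.split("=", 1)[1].strip()
    # openssl pads single-digit days with two spaces; strptime tolerates that.
    expiry = calendar.timegm(time.strptime(stamp, "%b %d %H:%M:%S %Y GMT"))
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def classify(days, warn_days=WARN_DAYS):
    """Map days-to-expiry onto the action the procedure implies."""
    if days < 0:
        return "expired"      # rotate platform certificates before retrying
    if days < warn_days:
        return "expiring"     # the upload works today, but plan the rotation
    return "ok"


def cert_enddate(path):
    """Run the command from C.6.1 step 1 and return its single output line."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", path, "-enddate", "-noout"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def check_platform_certs(paths=PLATFORM_CERTS):
    """Return a list of (path, status, days) tuples. Missing files are reported
    rather than treated as an error so the report stays complete."""
    results = []
    for path in paths:
        if not os.path.isfile(path):
            results.append((path, "missing", None))
            continue
        days = days_remaining(cert_enddate(path))
        results.append((path, classify(days), days))
    return results


if __name__ == "__main__":
    report = check_platform_certs()
    for path, status, days in report:
        print("%-10s %6s  %s" % (status, "" if days is None else days, path))
    # Non-zero exit if any certificate is expired: the console certificate
    # upload keeps failing until those certificates are rotated.
    sys.exit(1 if any(s == "expired" for _, s, _ in report) else 0)
```

A result of `expired` for any file means step 2 (Rotating Platform Certificates) applies before the console certificate CSR is generated again; `missing` usually indicates the script was run on a host or with a user that cannot see the appliance paths.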

C.6.2 Updating to Current Certificate Issuer

While the Oracle Key Vault CA certificate rotation is in progress, the endpoint's status remains as Updating in Progress for many days. The CA certificate rotation process may be stalled if there are several endpoints in the Updating in Progress state.

Probable Cause 1

No recent activity from the endpoint.

Solution

  1. On the endpoint, go to $OKV_HOME/bin and run the okvutil list command several times:
    $OKV_HOME/bin/okvutil list -v 4
  2. If the preceding command returns data then:
    1. Verify that $OKV_HOME/ssl has been updated with the new certificates. A new directory containing ewallet.p12 is created under $OKV_HOME/ssl.
    2. Verify the endpoint status in the Oracle Key Vault management console.
    3. If the endpoint status still shows Update in Progress, then contact Oracle support.

      Note:

      In a multi-master cluster environment, the endpoint may not connect to the node where the new endpoint certificates are generated.
  3. If the okvutil command fails with an error, re-enroll the endpoint, then download and install the okvclient.jar file. See How to Re-Enroll an Endpoint on an Endpoint Database.
  4. Verify that the certificate rotation proceeds.
  5. Check if the issue is resolved.

Probable Cause 2

The endpoint is no longer in use.

Solution

  1. Check whether the endpoint is no longer in use. If so, delete or re-enroll the endpoint.
  2. Repeat the same action for every inactive endpoint.
  3. Verify that the certificate rotation proceeds.
  4. Check if the issue is resolved.

C.6.3 Error When Configuring SSO

When configuring Single Sign On (SSO), Oracle Key Vault displays an invalid certificate error.

Probable Cause

An SSO provider certificate was uploaded that was signed by an Intermediate CA. Oracle Key Vault validates the provider certificate by using the openssl verify command. If the issuing chain (Intermediate and Root CA) is not present in the server’s system trust store, then the command fails, and Oracle Key Vault rejects the certificate.

Solution

  1. Create a file named sso_chain.pem that contains the Intermediate CA certificate followed by the Root CA certificate, in the correct order.
  2. Copy the file sso_chain.pem to the server's certificate directory:
    scp sso_chain.pem support@<OKV_IP_address>:/etc/pki/tls/certs/
  3. Log in to the Oracle Key Vault server as the support user.
  4. Switch to the root user.
    su - root
  5. Determine the certificate hash:
    cd /etc/pki/tls/certs
    openssl x509 -hash -noout -in sso_chain.pem
  6. Create a symbolic link using the hash value from step 5 (ensure the path is correct):
    ln -s /etc/pki/tls/certs/sso_chain.pem /etc/pki/tls/certs/<hash>.0

    Example:

    ln -s /etc/pki/tls/certs/sso_chain.pem /etc/pki/tls/certs/3d19bb68.0
  7. Verify the signed provider certificate:
    openssl verify /path/to/signedcert.pem
  8. After the verification succeeds, retry the SSO configuration in Oracle Key Vault by using the signed certificate.
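The following script is an added example, not Oracle's code: it checks the `sso_chain.pem` file from step 1 for exactly two PEM certificates, computes the hash link path from steps 5 and 6, and runs `openssl verify` both with the chain file trusted explicitly (`-CAfile`) and with only the system trust store, which separates "the chain file is wrong" from "the chain is not installed yet". It assumes `openssl` is on the PATH and uses the `/etc/pki/tls/certs` directory from the procedure; the certificate and chain file paths are passed as arguments.

```python
#!/usr/bin/env python3
"""Added example: pre-check the sso_chain.pem file and the provider certificate
from C.6.3 before installing the hash link. Assumes `openssl` is on PATH; the
/etc/pki/tls/certs directory and the `-hash` option are those used in the
procedure above. Run it as the support/root user on the server."""
import subprocess
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
CERT_DIR = "/etc/pki/tls/certs"


def split_pem_certs(text):
    """Return the PEM certificate blocks in `text`, in file order.
    A BEGIN marker without its END marker is a truncated copy and is an error."""
    blocks, pos = [], 0
    while True:
        start = text.find(BEGIN, pos)
        if start < 0:
            return blocks
        end = text.find(END, start)
        if end < 0:
            raise ValueError("truncated PEM block at offset %d" % start)
        end += len(END)
        blocks.append(text[start:end] + "\n")
        pos = end


def chain_is_complete(chain_text, expected=2):
    """Step 1 expects exactly two certificates: Intermediate CA, then Root CA."""
    return len(split_pem_certs(chain_text)) == expected


def subject_hash(cert_path):
    """Step 5: the hash of the first certificate in the file, which names
    the symbolic link (`<hash>.0`)."""
    proc = subprocess.run(
        ["openssl", "x509", "-hash", "-noout", "-in", cert_path],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def link_path(hash_value, cert_dir=CERT_DIR, seq=0):
    """Path of the hash link created in step 6."""
    return "%s/%s.%d" % (cert_dir, hash_value, seq)


def openssl_verify(cert_path, chain_path=None):
    """Run `openssl verify` as Oracle Key Vault does. With chain_path set, the
    chain file is trusted explicitly (-CAfile), which shows whether the chain
    itself is correct independent of what the system store contains."""
    cmd = ["openssl", "verify"]
    if chain_path:
        cmd += ["-CAfile", chain_path]
    cmd.append(cert_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


def diagnose(cert_path, chain_path):
    """Collect what an admin needs: is the chain file well-formed, does the
    provider cert verify against it, and does it verify with the system store."""
    with open(chain_path) as fh:
        chain_text = fh.read()
    ok_chain, out_chain = openssl_verify(cert_path, chain_path)
    ok_system, out_system = openssl_verify(cert_path)
    return {
        "chain_cert_count": len(split_pem_certs(chain_text)),
        "verify_with_chain": ok_chain,
        "verify_with_system_store": ok_system,
        "expected_link": link_path(subject_hash(chain_path)),
        "detail": out_chain if not ok_chain else out_system,
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s signedcert.pem sso_chain.pem" % sys.argv[0])
    for key, value in diagnose(sys.argv[1], sys.argv[2]).items():
        print("%-26s %s" % (key, value))
```

Reading the output: `verify_with_chain` true and `verify_with_system_store` false is the situation this section describes, and the hash link at `expected_link` (steps 5 and 6) is what is missing; `verify_with_chain` false means the chain file itself is wrong (missing certificate, wrong order, or a truncated copy) and should be rebuilt before anything is placed in `/etc/pki/tls/certs`. Because `-CAfile` trusts every certificate in the chain file, this check confirms the file's content, not the system store's policy, so step 7 is still run after the link is created.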