|
|
|
Using the test tool for a certificate authentication scheme sometimes fails, even if it works typically (through a browser and the web server). The authentication log shows that the test tool expects an attribute of the issuer DN appears from the Issuer DN in the certificate.
This situation occurs when the issuer DN and other attributes differ according to the type of certificate-generation tool used. For example, The certutil.exe program on an IIS web server could possibly use ST= to abbreviate the name of the state in the issuer DN. The OpenSSL tools on an Oracle iPlanet web server, however, could possibly use S= to abbreviate the name of the state.
Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.
The situation is similar for the other attributes listed in Certificate Attributes that Require Custom Mappings.
To resolve this problem, have an administrator create mappings for each Issuer DN format in the Policy Sever. Then, the Policy Sever can accept the Issuer DN formats created by different certificate-generation tools.
| Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |