Issue:
I executed fspmp-enroll-tls-certificate.bat for Policy Manager Proxy and it gives me the error "Error: CA certificate verification failed" or "RA not issued by CA".
Resolution:
This error occurs when the Policy Manager Server's CA certificate has been updated but its Simple Certificate Enrollment Protocol (SCEP) registration authority (RA) certificates have not, so the RA certificates no longer chain to the current CA. Follow the steps below on the Policy Manager Server to resolve this:
1) Launch Command Prompt as administrator.
2) Type net stop fsms and press Enter to stop the Policy Manager Server service.
3) Delete the fspms.jks file from the Policy Manager Server installation folder (...\F-Secure\Management Server 5\data).
Note: Make a copy of the fspms.jks file as a backup before deleting it.
4) In Command Prompt, navigate to the folder mentioned in step 3, e.g.:
cd C:\Program Files (x86)\F-Secure\Management Server 5\data
5) Run the following two commands one after another:
Note: When prompted for a password, type: superPASSWORD
"C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
"C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks
Note: If you installed Policy Manager in a different directory, adjust the path in the commands above accordingly.
6) Type net start fsms and press Enter to start the Policy Manager Server service.
Finally, run the fspmp-enroll-tls-certificate.bat script located in the Policy Manager Proxy installation folder (...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat), then restart the Policy Manager Proxy (PMP) service.
For Linux
The underlying cause is the same: the CA certificate was updated on the Policy Manager, but the SCEP certificates were not.
To fix the issue, delete the Simple Certificate Enrollment Protocol (SCEP) RA certificates from fspms-ca.jks so they are re-issued by the current CA.
On the Policy Manager Server machine:
1) Stop the FSPMS service.
2) Delete fspms.jks (make a backup copy first).
3) In the data folder (/var/opt/f-secure/fspms/data/), run:
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks
4) Start the FSPMS service.
On the Policy Manager Proxy machine: run the fspmp-enroll-tls-certificate script (in /opt/f-secure/fspms/bin/), then restart the PMP service.
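As an added example (not the vendor's script), the following POSIX shell script performs the Linux server-side steps above, taking a timestamped backup of fspms.jks and checking that each RA alias is present before deleting it. It assumes the service is named fspms and managed by systemctl, that the keystore password is the one given above, and that the paths match the article; DATA_DIR and KEYTOOL can be overridden for other installs.

```shell
#!/bin/sh
# Added example, not the vendor's script: stop service, back up and remove fspms.jks,
# delete the SCEP RA aliases from fspms-ca.jks, start service. Assumptions: service
# name "fspms" under systemctl, keystore password as given in the article.
set -eu
DATA_DIR="${DATA_DIR:-/var/opt/f-secure/fspms/data}"
KEYTOOL="${KEYTOOL:-/opt/f-secure/fspms/jre/bin/keytool}"
CA_KEYSTORE="fspms-ca.jks"
STOREPASS="superPASSWORD"   # password from the article (assumed unchanged on this install)

# Copy the file to a timestamped backup, then remove the original. Prints the backup path.
backup_and_remove() {
    src="$1"
    [ -f "$src" ] || { echo "nothing to remove: $src not found" >&2; return 1; }
    backup="$src.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$backup"
    rm -f "$src"
    echo "$backup"
}

# True if the alias is present (keytool -list exits non-zero for a missing alias).
alias_exists() {
    "$KEYTOOL" -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Delete the two RA aliases named in the article, skipping any that are already gone.
# Prints the number of aliases actually deleted.
remove_ra_aliases() {
    ks="$1"; removed=0
    for a in fspm-ra-encryption fspm-ra-signing; do
        if alias_exists "$ks" "$a"; then
            "$KEYTOOL" -delete -alias "$a" -keystore "$ks" -storepass "$STOREPASS"
            removed=$((removed + 1))
        else
            echo "alias $a not present in $ks, skipping" >&2
        fi
    done
    echo "$removed"
}

main() {
    systemctl stop fspms
    cd "$DATA_DIR"
    echo "fspms.jks backed up to $(backup_and_remove fspms.jks)"
    echo "deleted $(remove_ra_aliases "$CA_KEYSTORE") RA alias(es) from $CA_KEYSTORE"
    systemctl start fspms
}
# Run with RUN_MAIN=1 on the Policy Manager Server; then enrol the proxy as described above.
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

After the server is back up, run the proxy's fspmp-enroll-tls-certificate script and restart the PMP service as described above.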
Article no: 000037300