C.6 Certificate Related Issues

Review these troubleshooting tips for common certificate-related issues when working with Oracle Key Vault.

C.6.1 Unable to Upload Console Certificates

Uploading console certificates fails, and an error message is displayed.

Example

Uploading console certificates fails with:

Error: Failed to upload certificate file. Certificate is not compatible with server.

Probable Cause

The console certificate cannot be uploaded because one or more of the platform certificates may have expired.

Solution

  1. Check the validity of the following platform certificates:
    • openssl x509 -in /usr/local/dbfw/etc/ca.crt -enddate -noout
    • openssl x509 -in /usr/local/dbfw/etc/cert.crt -enddate -noout
    • openssl x509 -in /etc/pki/tls/certs/localhost_internal.crt -enddate -noout
    • openssl x509 -in /etc/pki/tls/certs/avs_generated_ui.crt -enddate -noout
    • openssl x509 -in /etc/pki/tls/certs/localhost.crt -enddate -noout
    • openssl x509 -in /usr/local/dbfw/etc/avs/avs_apex_client.crt -enddate -noout
    • openssl x509 -in /usr/local/dbfw/etc/ha_partner.crt -enddate -noout
  2. If any of the above certificates have expired, perform the steps in the following article: Rotating Expired Platform Certificates.
  3. After the platform certificates are confirmed valid, generate the console certificate CSR, sign it, and then upload the console certificate.
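The following script is an added example, not part of the Oracle Key Vault documentation. It runs the expiry checks from step 1 over all seven platform certificate paths in one pass and uses openssl x509 -checkend so that certificates expiring within a warning window (assumed here to be 30 days) are flagged before they cause the upload error. The paths are the ones listed above; the function names and the --check option are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): check the Oracle Key Vault platform
# certificates from C.6.1 for expiry in one pass.

# Paths copied from the troubleshooting steps above.
PLATFORM_CERTS="
/usr/local/dbfw/etc/ca.crt
/usr/local/dbfw/etc/cert.crt
/etc/pki/tls/certs/localhost_internal.crt
/etc/pki/tls/certs/avs_generated_ui.crt
/etc/pki/tls/certs/localhost.crt
/usr/local/dbfw/etc/avs/avs_apex_client.crt
/usr/local/dbfw/etc/ha_partner.crt
"

# cert_status FILE [WARN_SECONDS]
# Prints exactly one word: missing, invalid, expired, expiring or valid.
# WARN_SECONDS defaults to 30 days (an assumption of this example).
cert_status() {
    file=$1
    warn=${2:-2592000}
    if [ ! -r "$file" ]; then
        echo missing
    elif ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo invalid                      # not a parseable X.509 certificate
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired                      # notAfter is already in the past
    elif ! openssl x509 -in "$file" -noout -checkend "$warn" >/dev/null 2>&1; then
        echo expiring                     # expires within the warning window
    else
        echo valid
    fi
}

# check_platform_certs
# Prints "<status> <notAfter> <path>" for every platform certificate and
# returns 1 if any of them is not valid, which is the condition under which
# the console certificate upload is expected to fail.
check_platform_certs() {
    rc=0
    for f in $PLATFORM_CERTS; do
        status=$(cert_status "$f")
        enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        printf '%-9s %-25s %s\n' "$status" "${enddate:-n/a}" "$f"
        [ "$status" = valid ] || rc=1
    done
    return $rc
}

# Usage: sh check_platform_certs.sh --check
if [ "${1:-}" = "--check" ]; then
    check_platform_certs
fi
```

A non-zero exit from check_platform_certs means at least one platform certificate must be rotated (step 2) before the console certificate CSR is generated; a status of expiring is a warning that the same failure is imminent.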

C.6.2 Updating to Current Certificate Issuer

While the Oracle Key Vault CA certificate rotation is in progress, the endpoint's status remains as Updating in Progress for many days. The CA certificate rotation process may be stalled if there are several endpoints in the Updating in Progress state.

Example

Probable Cause 1

No recent activity from the endpoint.

Solution

  1. On the endpoint, go to $OKV_HOME/bin and run the okvutil list command several times:
    $OKV_HOME/bin/okvutil list -v 4
  2. If the preceding command returns data, then:
    1. Verify that $OKV_HOME/ssl has been updated with the new certificates: a new directory containing ewallet.p12 is created under $OKV_HOME/ssl.
    2. Verify the endpoint status in the Oracle Key Vault management console.
    3. If the endpoint status still shows Update in Progress, then contact Oracle support.

      Note:

      In a multi-master cluster environment, the endpoint may not connect to the node where the new endpoint certificates are generated.
  3. If the okvutil command fails with an error, re-enroll the endpoint, and then download and install the okvclient.jar file. See How to Re-Enroll an Endpoint on an Endpoint Database.
  4. Verify that the certificate rotation proceeds.
  5. Check whether the issue is resolved.
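The following script is an added example and is not part of the Oracle Key Vault documentation. It combines steps 1 and 2.1 of the solution above: it retries the okvutil list command a few times, and it inspects $OKV_HOME/ssl for a wallet in a new subdirectory that is newer than the top-level ewallet.p12. The interpretation that a newer ewallet.p12 in a subdirectory indicates a completed rotation on this endpoint, the retry count, the function names and the --check option are all assumptions of this example; OKV_HOME is assumed to be set as it is for an enrolled endpoint.

```shell
#!/bin/sh
# Added example (not Oracle's code): endpoint-side checks for a stalled
# Oracle Key Vault CA certificate rotation (C.6.2, Probable Cause 1).

# list_wallets SSL_DIR
# Prints every ewallet.p12 directly under SSL_DIR or one level below it,
# newest first (ls -t sorts by modification time).
list_wallets() {
    ls -t "$1"/ewallet.p12 "$1"/*/ewallet.p12 2>/dev/null
}

# wallet_rotated SSL_DIR
# Returns 0 when the newest wallet is in a subdirectory of SSL_DIR rather
# than the top-level ewallet.p12, which is the state the documentation
# describes after the new certificates have been delivered (assumption).
wallet_rotated() {
    newest=$(list_wallets "$1" | head -n 1)
    [ -n "$newest" ] && [ "$newest" != "$1/ewallet.p12" ]
}

# okvutil_reachable [ATTEMPTS]
# Runs the listing command from step 1 up to ATTEMPTS times (default 3)
# and returns 0 as soon as one attempt succeeds, 1 if none does.
okvutil_reachable() {
    attempts=${1:-3}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        i=$((i + 1))
        if "$OKV_HOME/bin/okvutil" list -v 4 >/dev/null 2>&1; then
            return 0
        fi
        [ "$i" -lt "$attempts" ] && sleep 2   # short pause between retries
    done
    return 1
}

# Usage: sh endpoint_rotation_check.sh --check
if [ "${1:-}" = "--check" ]; then
    if okvutil_reachable 3; then
        echo "okvutil list returned data; wallets under $OKV_HOME/ssl (newest first):"
        list_wallets "$OKV_HOME/ssl"
        if wallet_rotated "$OKV_HOME/ssl"; then
            echo "new wallet present: verify the endpoint status in the management console"
        else
            echo "no new wallet directory yet: rotation has not reached this endpoint"
        fi
    else
        echo "okvutil list failed: re-enroll the endpoint (step 3)"
        exit 1
    fi
fi
```

If okvutil_reachable fails, the endpoint has had no recent successful activity and step 3 applies; if it succeeds but wallet_rotated reports no new wallet, remember the note above that in a multi-master cluster the endpoint may not be connecting to the node where the new endpoint certificates were generated.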

Probable Cause 2

The endpoint is no longer in use.

Solution

  1. Confirm that the endpoint is no longer in use. If it is not, delete or re-enroll the endpoint.
  2. Repeat this for every inactive endpoint.
  3. Verify that the certificate rotation proceeds.
  4. Check whether the issue is resolved.