C.6 Certificate Related Issues

Review these troubleshooting tips for common certificate-related issues when working with Oracle Key Vault.

C.6.1 Updating to Current Certificate Issuer

While the Oracle Key Vault CA certificate rotation is in progress, the endpoint's status remains Updating in Progress for many days. The CA certificate rotation process may stall if several endpoints are in the Updating in Progress state.

Probable Cause 1

No recent activity from the endpoint.

Solution

  1. In the endpoint, go to $OKV_HOME/bin, and run the okvutil list command multiple times.
    $OKV_HOME/bin/okvutil list -v 4
  2. If the preceding command returns data, then:
    1. Verify that $OKV_HOME/ssl is updated with the new certificates. A new directory is created under $OKV_HOME/ssl that contains ewallet.p12.
    2. Verify the endpoint status in the Oracle Key Vault management console.
    3. If the endpoint status still shows Update in Progress, then contact Oracle support.

      Note:

      In a multi-master cluster environment, the endpoint may not connect to the node where the new endpoint certificates are generated.
  3. If the okvutil command fails with an error, re-enroll the endpoint, then download and install the okvclient.jar file. See How to Re-Enroll an Endpoint on an Endpoint Database.
  4. Verify if the certificate rotation proceeds.
  5. Check if the issue is resolved.
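
The endpoint-side checks in steps 1 to 3 can be scripted. The following is an added example, not Oracle tooling: the function names and the OKV_POLL_SLEEP variable are hypothetical, okvutil is assumed to exit non-zero on failure, and any subdirectory of $OKV_HOME/ssl that holds ewallet.p12 is treated as the new certificate directory.

```shell
#!/bin/sh
# Added example; helper names and OKV_POLL_SLEEP are hypothetical.

# Step 1, exactly as on the page. okvutil may prompt for the wallet password.
okv_list() { "$1/bin/okvutil" list -v 4; }

# Step 2.1: print every subdirectory of $1/ssl that holds an ewallet.p12.
# Returns 0 if at least one exists, 1 if none, 2 if $1/ssl is missing.
okv_new_cert_dirs() {
    ssl_dir="$1/ssl"
    [ -d "$ssl_dir" ] || return 2
    found=1
    for d in "$ssl_dir"/*/; do
        if [ -f "${d}ewallet.p12" ]; then
            printf '%s\n' "${d%/}"
            found=0
        fi
    done
    return "$found"
}

# Steps 1-3: run the list command up to $2 times (default 3).
# Returns 0 = new certificate directory present (go check the console),
#         1 = okvutil works but no new directory yet,
#         3 = okvutil failed (assumed non-zero exit): re-enroll, step 3.
okv_check_rotation() {
    home="$1"; tries="${2:-3}"; i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        okv_list "$home" || return 3
        okv_new_cert_dirs "$home" && return 0
        sleep "${OKV_POLL_SLEEP:-5}"
    done
    return 1
}

# Usage on an endpoint: okv_check_rotation "$OKV_HOME" 5; echo "result: $?"
```

A result of 0 only confirms the endpoint-side files; the endpoint status in the Oracle Key Vault management console still has to be verified as in step 2.2.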

Probable Cause 2

The endpoint is no longer in use.

Solution

  1. Check whether the endpoint is still in use. If it is not, delete or re-enroll the endpoint.
  2. Repeat the same action for all the inactive endpoints.
  3. Verify if the certificate rotation proceeds.
  4. Check if the issue is resolved.