F-Secure Policy Manager Proxy gives error "Error: CA certificate verification failed" or "RA not issued by CA", when running fspmp-enroll-tls-certificate.bat - F-Secure Community
<main> <article class="userContent"> <h3 data-version="7" data-article="000037300" data-id="issue">Issue:</h3> <p>I executed fspmp-enroll-tls-certificate.bat for Policy Manager Proxy and it gives me the error "Error: CA certificate verification failed" or "RA not issued by CA".</p> <h3 data-id="resolution">Resolution:</h3> <p></p><p>This error can occur if the server's Simple Certificate Enrollment Protocol (SCEP) is not up to date. You can follow the steps below on the Policy Manager Server to resolve this:</p> <ol><li><b>Launch</b> Command Prompt as administrator</li><li><b>Type</b> <i>net stop fsms</i> and hit <b>Enter </b>to stop Policy Manager Server services</li><li><b>Delete</b> the fspms.jks file from the Policy Manager Server installation folder (...\F-Secure\Management Server 5\data)</li></ol><div><b>Note:</b> Make a copy of the fspms.jks file as a backup</div> <ol start="4"><li>In Command Prompt, <b>navigate</b> to the folder mentioned in Step 3. </li></ol><div><i>e.g. cd C:\Program Files (x86)\F-Secure\Management Server 5\data </i></div> <ol start="5"><li><b>Type</b> the following command below one after another: </li></ol><div><b>Note: </b>When prompted for a password, type: <b>superPASSWORD</b></div> <ul><li>C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks</li><li>C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks </li></ul><div><b>Note:</b> If you installed the Policy Manager in a different directory, specify it accordingly with the command above</div> <ol start="6"><li><b>Type</b> net start fsms and hit Enter to stop Policy Manager Server services</li></ol> Last, you need to run<b> </b>the fspmp-enroll-tls-certificate.bat script located in the Policy Manager Proxy Server installation folder. (...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat). <p>Article no: 000037300</p> </article> </main>