7.3 Troubleshooting Options for Certificate Problems

If certificate problems are reported after upgrading or replacing certificates or after restoring a device, use the following options to solve the problem:

Verifying Certificates after Upgrading or Restoring

Certificate commands are generated when you upgrade the Administration Console and when you restore a device. You should ensure that they have completed successfully.

  1. In the Administration Console, click Security > Command Status to determine whether a certificate command has failed.

  2. Note the destination trust store or keystore of any failed command.

  3. Click Auditing > Troubleshooting > Certificates.

    The Certificates page displays all the keystores and trust stores configured for Access Manager.

  4. Select the store, then click Re-push certificates.

    This pushes all assigned certificates to the store. You can re-push certificates multiple times without causing any problems.

Validating Trusted Root Certificates after Replacing Certificates

When you replace certificates, you should validate that the Identity Server configuration is storing a valid trusted root for the Access Gateways or SSL VPN servers that are using the Identity Server for authentication. You should also validate that the Access Gateway cluster and SSL VPN cluster are storing a valid trusted root for the Identity Server.

You cannot use the following process to validate that the Identity Server and J2EE agents are storing valid trusted roots for each other.

To validate the availability of required trusted root certificates:

  1. In the Administration Console, click Auditing > Troubleshooting > Certificates.

    The Certificates page displays all the keystores and trust stores configured for Access Manager.

  2. Validate the trusted root certificates of the Identity Server configuration:

    a. Select one of the following keystores that belong to the NIDP Configuration device:

      • Signing

      • Encryption

      • SSL Connector

      • Provider Introductions SSL Connector

      • Consumer Introductions SSL Connector

    b. Click Validate trusted root.

    c. If an error is reported, add the missing trusted root to a trust store.

      To identify the trust store, check the ESP Trust Store of the devices that are using the Identity Server for authentication. For instructions, see the following sections:

      Section 3.4.5, Viewing Trust Store Details

      Section 3.4.2, Adding Trusted Roots to Trust Stores

    d. Repeat Step 2.a and Step 2.c for each keystore that you want to validate.

  3. Validate the trusted root certificates of the Access Gateway cluster or the SSL VPN cluster:

    a. Select one of the following keystores that belong to the cluster:

      • Signing

      • Encryption

      • ESP Mutual SSL

    b. Click Validate trusted root.

    c. If an error is reported, add the missing trusted root to the Trust Store of the Identity Server.

      For instructions, see Section 3.4.2, Adding Trusted Roots to Trust Stores.

    d. Repeat Step 3.a and Step 3.c for each keystore that you want to validate.
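The check that Validate trusted root performs can also be reproduced offline, which is useful when the console is unavailable after a restore. The following is an added example written for this page, not Access Manager code; it assumes the Python `cryptography` library, and the root CA, the "nidp-signing" keystore certificate and the trust store contents are all constructed in the script rather than taken from a real deployment.

```python
# Added example, not Access Manager code: offline equivalent of "Validate trusted root".
# A keystore certificate passes only if its issuer chain ends at a self-signed root
# that is present in the peer device's trust store; otherwise the missing root is named.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_cert(common_name, issuer=None, issuer_key=None, is_ca=False):
    """Build a constructed test certificate (self-signed when issuer is None)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key


def validate_trusted_root(cert, intermediates, trust_store):
    """Return (ok, message): ok only if a trust-store root signs cert's chain."""
    by_subject = {c.subject: c for c in list(intermediates) + list(trust_store)}
    current = cert
    for _ in range(len(by_subject) + 1):          # bounded walk up the chain
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return False, f"missing trusted root: {current.issuer.rfc4514_string()}"
        try:   # the issuer's key must actually have signed this certificate
            issuer.public_key().verify(current.signature, current.tbs_certificate_bytes,
                                       padding.PKCS1v15(), current.signature_hash_algorithm)
        except Exception:
            return False, f"bad signature from {issuer.subject.rfc4514_string()}"
        if issuer.issuer == issuer.subject:        # reached a self-signed root
            if any(issuer == t for t in trust_store):
                return True, f"trusted root found: {issuer.subject.rfc4514_string()}"
            return False, f"root not in trust store: {issuer.subject.rfc4514_string()}"
        current = issuer
    return False, "chain does not terminate at a self-signed root"


# Constructed stores: a root CA, an Identity Server signing cert it issued, and an
# unrelated root standing in for an ESP trust store that lacks the right one.
ROOT_CERT, ROOT_KEY = make_cert("Constructed Root CA", is_ca=True)
NIDP_SIGNING, _ = make_cert("nidp-signing", ROOT_CERT, ROOT_KEY)
OTHER_ROOT, _ = make_cert("Unrelated Root CA", is_ca=True)
```

Run the check once with the keystore certificate against each peer's trust store, in both directions described above, and add the root the message names when it fails.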