
Veridium RA server can't reach Certification Authority

Symptoms

After successful Veridium authentication, the Credential Provider shows the error message "Unable to obtain certificate for login."

Note: this error can have several root causes, and this article covers only one of them. Use the detailed logs described in the following text to identify the one that applies.

The following event is registered on the client machine:

Event Source: Veridium-BopsCP
EventID: 50201
Severity: Information
Event body:
{
"Module": "RESTApi",
"Method": "GetRACertificate",
"UserName":"DEV\milos",
"Messages":{},
"URL":"https://dev-dc2.dev.local/RaWebApp/api/BopsCertificate",
"InputJSON":{"bopsShortLiveTok.....":..."","bopsToken":"...","bopsUpn":""},
"OutputJSON":{"FasUserHandler":nu..."Issu...":null,"IssuedCertificatePassword":null,"error":{"Hresult":-2147467259,"UUID":"0f1fb518-9455-45a0-9b72-e6a4eb65d7e1","errorCode":50101,"errorDescription":"RA Error: Error enrolling certificate"}},
"Return":{
"ReturnCode":50101, "Description": "RA Error: Error enrolling certificate"
},"ActivityStartTime": "",
"ActivityEndTime" : "",
"Duration" : 8317,
"Version" : "3.1.0.0"
}

and

Event Source: Veridium-BopsCP
EventID: 0
Severity: Error
RA Error: Error enrolling certificate

Root cause and Resolution

The final root cause and resolution depend on the event log entry on the Veridium RA server. See the following event details and the matching resolution.

On the Veridium RA server, the following event is logged:

  • Event Source: VeridiumRA

  • EventID: 300

  • Severity: Error

Match the text of the VeridiumRA event on the RA server against the symptoms listed here and continue with the corresponding root cause and resolution:

Symptom: CCertRequest::Submit: The RPC server is unavailable

Root cause: Certification authority is not reachable.

Resolution:
Open C:\Program Files\VeridiumID\RAEPServer\RaWebApp\web.config and look for the CAConfig entry:
<add key="CAConfig" value="dev-dc1.dev.local\dev-DEV-DC1-CA-1" />
Check whether the CA is available by running the command:
certutil -ping -config "dev-dc1.dev.local\dev-DEV-DC1-CA-1"

Check that the CA is started and available.

Symptom: Signer certificate not found

Root cause: Enrollment agent certificate not found.

Resolution:
Start Veridium EA/EP Configuration and check the status of the Enrollment Agent certificate.

Select the Certificate Template for the Enrollment Agent certificate and select the Certification Authority.
Click the Enroll Certificate button to request a new Enrollment Agent certificate.

Symptom: GetCertificate - Exception:System.Exception: Access Denied enrolling for certificate

Root cause: Problem with access rights to the Certification Authority and certificate enrollment.

Resolution:
Check the following:

  1. Verify that the certificate template selected in Veridium RA/EP Configuration -> User certificate template -> Selected certificate template is present in the list of allowed certificate templates on the Certification Authority.

  2. Verify that in CA Properties -> Security tab, the Veridium RA server is allowed to Request Certificates and Issue and Manage Certificates.

  3. Open the Certificate Authority Manager (certsrv.msc). Expand the selection for your CA. Right-click Certificate Templates and click Manage.

  4. Select the template for the user certificate (default name is BopsUser). Right-click the selected template and select Properties. Go to the Security tab and verify that the RA server has the Read and Enroll rights.
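
The triage described in this article, as a PowerShell script to run on the RA server. This is an added example, not Veridium's own tooling; it assumes that VeridiumRA event 300 is written to the Application log and that the account running it can read web.config. The function and variable names are hypothetical.

```powershell
# Added example: classify the latest VeridiumRA event 300 and, for the
# "RPC server is unavailable" case, ping the CA configured in web.config.
$WebConfig = 'C:\Program Files\VeridiumID\RAEPServer\RaWebApp\web.config'

# Symptom text from the article, mapped to the root cause it indicates.
$Causes = [ordered]@{
    'The RPC server is unavailable'           = 'Certification authority is not reachable'
    'Signer certificate not found'            = 'Enrollment agent certificate not found'
    'Access Denied enrolling for certificate' = 'Access rights to the CA or certificate template'
}

function Get-RaRootCause {
    param([string]$Message)
    foreach ($symptom in $Causes.Keys) {
        if ($Message.Contains($symptom)) { return $Causes[$symptom] }
    }
    return 'Not covered by this article; read the full event text'
}

function Get-CAConfig {
    param([string]$Path = $WebConfig)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    # The article shows the setting as <add key="CAConfig" value="..." />
    $node = $xml.SelectSingleNode("//add[@key='CAConfig']")
    if (-not $node) { throw "CAConfig key not found in $Path" }
    return $node.GetAttribute('value')
}

# Assumption: the event source writes to the Application log.
$filter  = @{ LogName = 'Application'; ProviderName = 'VeridiumRA'; Id = 300 }
$raEvent = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop
$cause   = Get-RaRootCause -Message $raEvent.Message
'{0:s}  {1}' -f $raEvent.TimeCreated, $cause

if ($cause -eq $Causes['The RPC server is unavailable']) {
    $ca = Get-CAConfig
    certutil -ping -config $ca
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "CA '$ca' did not answer the ping (exit code $LASTEXITCODE)"
    }
}
```

Get-WinEvent stops with an error when no matching event exists, which means this root cause does not apply and the other causes of the client-side error should be checked.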
