Troubleshooting PKI Services Manager Configuration
Use the PKI Services Manager test utility to determine if a certificate passes the validity tests. (Note: The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.)
Review Certificate Attribute Requirements Enforced by PKI Services Manager to confirm that the certificate you are testing is valid.
If a valid certificate fails the validity test, check the following:
- Is PKI Services Manager correctly configured to point to your certificate store(s)? (In the console, check the search order on the Trusted Chain pane. In pki_config, check CertSearchOrder.)
- Has the required root CA been added to as a trust anchor? (In the console, check the trust anchor list on the Trusted Chain pane. In pki_config, check Trust Anchor.)
- Is certificate revocation correctly configured? Try turning revocation checking off to see if validation succeeds. (In the console, edit the search order on the Revocation pane. In pki_config, edit RevocationCheckOrder.) If you need to modify your revocation checking, review the settings on the Revocation pane. In pki_config, review RevocationCheckOrder, CRLServers, OCSPCertificate, and/or OCSPResponders.