Troubleshooting PKI Services Manager Configuration

Use the PKI Services Manager test utility to determine if a certificate passes the validity tests. (Note: The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.)

Review Certificate Attribute Requirements Enforced by PKI Services Manager to confirm that the certificate you are testing is valid.

If a valid certificate fails the validity test, check the following:

  • Is PKI Services Manager correctly configured to point to your certificate store(s)? (In the console, check the search order on the Trusted Chain pane. In pki_config, check CertSearchOrder.)
  • Has the required root CA been added as a trust anchor? (In the console, check the trust anchor list on the Trusted Chain pane. In pki_config, check Trust Anchor.)
  • Is certificate revocation correctly configured? Try turning revocation checking off to see if validation succeeds. (In the console, edit the search order on the Revocation pane. In pki_config, edit RevocationCheckOrder.) If you need to modify your revocation checking, review the settings on the Revocation pane. In pki_config, review RevocationCheckOrder, CRLServers, OCSPCertificate, and/or OCSPResponders.
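
The checklist above can be run against a copy of pki_config with a short script. This is an added example, not part of the product or its documentation. It assumes `Keyword = value` lines with `#` comments and case-insensitive keywords, that the trust anchor keyword is written `TrustAnchor` in the file, and that `crlserver` and `none` are RevocationCheckOrder values; the sample configuration is constructed.

```python
import re

# Keywords the checklist says to confirm. "TrustAnchor" is the assumed
# file spelling of the page's "Trust Anchor".
CHECKLIST = ("CertSearchOrder", "TrustAnchor", "RevocationCheckOrder")

# Constructed sample, not a real configuration.
SAMPLE = """\
# pki_config (constructed sample)
CertSearchOrder = local
RevocationCheckOrder = crlserver, ocsp
OCSPResponders = http://ocsp.example.test
"""

def parse_pki_config(text):
    """Return {lowercased keyword: [values]} for 'Keyword = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"([A-Za-z]+)\s*=\s*(.*)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return settings

def triage(text):
    """Return the checklist items that need review for this configuration."""
    s = parse_pki_config(text)
    # A keyword that is absent or has an empty value counts as not set.
    findings = [f"{k} is not set" for k in CHECKLIST
                if not any(s.get(k.lower(), []))]
    order = [v.strip().lower()
             for value in s.get("revocationcheckorder", [])
             for v in value.split(",") if v.strip()]
    # Assumed dependency: the crlserver source needs CRLServers to be set.
    if "crlserver" in order and not any(s.get("crlservers", [])):
        findings.append("RevocationCheckOrder uses crlserver but CRLServers is not set")
    # Revocation left off after the troubleshooting test described above.
    if order == ["none"]:
        findings.append("revocation checking is off; restore it after the test")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```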