
Max. number of certificates?

Trying to replace our old/expiring wildcard SSL Certificate that's also used in our encryption and signing keystores.

When I go into the 4.2 Admin console, select the old SSL Cert -> Devices, click Encryption keystore, it shows one cert. The old one.
I click the box and select "replace".

I then select the new Cert.

I click OK

and get this error:

Error adding one or more certificates to the keystore: The maximum number of keys has already been added to the keystore (~tmp_4806846fa58ab912-encryption).

Re: Max. number of certificates?


kjhurni;268226 Wrote:
>
> and get this error:
>
> > Error adding one or more certificates to the keystore: The maximum
> > number of keys has already been added to the keystore
> > (~tmp_4806846fa58ab912-encryption).

Is there anything more meaningful in the app_sc log?


--
edmaa
------------------------------------------------------------------------
edmaa's Profile: https://forums.netiq.com/member.php?userid=1118
View this thread: https://forums.netiq.com/showthread.php?t=55949


Re: Max. number of certificates?

edmaa;2430054 wrote:
> kjhurni;268226 Wrote:
> >
> > and get this error:
> >
> > > Error adding one or more certificates to the keystore: The maximum
> > > number of keys has already been added to the keystore
> > > (~tmp_4806846fa58ab912-encryption).
>
> Is there anything more meaningful in the app_sc log?




Not really, IMO. Just a regurgitation of the same error:

1440447(D)2016-05-27T13:24:03Z(L)application.sc.defaultExecutor(T)36(C)com.volera.vcdn.platform.executor.PriorityExecutor(M)logInfo(Msg)Priority Queue - Size: 1
1440448(D)2016-05-27T13:24:03Z(L)application.sc.defaultExecutor(T)17(C)com.volera.vcdn.platform.executor.PriorityExecutor(M)logInfo(Msg)Priority Queue - Picked up work com.volera.vcdn.application.sc.core.work.CertUpdateWork@29922baa
1440449(D)2016-05-27T13:24:12Z(L)webui.sc(T)321475(C)com.volera.roma.app.handler.CertHandler(M)addKeyToKeystore(Msg)In addKeyToKeystore - updating ~tmp_4806846fa58ab912-encryption
1440450(D)2016-05-27T13:24:12Z(L)webui.sc(T)321475(C)com.volera.roma.app.handler.CertHandler(M)addKeyToKeystore(Msg)<amLogEntry> 2016-05-27T09:24:12Z DeviceManager: AM#700901017: Error - Adding key (wildcard-BLAH) to keystore (~tmp_4806846fa58ab912-encryption) because the maximum number of keys has been reached. </amLogEntry>

1440451(D)2016-05-27T13:24:12Z(L)webui.sc(T)321475(C)com.volera.roma.app.handler.CertHandler(M)handleException(E)java.lang.Exception: The maximum number of keys has already been added to the keystore (~tmp_4806846fa58ab912-encryption).
at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:1389)
at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:241)
at com.volera.roma.app.handler.CertHandler.doAddMultipleKeysToKeystores(y:2843)
at com.volera.roma.app.handler.CertHandler.processRequest(y:2466)
at com.volera.roma.servlet.GenericController.doPost(y:394)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:612)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at com.novell.accessmanager.tomcat.SynchronizationValve.invoke(y:2141)
at com.novell.accessmanager.tomcat.SynchronizationValve.invoke(y:2141)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
(Msg)<amLogEntry> 2016-05-27T09:24:12Z SEVERE DeviceManager: AM#100901025: Error - In handleException (Unable to get the Exception's cause because it is null) </amLogEntry>

1440452(D)2016-05-27T13:24:18Z(L)application.sc.defaultExecutor(T)36(C)com.volera.vcdn.platform.executor.PriorityExecutor(M)logInfo(Msg)Priority Queue - Adding com.volera.vcdn.application.sc.core.work.CertUpdateWork@29922baa

Re: Max. number of certificates?

kjhurni wrote:


> > 2016-05-27T09:24:12Z DeviceManager: AM#700901017: Error - Adding
> > key (wildcard-dec_ny_gov) to keystore
> > (~tmp_4806846fa58ab912-encryption) because the maximum number of
> > keys has been reached. </amLogEntry>
> >
> > 1440451(D)2016-05-27T13:24:12Z(L)webui.sc(T)321475(C)com.volera.roma
> > .app.handler.CertHandler(M)handleException(E)java.lang.Exception:
> > The maximum number of keys has already been added to the keystore
> > (~tmp_4806846fa58ab912-encryption). at
> > com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:1389)
> > at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:241)
> > at


Not sure about this one Kev. You're not using the appliance right?

--
Cheers,
Edward

Re: Max. number of certificates?

Edward van der Maas;2430180 wrote:
> kjhurni wrote:
>
> > > 2016-05-27T09:24:12Z DeviceManager: AM#700901017: Error - Adding
> > > key (wildcard-dec_ny_gov) to keystore
> > > (~tmp_4806846fa58ab912-encryption) because the maximum number of
> > > keys has been reached. </amLogEntry>
> > >
> > > 1440451(D)2016-05-27T13:24:12Z(L)webui.sc(T)321475(C)com.volera.roma
> > > .app.handler.CertHandler(M)handleException(E)java.lang.Exception:
> > > The maximum number of keys has already been added to the keystore
> > > (~tmp_4806846fa58ab912-encryption). at
> > > com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:1389)
> > > at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:241)
> > > at
>
> Not sure about this one Kev. You're not using the appliance right?



No, the regular good ol' 3 box method (LOL). Of course, this worked fine in the test lab, and the Dev Lab, and then pukes in Prod.

Re: Max. number of certificates?

Well finally got this resolved with NTS help.

Basically the encryption keystore can have only ONE certificate (which is why when you go into the keystore, there's only the "replace" option).
Somehow, when the original Wildcard SSL cert was added, it got an alias of the name of the Cert, instead of (apparently) the NetIQ expected: encryption
Apparently it can ONLY have that alias or else it won't let you replace it.

The ~tmp_blahlah is an actual eDir object in the NAM eDir instance. Basically edited it to remove the <alias> portion and then it let us delete it and replace it.

Could've been a bug in past versions of NAM, as supposedly it's not supposed to let you change the alias for encryption keystore.

(although when you go to replace it, the Admin Console GUI does appear to let you be able to change that alias name that's pre-populated, but obviously I had no desire to try it).
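
A triage helper for the app_sc excerpt quoted earlier in the thread, added here as an example and not part of any poster's message or of NetIQ's tooling: it parses the tagged record format and reports which key alias and keystore hit the "maximum number of keys" error. The function names and the sample records are constructed for illustration.

```python
import re

# Record header as seen in the thread's app_sc excerpt:
# <seq>(D)<UTC time>(L)<logger>(T)<thread>(C)<class>(M)<method>(Msg|E)<text>
RECORD = re.compile(
    r"^(?P<seq>\d+)\(D\)(?P<time>\S+?)\(L\)(?P<logger>.+?)\(T\)(?P<thread>\d+)"
    r"\(C\)(?P<cls>.+?)\(M\)(?P<method>\w+)\((?P<kind>Msg|E)\)(?P<text>.*)$"
)
AM_CODE = re.compile(r"AM#(\d+)")
LIMIT = re.compile(
    r"Adding key \((?P<key>[^)]+)\) to keystore \((?P<keystore>[^)]+)\) "
    r"because the maximum number of keys has been reached"
)

def parse_records(text):
    """Group lines into records; lines without a header (stack frames) join the previous one."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["text"] += "\n" + line.strip()
    return records

def keystore_limit_events(text):
    """Return one entry per 'maximum number of keys' failure."""
    events = []
    for rec in parse_records(text):
        hit = LIMIT.search(rec["text"])
        if hit:
            events.append({
                "time": rec["time"],
                "key": hit["key"],
                "keystore": hit["keystore"],
                "am_codes": AM_CODE.findall(rec["text"]),
            })
    return events

# Constructed sample in the thread's format; key and keystore names are placeholders.
SAMPLE = """\
100(D)2016-05-27T13:24:12Z(L)webui.sc(T)7(C)com.volera.roma.app.handler.CertHandler(M)addKeyToKeystore(Msg)In addKeyToKeystore - updating ~tmp_EXAMPLE-encryption
101(D)2016-05-27T13:24:12Z(L)webui.sc(T)7(C)com.volera.roma.app.handler.CertHandler(M)addKeyToKeystore(Msg)<amLogEntry> 2016-05-27T09:24:12Z DeviceManager: AM#700901017: Error - Adding key (wildcard-EXAMPLE) to keystore (~tmp_EXAMPLE-encryption) because the maximum number of keys has been reached. </amLogEntry>
102(D)2016-05-27T13:24:12Z(L)webui.sc(T)7(C)com.volera.roma.app.handler.CertHandler(M)handleException(E)java.lang.Exception: The maximum number of keys has already been added to the keystore (~tmp_EXAMPLE-encryption).
at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:1389)
"""

if __name__ == "__main__":
    for event in keystore_limit_events(SAMPLE):
        print(event)
```

A key alias in the output that differs from the alias the keystore expects is the condition the final post describes.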