Background
A customer had a failure trying to update their SSL certificate for a web site running on Interstage Application Server V7 under Solaris 9. Their SSL certificate was about to expire and they generated a CSR using the SMEE tools and received an updated certificate from their CA.
Symptoms
When trying to add the new certificate using the nickname specified in the CSR, they got a 'nickname already exists' error. When they used a different nickname it showed a 'certificate already exists' error. When they tried to remove the existing certificate, they got a 'certificate not found' error.
Cause
It seems that the certificate environment was corrupted. This can happen when an application fails while it is accessing the certificate environment.
Fix
Fujitsu will be providing a patch for AppServer V7 in the future to stop this happening. AppServer V8 has this patch already applied.
Until the patch is available, the Fujitsu development team have created a tool (certmrecover_s) that can be used to recover the certificate environment. This tool can be obtained from Fujitsu support. There is some risk with using this tool so it will need to be requested from the support team when required. The support team can supply the instructions for using the tool.
Before using the tool the certificate environment should be backed up using the following commands (Solaris):
mkdir /backup/scs
cp -rp /export/home/sslcert /backup/scs
Once the certificate environment has been restored, the new certificate can be registered. Use a nickname for the certificate that is not already in use.
Once the certificate is registered, make sure to change the value of 'SSLCertName' in the web server httpd.conf file to reflect the nickname of the new certificate.
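The backup step and the final httpd.conf check can be scripted so that neither is skipped. The following is an added example, not Fujitsu tooling and not part of the original article: the function names backup_cert_env and check_nickname are hypothetical, and it assumes the directive is written in the Apache style as "SSLCertName nickname" on one line.

```shell
#!/bin/sh
# Added example (not Fujitsu code). Function names are hypothetical.

# Copy the certificate environment into a backup directory and verify the copy.
# $1 = certificate environment, e.g. /export/home/sslcert
# $2 = backup directory, e.g. /backup/scs
backup_cert_env() {
    src=$1; dest=$2
    base=`basename "$src"`
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only good copy left.
    if [ -d "$dest/$base" ]; then
        echo "backup already exists: $dest/$base" >&2
        return 2
    fi
    # Create the backup directory owner-only; treat the copy as being
    # as sensitive as the certificate environment itself.
    (umask 077; mkdir -p "$dest") || return 1
    cp -rp "$src" "$dest" || return 1
    # Compare every file in the copy against the source before relying on it.
    diff -r "$src" "$dest/$base" >/dev/null || {
        echo "backup differs from source" >&2
        return 3
    }
}

# Succeed only if every active SSLCertName line in httpd.conf names the
# expected nickname. Commented-out lines are ignored.
# Assumption: Apache-style "SSLCertName <nickname>", nickname without spaces.
# On Solaris 9 substitute nawk for awk (legacy awk lacks -v and tolower).
# $1 = path to httpd.conf, $2 = nickname of the newly registered certificate
check_nickname() {
    awk -v want="$2" '
        tolower($1) == "sslcertname" {
            gsub(/"/, "", $2)          # tolerate a quoted value
            n++
            if ($2 != want) bad++
        }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }' "$1"
}
```

Run backup_cert_env before using the recovery tool, and check_nickname after editing httpd.conf; a non-zero status from either means stop and investigate before restarting the web server.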
SSL Certificate Error in AppServer


