Could not sign CSR Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 403 Forbidden



Article ID: CTX218425


Description

After configuring Client Certificate Authentication for XMS, the client certificate request fails on both the XMS and the issuing server with an HTTP 403 Forbidden response:

com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:147)
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:92)
    at com.citrix.cdg.CommonDeviceGatewayBiz.getAgUserAuthCredential(CommonDeviceGatewayBiz.java:195)
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:107)
    at com.zenprise.zdm.pki.util.CredentialCaFactory$CredentialCa.sign(CredentialCaFactory.java:204)
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:137)
Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 403 Forbidden
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity0(MsCertSrvConnector.java:252)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity(MsCertSrvConnector.java:207)
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:90)

Resolution

If you see this error in the Debug Log File, verify the following:

The Service Account (SA) certificate that XMS uses to request a new client certificate is still valid and has not been revoked.
To test this, install that same Service Account certificate in the local certificate store on a Windows desktop and browse to the /certsrv/ page of the issuing server from Internet Explorer.
Because the /certsrv/ site is set to "Accept" or "Require" a certificate for authentication, the SA certificate will be presented in the above test when the browser receives the 401 challenge for the /certsrv/ site. If you receive the same 403 response, then either the certificate that signed the SA user certificate has a problem, the user certificate itself has expired, or there is a separate issue with the CA and how it handles the authentication request.

NOTE: If Internet Explorer prompts you for credentials instead of the certificate, verify these two things:
a) The certificate is installed correctly in the MMC snap-in under the "Current User" personal certificate store.
b) "Integrated Windows Authentication" is disabled in the Internet Explorer options.
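The same test can be scripted from the Windows desktop so that the certificate checks and the /certsrv/ request are repeatable. The following PowerShell is an added example, not part of the article or of XMS; it assumes placeholder values for the issuing CA host name and the SA certificate thumbprint, that the SA certificate (with its private key) sits in the Current User personal store as the note above requires, and that the Test-Certificate cmdlet from the Windows PKI module is available.

```powershell
# Added example (not from the CTX article): reproduce the /certsrv/ client-certificate
# test with PowerShell instead of Internet Explorer.
# Placeholders to replace: issuing CA host name and SA certificate thumbprint.
$IssuingCa  = 'ca.example.internal'                        # placeholder host name
$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder SA cert thumbprint

# 1. The SA certificate must be in the Current User personal store (note a above)
#    and must carry its private key, otherwise it cannot be presented to /certsrv/.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "SA certificate $Thumbprint not found in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'SA certificate has no private key and cannot be used for client authentication' }

# 2. Validity window, then chain and revocation status (Test-Certificate returns $false
#    when the certificate is revoked, expired, or chains to an untrusted root).
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "SA certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}
# 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU the CA expects on the SA cert.
if (-not (Test-Certificate -Cert $cert -EKU '1.3.6.1.5.5.7.3.2' -ErrorAction SilentlyContinue)) {
    Write-Warning 'Chain, EKU or revocation check failed; the issuing CA is likely to reject this certificate'
}

# 3. Request /certsrv/ while presenting the certificate. Invoke-WebRequest throws on a
#    4xx status, so the code is read back from the exception's response object.
$uri = "https://$IssuingCa/certsrv/"
try {
    $resp   = Invoke-WebRequest -Uri $uri -Certificate $cert -UseBasicParsing
    $status = [int]$resp.StatusCode
} catch {
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    else { throw "No HTTP response from $uri : $($_.Exception.Message)" }
}

switch ($status) {
    200     { "OK: $uri accepted the SA certificate; XMS should be able to sign CSRs with it." }
    401     { 'Unauthorized: the site challenged but the certificate was not offered or not mapped; check the store location and the IIS client-certificate mapping.' }
    403     { 'Forbidden: same result XMS sees; check the CA that signed the SA certificate, its expiry and revocation status, and how the CA authenticates the request.' }
    default { "Unexpected status $status from $uri" }
}
```

A 401 here corresponds to the "prompted for credentials" case in the note above (the certificate was never presented), whereas a 403 reproduces the XMS failure and points at the certificate or the CA rather than at XMS.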

Problem Cause

The issuing server responds to the client certificate request with a 403 Forbidden (a blanket "no") and allows no further negotiation, so XMS cannot obtain a signed certificate from the certsrv authority.
