Certificate present but not found

By lgrassi on Mon, 02/08/2021 - 15:59

Hi, I am trying to establish a communication link with partner and get following error
mendelson-opensource-AS4-170824162201-3802877@: [Inbound data processing] A problem occured during processing of inbound AS4 data (Module Processing , FailedAuthentication: EBMS:0101 [The certificate with the issuer "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K" and the serial "xxxxxx (dec), xxxxxx (hex)" is requested but does not exist in the system ([Security verification], signature verification)])
The certificate is imported in the Sign/Crypt store qith all the chain.
Any idea what it might be?

Forum
AS4

Comments

Submitted by lgrassi on Mon, 02/08/2021 - 16:03

I tried to install the new version on several machines but everywhere there is no way to open the Sign/Crypt store of certificates
Does it happen to you too?

Submitted by lgrassi on Tue, 02/16/2021 - 15:53

The certificate is indicated in the key store as
Issuer: C=US,O=Entrust\, Inc.,OU=See www.entrust.net/legal-terms,OU=(c) 2012 Entrust\, Inc. - for authorized use only,CN=Entrust Certification Authority - L1K

and the verify procedure is looking for
Issuer: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K

Profile picture for user service

Submitted by service on Thu, 02/18/2021 - 09:50

lgrassi,

these are two different issuers. Please ask your partner for the right certificate. As far as I remember in AS4 the partner could transfer the issuer to look for in the signature.

Regards

Submitted by lgrassi on Thu, 02/18/2021 - 11:36

I have already imported the certificate many times.
As you can see from the attached image, the serial number of the certificate it is looking for to verify the signature is the same as the certificate present in the keystore.
The certificate is also correct because the encryption uses the same certificate and works fine.

File attachments
certificate.jpg
Profile picture for user service

Submitted by service on Thu, 02/18/2021 - 11:53

lgrassi,

thats not the point. In AS4 there are 3 different ways for the message signer to signal to the receiver the certificate that should be used for the signature verification. This is the certificate issuer, the certificate subject or something called Subject Key Identifier (have forgotten what exactly this is, have to look it up if you are interested). Your partner has chosen to transmit the issuer. As this is not the one that is found in your underlaying keystore the system will not find the right certificate for the verification. Means either you dont have the right certificate or your partner has transmitted the wrong issuer in the signature that should be verified. The fingerprint or serial (what you looked for) is not relevant for the certificate selection on the receiver side if the signer sends the issuer - then its only the issuer. And this does not match.

Regards

Submitted by lgrassi on Tue, 03/09/2021 - 16:02

We have fixed the certificate issuer formatting, but the error is still present. Now we have the same issuer caption in the keystore and in the XML (see attach), is there any test we can do to find the source of the issue?
Thank you, kind regards

File attachments
cert.jpg