Getting error: -1233 when importing a VeriSign certificate via ConsoleOne.

  • 3815533
  • 23-Jul-2007
  • 06-Jun-2012

Environment

Novell NetWare 6.5 Support Pack 2
Novell ConsoleOne 1.3.6c
Novell iManager 2
Novell Certificate Server 2.43

Situation

Getting error: -1233 when importing a VeriSign certificate via ConsoleOne.

Resolution

Select the correct KMO object, then complete the import.
If the original KMO object was deleted, a new one will have to be created and the CSR process will need to be re-run.

Additional Information

Error -1233 indicates that the signed certificate returned by VeriSign was issued for a different KMO object than the one originally used for the Certificate Signing Request (CSR).
The easiest way to verify that the KMO matches the signed certificate is to compare their public keys, using the following steps:

1. Using iMonitor (https://x.x.x.x:8009 then select iMonitor), examine the NDSPKI:Public Key attribute on the KMO object. Write down the last two lines of the hexadecimal value, as shown:
00110 55 BC 01 7F 85 55 9F DC BD 32 00 F5 C5 85 9E 1B - This is the second to last line.
00120 55 02 03 01 00 01 U..... - This is the last line.

2. Now open the email sent from VeriSign. Copy and paste the certificate into Notepad and save it as a signed.cer file. Copy from the first dash in the Begin Certificate line to the last dash in the End Certificate line:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

3. Save this file as signed.cer

4. Double-click this file in Windows Explorer. This brings up the Certificate dialog window. Then select Details - Public Key.

5. Write down the last two lines of the value displayed:
D692 997E 9C0B E1EF 55BC 017F 8555 9FDC
BD32 00F5 C585 9E1B 5502 0301 0001

6. Compare the two to see if they match:
00110 55 BC 01 7F 85 55 9F DC BD 32 00 F5 C5 85 9E 1B
00120 55 02 03 01 00 01 U.....

D692 997E 9C0B E1EF 55BC 017F 8555 9FDC
BD32 00F5 C585 9E1B 5502 0301 0001

If they do not match, either the wrong signed certificate is being used, the wrong KMO object is being used, or the original object has been deleted.
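
The comparison in steps 1 to 6 can be scripted rather than done by eye. The following Python sketch is an added example, not part of the original Novell document; the function names are hypothetical, and it assumes the iMonitor dump has the layout shown in step 1 (offset, up to 16 hex bytes, ASCII column).

```python
import re

# Sample values copied from steps 1 and 5 above.
KMO_DUMP = """\
00110 55 BC 01 7F 85 55 9F DC BD 32 00 F5 C5 85 9E 1B
00120 55 02 03 01 00 01 U.....
"""
CERT_VIEW = """\
D692 997E 9C0B E1EF 55BC 017F 8555 9FDC
BD32 00F5 C585 9E1B 5502 0301 0001
"""

BYTE = re.compile(r"[0-9A-Fa-f]{2}")

def imonitor_bytes(dump):
    """Bytes from iMonitor dump lines: offset, up to 16 hex bytes, ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()[1:17]      # drop the offset, keep at most 16 candidates
        for tok in tokens:
            if not BYTE.fullmatch(tok):  # ASCII column or a trailing note starts here
                break
            out.append(int(tok, 16))
    return bytes(out)

def cert_view_bytes(text):
    """Bytes from the Windows certificate dialog value, whatever the digit grouping."""
    return bytes.fromhex("".join(text.split()))

def same_key_tail(kmo_dump, cert_text, min_overlap=16):
    """True if both values end in the same bytes; raises if too little was supplied."""
    kmo, cert = imonitor_bytes(kmo_dump), cert_view_bytes(cert_text)
    n = min(len(kmo), len(cert))
    # The final 02 03 01 00 01 is the DER INTEGER 65537 (the usual RSA exponent),
    # so a match on those bytes alone says nothing; insist on modulus bytes too.
    if n < min_overlap:
        raise ValueError(f"only {n} bytes to compare, need {min_overlap}")
    return kmo[-n:] == cert[-n:]

if __name__ == "__main__":
    print("KMO matches certificate:", same_key_tail(KMO_DUMP, CERT_VIEW))
```

Copying only the very last line from iMonitor is not enough for a meaningful comparison, which is why the check refuses fewer than 16 overlapping bytes.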



Formerly known as TID# 10095625
NOVL99973