Error 49934 attempting to create Certificate

  • 7002686
  • 18-Feb-2009
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for All Platforms
Novell NetWare 6.5 Support Pack 8
Novell Certificate Server (PKIS)

Situation

Error 49934 when attempting to create a certificate.

Attempting to upgrade or migrate a NetWare 5.1 server to NetWare 6.5 SP8.

During the migration there were some errors; however, the migration completed successfully.

Note: After the migration, an attempt to install iManager 2.7 failed.  Further investigation showed that although the Tree CA was recreated and its keys would validate, no new certificates could be created.  Error 49934 would be returned from ConsoleOne and could also be seen in DSTrace with the +PKI flag.

Resolution

Deleting the SYS:\SYSTEM\certserv directory on the migrated server will resolve the problem.  This MUST be done on the server that is the host for the Tree CA object.  To determine the host for the Tree CA, look at the details of the Tree CA object: either browse to it in the Security container or, from the Novell Certificate Server role, select the Configure Certificate Authority task. The General tab shows the host server for the CA.

Once you delete or rename the certserv directory, unload and reload PKI.nlm on the server hosting the Tree CA.
Now, on the next attempt to create new certificates, Certificate Server (PKI) will recreate the certserv directory and database files that are needed. 


NOTE:  This is only safe if you are not using CRLs for the certificates in your tree.  If you are using CRLs, deleting this data will cause previously revoked certificates to become valid again.


Note: It may be sufficient to delete or rename the cert.01 file in the SYS:\SYSTEM\certserv directory.  Deleting the entire directory is fine as all the files needed by Certificate Server will be recreated properly if they are missing.  DSTrace may also show some -603 or -1418 errors.

On Linux, delete all of the cert* files and directories under the /var/opt/novell/eDirectory/data/dib directory. Make sure you delete only the files and directories whose names start with cert. Back up these files and directories first.

Status

Reported to Engineering

Additional Information

Attempting to create a new certificate fails with error 49934.

The 49934 error converts to 0xC30E, which is FERR_NICI_UNWRAPKEY_FAILED. 

In this case, the error indicates that the certificate database cannot be opened and read properly.  A problem occurred during the migration process, though it is not currently known why: files in the sys:system/certserv/ directory are left over from the pre-migration installation and are now invalid for the new tree.

This has been seen during migration from older versions of NetWare to the latest NetWare 6.5 SP8.


Attempting to create a new certificate gives the following snippet from a DSTrace file with the PKI flag enabled:

PKI : [2009/02/17 14:49:52.856] Entering openCertificateDatabase 
PKI : [2009/02/17 14:49:53.47] openCertificateDatabase: FlmDbOpen 49934
PKI : [2009/02/17 14:49:53.47] openCertificateDatabase: exiting with 49934 
PKI : [2009/02/17 14:49:53.47] createKPandCert() completed.  ccode = 49934
PKI : [2009/02/17 14:49:53.47] Entering PKI_DeleteKMO()...
PKI : [2009/02/17 14:49:53.83] PKI_DeleteKMO: KMO deleted.
PKI : [2009/02/17 14:49:53.83] createServerCertificate: KMO deleted....
PKI : [2009/02/17 14:49:53.83] createServerCertificate() completed. rc = 49934
PKI : [2009/02/17 14:49:53.83] PKI_CreateKeyPair() completed.  rc = 49934
PKI : [2009/02/17 14:49:53.83] Exiting _PKICreateKeyPair: err = 49934
PKI : [2009/02/17 14:49:53.83] PKIVerbHandOff returned 49934
PKI : [2009/02/17 14:49:53.83] DS Context context is 3f51000f
PKI : [2009/02/17 14:49:53.83] Freeing DS Context 
PKI : [2009/02/17 14:49:53.83] Exiting PKIVerbHandOff rc = 49934 
PKI : [2009/02/17 14:49:53.83] Exiting PKIWireRequest err = 49934
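
An added example (not part of the original TID and not Novell code): a small Python triage of a DSTrace +PKI excerpt that finds the first call returning a non-zero code and reports whether it is the FlmDbOpen failure in openCertificateDatabase shown above. The name triage and the regular expressions are assumptions based only on the line shapes visible in this excerpt; the only code-to-name mapping used is the one this document gives.

```python
import re

# The only mapping this document gives: 49934 == 0xC30E == FERR_NICI_UNWRAPKEY_FAILED
KNOWN_CODES = {0xC30E: "FERR_NICI_UNWRAPKEY_FAILED"}

# Line shape assumed from the excerpt: "PKI : [timestamp] message"
LINE_RE = re.compile(r"^PKI\s*:\s*\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
# Return codes appear at the end of a message, after one of these markers
CODE_RE = re.compile(
    r"(?:FlmDbOpen|exiting with|returned|(?:rc|ccode|err)\s*=)\s*(-?\d+)$")

# First four lines of the trace quoted in this document
PAGE_EXCERPT = """\
PKI : [2009/02/17 14:49:52.856] Entering openCertificateDatabase
PKI : [2009/02/17 14:49:53.47] openCertificateDatabase: FlmDbOpen 49934
PKI : [2009/02/17 14:49:53.47] openCertificateDatabase: exiting with 49934
PKI : [2009/02/17 14:49:53.47] createKPandCert() completed.  ccode = 49934
"""


def triage(trace_text):
    """Return details of the first non-zero return code, or None if all are 0."""
    for raw in trace_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a PKI trace line
        msg = line.group("msg").strip()
        found = CODE_RE.search(msg)
        if not found or int(found.group(1)) == 0:
            continue  # informational line or a successful call
        code = int(found.group(1))
        return {
            "timestamp": line.group("ts"),
            "message": msg,
            "code": code,
            # DSTrace also shows negative codes (e.g. -603); no hex form for those
            "hex": f"0x{code:04X}" if code > 0 else None,
            "name": KNOWN_CODES.get(code),
            # True when the failure originates in opening the certificate
            # database, the condition this document resolves
            "cert_db_open_failed": (msg.startswith("openCertificateDatabase")
                                    and "FlmDbOpen" in msg),
        }
    return None


if __name__ == "__main__":
    print(triage(PAGE_EXCERPT))
```

If cert_db_open_failed is False, the first 49934 came from a different call and the certserv cleanup described in the Resolution may not apply.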