Troubleshooting

(-8973) Could not connect to the Entrust Certificate Authority service. Certificate Authority service may not be running

The Entrust service is not running in the Entrust Authority Master Control shell (entsh$).

Resolution:

  1. Open the Master Control shell (entsh$).

  2. Log in with Master1.

  3. Run Service Start.

Error encountered querying CA hardware

When you are configuring Certificate Authority, you see the following message:

Are you using a hardware device for the CA keys (y/n) ? [n] y

Enter the pathname for the CryptokiLibrary.
[/opt/nfast/toolkits/pkcs11/libcknfast.so] >

Error encountered querying CA hardware.

Resolution:

  1. Make sure you have an operator card set in the HSM.

  2. Once that is in place, the script should be able to see the HSM.

(-77) Problem reported with crypto hardware

When you are initializing Certificate Authority, you see the following message:

Initialization starting; creating ca keys...
(-77) Problem reported with crypto hardware.
GenerateKeyPairX509
Press return to exit

Resolution:

  1. Make sure that the following variable in the cknfastrc file is set to 1.

    CKNFAST_LOADSHARING=1
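
The two hardware checks above (the PKCS#11 library path given at the configuration prompt and the CKNFAST_LOADSHARING setting) can be verified before rerunning configuration or initialization. The script below is an added example, not Entrust or nShield code. It assumes that cknfastrc holds NAME=value lines with '#' comments and that the file lives at /opt/nfast/cknfastrc; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Entrust or nShield code.
# Assumption: cknfastrc holds NAME=value lines and '#' starts a comment.

# Print each active (uncommented) value assigned to CKNFAST_LOADSHARING in $1.
loadsharing_values() {
    awk '
        { sub(/#.*/, ""); sub(/\r$/, "") }   # strip comments and a stray CR
        /^[ \t]*CKNFAST_LOADSHARING[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$1"
}

# Return 0 only when the file sets CKNFAST_LOADSHARING to 1 and nothing else.
check_cknfastrc() {
    file=$1
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    vals=$(loadsharing_values "$file" | sort -u)
    case $vals in
        1)  echo "OK: CKNFAST_LOADSHARING=1 in $file"; return 0 ;;
        "") echo "FAIL: CKNFAST_LOADSHARING unset or commented out in $file"; return 1 ;;
        *)  echo "FAIL: CKNFAST_LOADSHARING set to: $(echo $vals)"; return 1 ;;
    esac
}

# Return 0 when the PKCS#11 library given to the configuration prompt is readable.
check_pkcs11_lib() {
    if [ -r "$1" ]; then echo "OK: PKCS#11 library readable: $1"; return 0; fi
    echo "FAIL: PKCS#11 library missing or unreadable: $1"; return 1
}

# Run both checks; report every failure rather than stopping at the first.
preflight() {
    lib=${1:-/opt/nfast/toolkits/pkcs11/libcknfast.so}   # default shown at the prompt
    conf=${2:-/opt/nfast/cknfastrc}                      # assumed location
    status=0
    check_pkcs11_lib "$lib" || status=1
    check_cknfastrc "$conf" || status=1
    return $status
}
```

Source the file and run preflight, optionally passing the library path and the cknfastrc path as arguments. A commented-out or conflicting CKNFAST_LOADSHARING line is reported as a failure.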

(-2229) An error occurred. Check the service status and manager logs for details

This is a timeout issue.

Resolution:

  1. Log in to entsh$.

  2. Run service status.

  3. If the service is shown as down, start it by running service start.

If you are using an nShield Edge, see configure-certificate-authority.adoc#nshield-edge-preconfig.

HSM logs show missing-algorithm errors during startup for algorithms that Certificate Authority is not configured to use

Certificate Authority performs a FIPS self-test that exercises many algorithms and functions beyond those explicitly configured for use once operational. These tests are required for FIPS 140 conformance.

Resolution:

  1. If algorithms are not available during self-test, Certificate Authority treats this as informational only.

  2. HSM log errors from the FIPS self-tests do NOT stop Certificate Authority startup.

No Hardware Device Found

During the configuration of Entrust Certificate Authority, the message "No Hardware Device Found" pops up every time, even if the right library is selected.

Resolution:

  1. Make sure the entconfig.ini and entrust.ini both have the correct PKCS#11 library setting.

  2. Ensure that any HSM service is running.

(-2684) General hardware error

HSM Service is not available.

Resolution: Ensure that any HSM service is running and responding.

nShield Edge Cluster Status

Ensure that the entMgr.ini file is as defined in configure-certificate-authority.adoc#nshield-edge-preconfig.

The nShield Edge exhibits slower service startup times with respect to operations, which is to be expected. When checking the cluster status after initial set-up, you may encounter services with a "down" status or an "unknown" cluster status. To ensure proper initialization of the cluster and services, Entrust recommends allowing a few minutes for the system to complete the process. After sufficient time has passed, the services and cluster should display the correct status.

In some cases you will need to start the cluster manually. For example:

entsh$ cluster status
ca_wide_entry   disabled
localhost       enabled	    quiescent **LOCAL**

entsh$ cluster start
Starting cluster...

entsh$ cluster status
ca_wide_entry   enabled
localhost       enabled	    quiescent **LOCAL**

For more information regarding the cluster status, refer to s 10.0 Cluster Management Guide Issue 4.0, which is available on the Entrust TrustedCare Portal.

pg_port error

pg port error

Resolution: Install and configure PostgreSQL before you configure Certificate Authority.