Troubleshooting

(-8973) Could not connect to the Entrust Certificate Authority service. Certificate Authority service may not be running

The Entrust Certificate Authority service is not running.

Resolution:

  1. Launch the Entrust Certificate Authority shell.

  2. Log in with Master1.

  3. Run Service Start.

Error encountered querying CA hardware

The following error appears while configuring the Entrust Certificate Authority.

Are you using a hardware device for the CA keys (y/n) ? [n] y

Enter the pathname for the Cryptoki Library.
[/opt/nfast/toolkits/pkcs11/libcknfast.so] >

Error encountered querying CA hardware.

Resolution:

(-77) Problem reported with crypto hardware

The following error appears while initializing the Entrust Certificate Authority.

Initialization starting; creating ca keys...
(-77) Problem reported with crypto hardware.
GenerateKeyPairX509
Press return to exit

Resolution:

  • Verify the following variable is set to 1 in the %NFAST_HOME%\cknfastrc file, by default C:\Program Files\nCipher\nfast\cknfastrc.

    CKNFAST_LOADSHARING=1

(-2229) An error occurred. Check the service status and manager logs for details

This is a timeout issue.

Resolution:

  1. Launch the Entrust Certificate Authority shell.

  2. Run service status.

  3. If the service is down, start it by running service start.

If you are using an Entrust nShield Edge, see configure-certificate-authority.adoc#nshield-edge-preconfig.

HSM logs show errors for algorithms not configured

The FIPS self-test performed by the Entrust Certificate Authority covers algorithms and functions beyond those explicitly configured, as required for FIPS 140 conformance. The HSM logs therefore show errors for algorithms that were never configured.

Resolution:

  • The Entrust Certificate Authority treats these errors as informational only.

  • FIPS self-test HSM log errors do NOT stop the Entrust Certificate Authority startup.

No hardware device found

During the configuration of the Entrust Certificate Authority, the error message No Hardware Device Found appears.

Resolution:

  1. Ensure the nFast services are running.

  2. Ensure the preload session is established per configure-certificate-authority.adoc#establish-preload-session.

  3. In the C:\Program Files\Entrust\Certificate Authority\etc\ini\entconfig.ini file, ensure the variable CryptokiV2LibraryNT contains the full path to the PKCS #11 library of the Entrust nShield HSM, by default C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll.

(-2684) General hardware error

The Entrust nShield HSM is not available.

Resolution:

  1. Ensure the nFast services are running.

  2. Ensure the preload session is established per configure-certificate-authority.adoc#establish-preload-session.

  3. In the C:\Program Files\Entrust\Certificate Authority\etc\ini\entconfig.ini file, ensure the variable CryptokiV2LibraryNT contains the full path to the PKCS #11 library of the Entrust nShield HSM, by default C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll.
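As an added example (not Entrust's own tooling), the Python sketch below checks the two settings the resolutions above depend on: CKNFAST_LOADSHARING=1 in cknfastrc and a full, existing library path in CryptokiV2LibraryNT in entconfig.ini. It assumes both files use plain KEY=value lines with # or ; comment lines; the function names and the sample text are constructed for illustration.

```python
import ntpath
import os
import re

# Assumption: settings are plain "KEY=value" lines; '#' and ';' start comment lines.
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def read_settings(text):
    """Return {key: value} for every uncommented KEY=value line (last one wins)."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # a commented-out setting does not count as set
        match = _KV.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def check_hsm_config(cknfastrc_text, entconfig_text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means both settings look right."""
    findings = []
    if read_settings(cknfastrc_text).get("CKNFAST_LOADSHARING") != "1":
        findings.append("cknfastrc: CKNFAST_LOADSHARING is not set to 1")
    lib = read_settings(entconfig_text).get("CryptokiV2LibraryNT")
    if not lib:
        findings.append("entconfig.ini: CryptokiV2LibraryNT is missing or empty")
    elif not ntpath.isabs(lib):  # Windows path rules, as on the page
        findings.append("entconfig.ini: CryptokiV2LibraryNT is not a full path: " + lib)
    elif not file_exists(lib):
        findings.append("entconfig.ini: PKCS #11 library not found: " + lib)
    return findings

# Constructed sample input: load sharing is commented out, library path is relative.
SAMPLE_CKNFASTRC = "# CKNFAST_LOADSHARING=1\n"
SAMPLE_ENTCONFIG = "CryptokiV2LibraryNT=cknfast.dll\n"

if __name__ == "__main__":
    for finding in check_hsm_config(SAMPLE_CKNFASTRC, SAMPLE_ENTCONFIG):
        print(finding)
```

To check a real installation, pass the contents of the two files named in the resolutions above instead of the sample strings.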

Entrust nShield Edge cluster status "down" or "unknown"

After initial set-up the Entrust nShield Edge cluster status is "down" or "unknown".

Resolution:

  1. Ensure section configure-certificate-authority.adoc#nshield-edge-preconfig is implemented correctly.

  2. In some cases you will need to start the cluster manually.

    For example:

    entsh$ cluster status
    ca_wide_entry   disabled
    localhost       enabled	    quiescent **LOCAL**
    
    entsh$ cluster start
    Starting cluster...
    
    entsh$ cluster status
    ca_wide_entry   enabled
    localhost       enabled	    quiescent **LOCAL**

    For more information regarding the cluster status, refer to the Cluster Management Guide in the Entrust Certificate Authority 10.2 Documentation Suite located in the Documents tab at Product Support Center for Authority.

pg_port error

The following error message pops up.

pg port error

Resolution:

  • Install and configure the PostgreSQL database before configuring the Entrust Certificate Authority.