AdminCentral error recertifying: Profile not authorized for requesting user

Hi

The CA was just set up; the cert.id is encrypted with the server's ID. Both CAA and RA roles were assigned to the user, and Registration and Delete profiles were created in the Admin Central as well.

Reset password in the Admin Central works fine.
When trying to recertify an ID I get this error in the server console:

CA Process Error processing certificate request: Profile not authorized for requesting user

Most of the extensions in the DefaultEEProfile document in the ICAL database are Prohibited, except for Subject Key ID and Key Usage. All the options in Supported Key Usage are checked except for keyCertSign and cRLSign.

What am I missing?

Hi Massimo,

I may have missed this detail, but can you confirm if your Admin server is also listed as RA (Registration Authority) in the CA? Thanks!

Thank you.

Including the server with the RA role solved the problem and now re-certification from the Admin Central works 👍🏻

Hi Massimo, sure, just sharing with you as well our documentation about the Admin server being also part of RA:

https://help.hcl-software.com/domino/14.0.0/admin/admincentral_app.html

Hope this helps. Keep us posted. Thanks!

I see.

I clicked on Migrating a certifier to the CA process and missed that note.

Have a great day.

Hi @Massimo Nadalin, this error can occur when the Notes user is not a designated CAA or RA for the certificate of the OU of the user being renamed.

To change (or verify) the CAA or RA entries of a particular certificate, use Domino Administrator and select the Configuration tab; on the Tools menu, expand the Certification menu, and select 'Modify Certifier'; in the Modify Certifier dialog click the 'Issued Certificate List ("ICL") database' button, then use the select button to navigate to (and open) the appropriate certifier (ICL database) within the ICL directory structure, then select OK to open the specific Certifier's dialog box. From this Certifier's dialog box, select the 'Add' button to add the necessary Notes users (the Notes Driver User in this case) as administrators, appropriately checking the CAA and/or RA boxes. Click OK to save these changes in the ICL database. From the Domino server console that hosts the CA, type 'tell ca refresh' for the changes to become effective.