Error: 'Your certificate has not yet been signed by the Certificate Authority...' when newly registered users access the server
The following error occurs when newly registered users attempt to access servers in their domain. The users were registered using the Domino® server-based certification authority (the Certificate Authority [CA] Process).
"Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later."
Additionally, when trying to complete the Notes® client setup on a workstation after installation, you may see the following error if the AdminP (Administration Process) has not completed when the user tries to connect to the server to download their ID file.
"The encrypted data has been modified or the wrong key was used to decrypt it"
The user can connect to the server and enter the password, but when the workstation tries to authenticate, the user receives this error.
In both cases, the registration process using the server-based CA process has not completed. When the CA Process is used to register users, their person document will initially contain an incomplete certificate. The above errors will continue to occur until the entire process has completed.
The certificate in the person document will be signed and updated only after the CA task on the Certificate Authority server has run and the AdminP task has run on the Administration server.
When a user is registered using the CA Process a Certificate Request document is created in the Administration Requests database (admin4.nsf) with a status of "Approved by Registration Authority". This document can be seen in the "Certification Authority Requests\Certificate Requests" view of the admin4.nsf. If the CA task is running and the certifier is active, it should see the Certification Request and process it. If the certifier is not active it may need to be activated or unlocked. Please see the Lotus Domino Administration Help for more information on activating and unlocking certifiers.
Once the request has been processed by the CA task, it will now have a status of "Issued by Certification Authority" and an Admin Request will be created with the Action: "Recertify Person in Domino Directory". The AdminP task on the Administration server will process this request and update the person document with the signed certificate. Note that the new requests will have to be replicated to the Administration server. The user will now be able to access the servers once the updates to the person document have been replicated.
An enhancement request to allow a retry cycle for failed AdminP requests was submitted to Quality Engineering as SPR #PPET6E2LVE and has been implemented in release 7.0.2. Starting in release 7.0.2, a retry is generated when AdminP is told to "process all". None of the requests should need to be manually reprocessed.
- SPR# PPET6E2LVE - Error "Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later." was encountered by users who are registered by an RA on a server other than the admin server and replication of the names.nsf does not precede admin4.
Users will not be able to authenticate until the administration process has processed this request. After registering users, the Administrator should issue the command "tell adminp process new" to push the request through if access is required more quickly.
The Administration server for the Domino Directory should be the same server that the users are being registered on. If this is not the case, the Administration Process Request will have to replicate to that server from the Registration Server, and the interval will have to pass (this will happen within an hour), before the person document is updated.
The updated person document will then still have to replicate to the user's home mail server before the user can authenticate.
Software version: 6.0, 6.5, 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1158559
Modified date: 22 July 2015