The Cisco router may sometimes print an "abort" message when trying to download the CA certificate chain from a subordinate. This is only a warning message, and can be ignored.
ESC: Security officer mode does not work on Mac OS X.
In the RA agent page, the RA attempts to retrieve revocation information for a certificate that the agent does not have the rights to see. This is not an issue at present and can be ignored.
It was determined that this bug was caused by a configuration issue on the machine that the 64-bit RA was being installed on. The "sqlite-devel-3.3.5-1" and "libsqlite-3.2.1-1" packages must be removed prior to installation of this component.
This situation can arise if there are multiple token entries for the same user. You can resolve this situation by using the TPS agent page to delete one of the duplicate tokens.
The administrator can safely ignore these error messages.
This is useful for agents if they are temporarily putting certificates on hold. This facility is currently only provided in the CA. It will be added to the RA in the next release.
There is currently no facility for canceling certificate revocation. This will be added in the next release.
This problem only occurs on the approval page. If the user views the request again, the correct serial number will be shown. This will be fixed in the next release.
The TKS subsystem start/stop script currently does not check that the package is installed before attempting to execute.
On the Agent Interface of the RA, the List Requests page indicates the total number of certificate requests. On the List Certificates page, the corresponding information is missing. This will be fixed in the next release.
AEP is supported in Certificate System 7.3, although it is currently not documented as such.
The CA component in Certificate System 7.3 does not process SCEP requests that have been previously submitted. This can result in an error message similar to the following:
1706.http-9080-Processor24 - [20/Apr/2007:05:47:23 PDT] [20] [3] CEP Enrollment: Enrollment failed: user used duplicate transaction ID.
To circumvent this situation, ensure that the Cisco router generates fresh sets of keys for SCEP enrollments.
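A log check for the duplicate transaction ID failure above, as an added example that is not part of the original release notes or of Certificate System: it parses lines in the layout of the sample message and counts CEP enrollment failures by reason. Only the first line of SAMPLE comes from this page, the rest are constructed, and the two bracketed numbers are kept as opaque fields because the page does not say what they mean.

```python
import re
from collections import Counter
from datetime import datetime

# Layout taken from the sample line on this page:
#   <id>.<thread> - [<dd/Mon/yyyy:HH:MM:SS> <TZ>] [<n>] [<n>] <message>
LINE_RE = re.compile(
    r"^(?P<id>\d+)\.(?P<thread>\S+) - "
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>\w+)\] "
    r"\[(?P<n1>\d+)\] \[(?P<n2>\d+)\] (?P<msg>.*)$"
)
CEP_FAIL = "CEP Enrollment: Enrollment failed:"
DUPLICATE = "user used duplicate transaction ID"

def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The zone abbreviation stays as text; strptime cannot parse "PDT" portably.
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    return rec

def cep_failures(lines):
    """Collect CEP enrollment failures and count them by stated reason."""
    events, reasons, skipped = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # truncated or foreign line: count it, do not guess
            continue
        if rec["msg"].startswith(CEP_FAIL):
            rec["reason"] = rec["msg"][len(CEP_FAIL):].strip().rstrip(".")
            reasons[rec["reason"]] += 1
            events.append(rec)
    return events, reasons, skipped

# Constructed sample input; only the first line is quoted from this page.
SAMPLE = [
    "1706.http-9080-Processor24 - [20/Apr/2007:05:47:23 PDT] [20] [3] CEP Enrollment: Enrollment failed: user used duplicate transaction ID.",
    "1706.http-9080-Processor24 - [20/Apr/2007:05:49:02 PDT] [20] [3] CEP Enrollment: Enrollment failed: user used duplicate transaction ID.",
    "1706.http-9080-Processor11 - [20/Apr/2007:05:50:10 PDT] [20] [1] unrelated message",
    "truncated line without the expected prefix",
]

if __name__ == "__main__":
    events, reasons, skipped = cep_failures(SAMPLE)
    for e in events:
        print(e["when"].isoformat(), e["tz"], e["thread"], e["reason"])
    print("by reason:", dict(reasons), "| unparsed lines:", skipped)
```

A repeated count for the duplicate transaction ID reason after the router has generated fresh keys indicates that the resubmitted requests are still reusing an earlier transaction.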
The Phone Home UI pops up for both enrolled and uninitialized tokens on RHEL4 and Mac OS X, even though the tokens contain phoneHome URLs. If the problem occurs, type in the phoneHome URL and proceed.
If the user clicks a link in the agent interface too fast and too many times, the server may return "Broken pipe: core_output_filter: writing data to the network" and terminate the SSL connection. Further access to the agent interface will require re-authentication.
The auto enrollment proxy configuration is not added to everyone's profile. This is typically found to be a problem when configuring the AEP proxy on Windows child domains where the local administrator does not have permission to modify the cn=configuration tree in AD. The simplest workaround is to use the "Run as..." option to authenticate as the "Primary domain controller's administrator" and then try to modify cn=configuration. This relates to the "Populate AD" option in AEP.
CEP currently logs any authentication failures during enrollment to the system log. These should log to the audit log.
The Subject Alt Name extension in certificates that are issued using the caDirUserCert profile will contain unsubstituted variables (for example, $request.requestor_email$) if the profile request does not contain values available for substitution. There is currently no known workaround.
Because the instance name is hard-coded, the TPS looks for the configuration file in /var/lib/rhpki-tps/conf/CS.cfg.
Workaround: if you create an instance name that differs from rhpki-tps, you need to modify /var/lib/<tps-instance-name>/cgi-bin/sow/cfg.pl to remove the above-mentioned hardcoding.