Tech Tip : CA Single Sign-On : Exception trying to extract entities from metadata

Document created by Osarobo_Idehen Employee on Jan 3, 2017

We are trying to import a Remote Entity and are getting this error in the SiteMinder WAMUI:

Error: Exception trying to extract entities from metadata.

We see the following errors in the AdminUI logs:

07:43:55,590 ERROR [FedPkiKeyStore] **ERROR** commiting keystore change for alias com.rsa.certj.cert.CertificateException: Invalid subject name:

Caused by: com.rsa.certj.cert.CertificateException: Invalid subject name:
at com.rsa.certj.cert.X509Certificate.setInnerDER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.setCertBER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
... 67 more
Caused by: com.rsa.certj.cert.NameException: IA5String expected.

Policy Server Version:
Policy Server OS and Bit Version: RHEL 6.8 64-Bit
Web Agent OS and Bit Version: RHEL 6.8 64-Bit
Web Agent option pack:

The issue is caused by an incorrectly encoded emailAddress attribute in the certificate's subject distinguished name: the Cert-J parser expects the value to be of ASN.1 type IA5String and rejects any other string type.

Cert details:

C:\OpenSSL-Win64\bin>openssl x509 -noout -subject -issuer -purpose -email -alias
-nameopt multiline,show_type -in
organizationName = UTF8STRING:ABC
organizationalUnitName = UTF8STRING:XYZ
commonName =
serialNumber = PRINTABLESTRING:12345678912
emailAddress =

RFC 5280 specifies:

Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name as an emailAddress
attribute [RFC2985]. The attribute value for emailAddress is of type
IA5String to permit inclusion of the character '@', which is not part
of the PrintableString character set. emailAddress attribute values
are not case-sensitive (e.g., "" is the same as

Further information (also from RFC 5280):

Simultaneous inclusion of the emailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.

Electronic Mail addresses may be included in certificates and CRLs in
the subjectAltName and issuerAltName extensions, name constraints
extension, authority information access extension, subject
information access extension, issuing distribution point extension,
or CRL distribution points extension. Each of these extensions uses
the GeneralName construct; GeneralName includes the rfc822Name
choice, which is defined as type IA5String.

Please ensure that the emailAddress attribute in the certificate subject is encoded as ASN.1 type IA5String before importing the metadata.
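As an added example (not CA's code and not part of the original tech tip), the following standard-library Python script shows how to make that check yourself: it walks the DER-encoded subject Name of a certificate, reports the ASN.1 string tag of every attribute, and flags an emailAddress that is not IA5String. The two sample subjects it builds (O=ABC, OU=XYZ and a constructed user@example.com address, once as UTF8String and once as IA5String) are constructed for illustration; `subject_from_cert` assumes the standard RFC 5280 Certificate/TBSCertificate layout.

```python
"""Flag an X.509 subject whose emailAddress attribute is not IA5String.

Added example, not CA's code: a tiny stdlib-only DER reader walks the subject
Name and reports the ASN.1 string tag of every attribute, so a certificate that
Cert-J rejects with "IA5String expected" can be spotted before the import.
"""

OID_EMAIL = "1.2.840.113549.1.9.1"      # pkcs-9 emailAddress (RFC 2985)
TAG_SEQ, TAG_SET, TAG_OID, TAG_IA5 = 0x30, 0x31, 0x06, 0x16
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
             0x16: "IA5String", 0x1C: "UniversalString", 0x1E: "BMPString"}


def _tlv(buf, pos=0):
    """Decode one DER element at buf[pos]: (tag, body, raw_bytes, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, start = first, pos + 2
    else:                                 # long-form: (first & 0x7F) length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    return tag, buf[start:end], buf[pos:end], end


def _children(body):
    """Split the body of a constructed element into (tag, body, raw) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = _tlv(body, pos)
        out.append((tag, val, raw))
    return out


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def name_attributes(name_der):
    """Return [(oid, string_tag, text)] for each attribute of a DER-encoded Name."""
    tag, body, _, _ = _tlv(name_der)
    if tag != TAG_SEQ:
        raise ValueError("Name must be a SEQUENCE of RelativeDistinguishedName")
    attrs = []
    for rdn_tag, rdn, _ in _children(body):
        if rdn_tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        for _, atv, _ in _children(rdn):          # AttributeTypeAndValue
            (_, oid, _), (vtag, val, _) = _children(atv)[:2]
            attrs.append((_decode_oid(oid), vtag, val.decode("utf-8", "replace")))
    return attrs


def email_type_problems(name_der):
    """Describe every emailAddress value not encoded as IA5String (what Cert-J rejects)."""
    return [f"emailAddress {text!r} encoded as {TAG_NAMES.get(tag, hex(tag))}, "
            f"expected IA5String"
            for oid, tag, text in name_attributes(name_der)
            if oid == OID_EMAIL and tag != TAG_IA5]


def subject_from_cert(cert_der):
    """Extract the raw DER subject Name from a DER-encoded certificate (RFC 5280 layout)."""
    _, cert, _, _ = _tlv(cert_der)
    _, tbs, _, _ = _tlv(cert)                      # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][2]


# --- minimal DER encoder, used only to build the constructed sample data -----
def _der(tag, body):
    n = len(body)
    length = (bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100
              else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def sample_name(email_tag):
    """Constructed subject O=ABC, OU=XYZ, emailAddress=user@example.com with the given tag."""
    def rdn(oid, tag, text):
        return _der(TAG_SET, _der(TAG_SEQ, _der(TAG_OID, _encode_oid(oid))
                                           + _der(tag, text.encode())))
    return _der(TAG_SEQ, rdn("2.5.4.10", 0x0C, "ABC")
                       + rdn("2.5.4.11", 0x0C, "XYZ")
                       + rdn(OID_EMAIL, email_tag, "user@example.com"))


if __name__ == "__main__":
    for tag in (0x0C, TAG_IA5):               # wrong type first, then the correct one
        print(TAG_NAMES[tag], email_type_problems(sample_name(tag)) or "OK")
```

To run it against a real certificate, convert the PEM to DER first (`openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file contents to `subject_from_cert`, then hand the result to `email_type_problems`; an empty list means the subject will not trip the "IA5String expected" check.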
KD: TEC1763376