1. Home
  2. Linux
  3. OpenCA Error Cannot load certificate from the database

OpenCA Error Cannot load certificate from the database

Once the OpenCA is installed and the CA Certificate is issued, clicking serial number of the CA Certificate throws below error.

Error Code: 6295020 [initServer:314] Cannot load certificate 404576247583593287078701 from the database.

In-spite of enabling debug option, I couldn’t find any relevant error messages in stderror.log.

  • The interface lists CA certificate, but fails to display the certificate information while performing viewCert or viewCertFull cmd operations.
  • I verified the CA_Certificate stored in the PostgreSQL database and it appears to be fine and VALID.
  • The query string in URI seems to be fine with the dataType properly mentioned as below:
cmd=viewCert&dataType=VALID_CA_CERTIFICATE&key=4045762475835932870787014.
  • Usually the commands executed from lib/cmds is configured in etc/openca/access_control/*.xml files and everything seems to be properly configured.

So why does this error occur? Fortunately found a solution and here it’s.

How to fix the error – OpenCA Error Cannot load certificate from the database

  • The listCerts file contains the sub-routine cmdListCerts which takes the $query and parses it.
  • $dataType is one of the things it extracts.
  • @certsList is filled by the database query, which seems to work for listing the CA_CERTIFICATE.
  • $type is filled out by $dataType parsed from the link calling the script. So, this should appear as query argument "dataType" in the link behind the serial and by clicking that link it should be sent to the viewCert. There again, $dataType is parsed from $query just as it was for listCerts, but somehow this doesn’t work correctly in my OpenCA setup.

I suspected the way viewCert distinguishes between CERTIFICATE and
CA_CERTIFICATE and the way various queries for valid, expired,
suspended, and revoked certificates are handled.

So here is a modification to the viewCert cmd in the file lib/openca/perl_modules/perl5/OpenCA/AC.pm

Navigate to the sub-routine getOwner where you will find the following:

sub getOwner {

Locate the line: # load the certificate

Replace the below lines

my @certs;
my $certype = "CERTIFICATE";
if( not (@certs = $self->{db}->searchItems (
KEY => $self->{acl}->{object},
DATATYPE => "CERTIFICATE"))) {
# if (length ($self->{acl}->{object}) < 60 ) { # @certs = $self->{db}->searchItems (KEY => $self->{acl}->{object}, DATATYPE => "CERTIFICATE");
#}
$certtype = "CA_CERTIFICATE";
@certs = $self->{db}->searchItems (
KEY => $self->{acl}->{object},
DATATYPE => "CERTIFICATE");
}

With:

my @certs;
my $certtype = "CERTIFICATE";
if( $self->{db}->searchItems (
KEY => $self->{acl}->{object},
DATATYPE => "CERTIFICATE")) {

$certtype = "CA_CERTIFICATE";
@certs = $self->{db}->searchItems (
KEY => $self->{acl}->{object},
DATATYPE => "CERTIFICATE");
} else {
$certtype = "CA_CERTIFICATE";
@certs = $self->{db}->searchItems (
KEY => $self->{acl}->{object},
DATATYPE => "CA_CERTIFICATE");
}

The issue was with the line: if( not (@certs = $self->{db}->searchItems (.

That’s it! Hope it helps someone out there.

Updated on March 21, 2018

Was this article helpful?

Related Articles

Leave a Comment