I have a 3 server NW6.5 SP4a network. The CA is on Server1. The cert
expired and I'm trying to regenerate with PKIDiag and it gives me a -603
error. I also discovered that it will not regenerate the certificates on
Server 3 as well. I deleted the SAS, DNS and IP objects and tried to get
PKIDiag to generate them, but the only object it put back in was the SAS
object. I also ran dsrepair on both of them and they are both error free.
Any advice?

From Server1
---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Mon Jan 15 xx:08:26 2007
User logged-in as: admin.xxx.
Fixing mode
Rekey mode
Re-key when necessary

--> Server Name = 'THE_Server1'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'THE_Server1.xxx' points to SAS Service object 'SAS Service -
THE_Server1.xxx'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - THE_Server1.xxx' is backlinked to
server 'THE_Server1.xxx'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THE_Server1.xxx'.
--->KMO SSL CertificateIP - THE_Server1.xxx is linked.
--->KMO SSL CertificateDNS - THE_Server1.xxx is linked.
--->KMO NAASKMO - THE_Server1.xxx is linked.
--->KMO IP AG xxx\.xxx\.xxx\.xx - THE_Server1.xxx is linked.
--->KMO DNS AG Server1\.xxx\.xxxxxxx\.xx - THE_Server1.xxx is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateIP - THE_Server1.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - THE_Server1.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateDNS - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old2 SSL CertificateIP - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old2 SSL CertificateDNS - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old1 SSL CertificateIP - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old1 SSL CertificateDNS - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'NetIdentity - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'NAASKMO - THE_Server1.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'IP AG xxx\.xxx\.xxx\.14 - THE_BAILIFF.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG xxx\.xxx\.xxx\.xx - THE_Server1.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'IP AG xxx\.xxx\.xxx\.12 - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG Server1\.xxx\.xxxxxxx\.xx - THE_Server1.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'DNS AG theServer2\.xxx\.xxxxxxx\.xx - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG thebailiff\.xxx\.xxxxxxx\.xx - THE_Server3.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.

Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THE_Server1.xxx'.
KMO 'SSL CertificateIP - THE_Server1.xxx' is linked.
KMO 'SSL CertificateDNS - THE_Server1.xxx' is linked.
KMO 'NAASKMO - THE_Server1.xxx' is linked.
KMO 'IP AG xxx\.xxx\.xxx\.xx - THE_Server1.xxx' is linked.
KMO 'DNS AG Server1\.xxx\.xxxxxxx\.xx - THE_Server1.xxx' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xxx.xxx.xx
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: xxx.xxx.xxx.xx.O=.xxxCENTRE.
----> The IP addresses match.
Step 6 failed -603.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0


From Server3
---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Mon Jan 15 13:24:29 2007
User logged-in as: admin.xxx.
Fixing mode
Rekey mode
Re-key when necessary

--> Server Name = 'THE_Server3'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'THE_Server3.xxx' points to SAS Service object 'SAS Service -
THE_Server3.xxx'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - THE_Server3.xxx' is backlinked to
server 'THE_Server3.xxx'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THE_Server3.xxx'.
--->KMO DNS AG theServer3\.xxx\.xxxxxxx\.xx - THE_Server3.xxx is linked.
--->KMO IP AG xxx\.xxx\.xxx\.xxx - THE_Server3.xxx is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'DNS AG theServer3\.xxx\.xxxxxxx\.xx - THE_Server3.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'IP AG xxx\.xxx\.xxx\.xxx - THE_Server3.xxx'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'DNS AG theServer2\.xxx\.xxxxxxx\.xx - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG xxx\.xxx\.xxx\.12 - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old2 SSL CertificateDNS - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old2 SSL CertificateIP - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'DNS AG THEServer1\.xxx\.xxxxxxx\.xx - THE_Server1.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'IP AG xxx\.xxx\.xxx\.13 - THE_Server1.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'NAASKMO - THE_Server1.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'NetIdentity - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old1 SSL CertificateDNS - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'Old1 SSL CertificateIP - THE_Server2.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateDNS - THE_Server1.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.


---> Testing KMO 'SSL CertificateIP - THE_Server1.xxx'.
Rights check -- OK.
Back link -- Belongs to a different server -- Ignoring this KMO.

Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THE_Server3.xxx'.
KMO 'DNS AG theServer3\.xxx\.xxxxxxx\.14 - THE_Server3.xxx' is linked.
KMO 'IP AG xxx\.xxx\.xxx\.xxx - THE_Server3.xxx' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xxx.xxx.14
PROBLEM: A SSL CertificateIP does not exist
Step 6 failed -603.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0