Hi,

Yesterday, I performed an in-place upgrade of a NW51SP8 server to NW65SP8.
That seemed to go well, except for one problem.
NRM wouldn't open and it seems Apache could not start. Logger screen gave me
the error: Use of key SSL Certificateip failed.

So I ran pkidiag with the several 'fix' options, but PKIDIAG can't fix it
(log below). Maybe usefull info, after the upgrade I found out the DNS
entry in sys:\etc\hosts for this server was invalid. It was dhd1.tmsnet,org
(comma) while of course it should have been dhd1.tmsnet.org. I changed it
and rebooted the server just to be sure.

When (from nwadmin) I double click on the SSL CertificateIP - DHD1 object it
shows the Certificate Status as 'Absent' and tells me 'there is no trusted
root in this Key Material Object. Choose import to add one'. Ive exported a
certificate from another (working) object and imported it. After that it
shows the CA setting correctly, though the Certificate Status remains
'Absent'

This server is in a multi server Tree. Another NW65SP8 server is the CA and
the host field in the CA object is populated correctly. No certificate
problems on the other servers.

I'm not a biggie (as you can tell..) on certificate issues, so any help
would be greatly appreciated.

Thanks
Ron

---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Sat Jan 30 12:17:22 2010
User logged-in as: admin.tms.
Fixing mode
Rekey mode
Always Re-key

--> Server Name = 'DHD1'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'DHD1.SERVICES.DHD.NL.TMS' points to SAS Service object 'SAS
Service - DHD1.SERVICES.DHD.NL.TMS'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - DHD1.SERVICES.DHD.NL.TMS' is backlinked
to server 'DHD1.SERVICES.DHD.NL.TMS'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
DHD1.SERVICES.DHD.NL.TMS'.
--->KMO SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS is linked.
--->KMO SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
DHD1.SERVICES.DHD.NL.TMS'.
KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS' is linked.
KMO 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 10.2.1.2
ERROR -1372418624. The KMO SSL CertificateIP exists, but I can't decode it.
FIXING: Creating SSL CertificateIP (10.2.1.2)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateIP.
--> Number of Server DNS names for the IP address 10.2.1.2 = 1
--> The server's default DNS name is:
DHD1.TMSNET.ORG
ERROR -1240. The KMO SSL CertificateDNS exists, but we can't decode it.
FIXING: Creating SSL CertificateDNS (DHD1.TMSNET.ORG)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateDNS.
Step 6 failed 49673.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 0
Problems fixed: 0
Un-fixable problems found: 0