PFX Certificate - Invalid Public Key Security Object File

Applies to:
  • SecureAuth Identity Platform
Deployment model:
  • Hybrid
Description:
    After downloading a PFX Certificate and attempting to install it, an error is presented stating: 'This file is invalid for use as the following: Personal Information Exchange'.

    Looking at the downloaded PFX Certificate, it can be seen that the file size is around 2KB, compared to a healthy PFX Certificate which is around 8KB - see below for the comparison.

    The root cause is that the file which has been downloaded is not an actual PFX Certificate.
    There may be a few potential reasons for this, but the ultimate problem is that the IdP Server was unable to contact the SecureAuth Certificate Authority Servers to request a PFX file at the time.
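
One way to confirm that a downloaded file is not an actual PFX, as an added example (not SecureAuth code): it checks for the outer PKCS#12 ASN.1 framing and flags text or HTML saved under a .pfx name. The function names and the sample bytes are constructed for illustration.

```python
import sys

# Constructed samples (not real SecureAuth responses or certificates).
SAMPLE_HTML = b"<!DOCTYPE html><html><body>Request timed out</body></html>"
# Outer PFX framing only: SEQUENCE(10){ INTEGER 3, SEQUENCE(5){ five filler bytes } }
SAMPLE_PFX_FRAME = bytes.fromhex("300a020103" "3005" "0000000000")

def _der_len(buf, pos):
    """Decode the ASN.1 length at buf[pos]; return (length or None if indefinite, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F
    if n == 0:                            # BER indefinite length
        return None, pos + 1
    if n > 4 or pos + 1 + n > len(buf):
        raise ValueError("implausible length field")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_download(data: bytes) -> str:
    """Return 'pkcs12', 'truncated', 'text', 'empty' or 'unknown' for bytes saved as .pfx."""
    if not data:
        return "empty"
    head = data[:512]
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in head)
    if printable or b"<html" in head.lower():
        return "text"                     # error page or message saved under a .pfx name
    try:
        if data[0] != 0x30:               # PFX ::= SEQUENCE { version, authSafe, macData }
            return "unknown"
        outer_len, pos = _der_len(data, 1)
        if data[pos:pos + 3] != b"\x02\x01\x03" or data[pos + 3] != 0x30:
            return "unknown"              # expect version INTEGER 3, then ContentInfo SEQUENCE
    except (IndexError, ValueError):
        return "unknown"
    if outer_len is not None and pos + outer_len > len(data):
        return "truncated"                # header promises more bytes than were saved
    return "pkcs12"                       # framing only; does not prove the file decrypts

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: {len(blob)} bytes -> {classify_download(blob)}")
```

A result of 'text' on the file that failed to install matches the root cause described above: what was saved is a response page rather than a certificate container.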

    The 'Certificate URL' used by the IdP Server is found under the 'SecureAuth Cloud Services' section of the 'System Info' tab for the PFX Certificate Realm. The correct URLs can be seen in the below link:-

    Test the connection to the 'Certificate URL' by opening the URL directly within a Browser; the result should look similar to the below:-

    If a different page is displayed, a 404 or 'Timeout page' for example, it means the URL cannot be reached and therefore a Certificate Request cannot be carried out against SecureAuth CA Server(s).

    The cause of this will need to be investigated and fixed. Potential causes could be:-

    • Required Network Ports closed on the Firewalls
      Fix - Ensure ALL required Ports according to the below KB Article for your version of IdP are open on the Firewall(s)

    • Proxy Settings
      Fix - Ensure all Proxy settings have been entered correctly and Traffic is passing through as expected. This includes, but is not limited to:-
        • IIS Application Request Routing
        • Browser/Computer Proxy Settings
        • Realm Configuration - 'System Info - Proxy Server Configuration'

    • Incorrect URL within the Certificate URL field for the Realm
      Fix - Ensure the correct Certificate URL is used - see

    • Correct URL specified within the PFX Certificate Realm but it is not resolving to an active CA Server
      Fix - Browse to the Base URL seen in the Certificate URL field, for example ''. Once the page is loaded, hover the mouse pointer over the Browser tab to see which CA Server you are connecting to. Open a case with Technical Support and provide this information, along with all other relevant information, within the Case.


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
