After downloading a PFX Certificate and attempting to install it, an error is presented stating: 'This file is invalid for use as the following: Personal Information Exchange'
Looking at the downloaded PFX Certificate, it can be seen that the file size is around 2KB, compared to a healthy PFX Certificate which is around 8KB - see below for the comparison
The root cause is that the Certificate which has been downloaded is not an actual PFX Certificate.
There may be a few potential reasons for this, but the ultimate problem is that the IdP Server was unable to contact the SecureAuth Certificate Authority Servers to request a PFX file at the time.
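File size is only a hint, so the downloaded file can also be checked structurally. The following is an added example, not SecureAuth code: it tests whether a file starts with the PKCS#12 outer structure (a DER SEQUENCE whose first element is the version INTEGER 3, per RFC 7292) and flags a plain-text body instead. The function names and sample bytes are constructed for illustration, and treating a text body as a failed-request response is an assumption.

```python
import sys

def der_header(data, pos):
    """Return (tag, length or None, value offset) of the DER/BER element at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        return tag, first, pos
    if first == 0x80:                     # BER indefinite length
        return tag, None, pos
    n = first & 0x7F                      # long form: n length bytes follow
    if n > 4 or pos + n > len(data):
        raise ValueError("bad length field")
    return tag, int.from_bytes(data[pos:pos + n], "big"), pos + n

def classify_download(data):
    """Return 'pfx', 'truncated-pfx', 'text-response', 'empty' or 'unknown-binary'."""
    if not data:
        return "empty"
    try:
        tag, length, body = der_header(data, 0)
        vtag, vlen, vpos = der_header(data, body)
        # RFC 7292: PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe, macData }
        if tag == 0x30 and vtag == 0x02 and vlen == 1 and data[vpos:vpos + 1] == b"\x03":
            complete = length is None or body + length <= len(data)
            return "pfx" if complete else "truncated-pfx"
    except ValueError:
        pass
    head = data[:256].lstrip(b"\xef\xbb\xbf")     # ignore a UTF-8 byte order mark
    if all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "text-response"            # assumption: an HTML or error body
    return "unknown-binary"

# Constructed samples (not real certificates): a PKCS#12-shaped header padded to
# about 8KB, and a small HTML body standing in for a failed request.
SAMPLE_PFX = b"\x30\x82\x1f\x40\x02\x01\x03" + bytes(7997)
SAMPLE_HTML = b"<!DOCTYPE html><html><body>Request failed</body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(sys.argv[1], len(blob), "bytes:", classify_download(blob))
    else:
        for name, blob in (("sample.pfx", SAMPLE_PFX), ("sample.html", SAMPLE_HTML)):
            print(name, len(blob), "bytes:", classify_download(blob))
```

A result of 'pfx' only means the outer structure is present; it does not verify the password, the MAC or the certificates inside the file.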
The 'Certificate URL' used by the IdP Server is found under the 'SecureAuth Cloud Services' section of the 'System Info' tab for the PFX Certificate Realm. The correct URLs can be seen in the below link:-
Test the connection to the 'Certificate URL' by opening the URL directly within a Browser. The result should look similar to the below:-
If a different page is displayed, a 404 or 'Timeout page' for example, it means the URL cannot be reached and therefore a Certificate Request cannot be carried out against SecureAuth CA Server(s).
The cause of this will need to be investigated and fixed. Potential causes could be:-
Required Network Ports closed on the Firewalls
Fix - Ensure ALL required Ports according to the below KB Article for your version of IdP are open on the Firewall(s)
Fix - Ensure all Proxy settings have been entered correctly and Traffic is passing through as expected. This includes, but is not limited to:-
IIS Application Request Routing
Browser/Computer Proxy Settings
Realm Configuration - 'System Info - Proxy Server Configuration'
Incorrect URL within the Certificate URL field for the Realm
Fix - Ensure the correct Certificate URL is used - see https://docs.secureauth.com/2212/en/secureauth-cloud-services.html
Correct URL specified within the PFX Certificate Realm but it is not resolving to an active CA Server
Fix - Browse to the Base URL seen in the Certificate URL field, for example 'https://us-cloud.secureauth.com'. Once the page is loaded, hover the mouse pointer over the Browser tab to see which CA Server you are connecting to. Then open a case with Technical Support and provide this information, along with all other relevant information, within the Case.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.