Hi All,

We are using WAS 9.0.5.21 and the auto-renewal of the WAS certificates did not seem to happen as expected, thus causing the certificates to expire. Now, I am trying the renew the certificate manually from the WAS Admin Console but it is failing with below error :
An error occurred renewing default: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)

Any pointers on fixing this issue?

Hello Ninad,

 I suggeset to enable security traces and try again to get more details about the fail. If you can share here
 
 Procedure
    1. Open the WebSphere® Application Service Integrated Solutions Console.
    2. Expand Troubleshooting and select Logs and trace.
    3. Select the server on which you want to enable traces, and then select Diagnostic Trace.
    4. Click the Runtime tab.
    5. lick Change Log Detail Levels.
    6. Set a trace level, select Save runtime changes to configuration as well, and click Apply.
    
 com.ibm.ws.security.*=all=enabled
 
 Tell us if you need more support

Hi All,

We are using WAS 9.0.5.21 and the auto-renewal of the WAS certificates did not seem to happen as expected, thus causing the certificates to expire. Now, I am trying the renew the certificate manually from the WAS Admin Console but it is failing with below error :
An error occurred renewing default: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)

Any pointers on fixing this issue?

Hello Gabriel,

We have raised PMR TS019146801 and attached the logs and other screenshots. Would highly appreciate if you could take a look. I am not sure how to share the logs with you here. The only exception we see every time we try renew certificate, has been shared above in RED color.  

Hello Ninad,

 I suggeset to enable security traces and try again to get more details about the fail. If you can share here
 
 Procedure
    1. Open the WebSphere® Application Service Integrated Solutions Console.
    2. Expand Troubleshooting and select Logs and trace.
    3. Select the server on which you want to enable traces, and then select Diagnostic Trace.
    4. Click the Runtime tab.
    5. lick Change Log Detail Levels.
    6. Set a trace level, select Save runtime changes to configuration as well, and click Apply.
    
 com.ibm.ws.security.*=all=enabled
 
 Tell us if you need more support

Hi All,

We are using WAS 9.0.5.21 and the auto-renewal of the WAS certificates did not seem to happen as expected, thus causing the certificates to expire. Now, I am trying the renew the certificate manually from the WAS Admin Console but it is failing with below error :
An error occurred renewing default: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)

Any pointers on fixing this issue?

This error occurred in 855 and was fixed several years ago also with a fix for 905. So it might be a regression. 

Hello Gabriel,

We have raised PMR TS019146801 and attached the logs and other screenshots. Would highly appreciate if you could take a look. I am not sure how to share the logs with you here. The only exception we see every time we try renew certificate, has been shared above in RED color.  

Hello Ninad,

 I suggeset to enable security traces and try again to get more details about the fail. If you can share here
 
 Procedure
    1. Open the WebSphere® Application Service Integrated Solutions Console.
    2. Expand Troubleshooting and select Logs and trace.
    3. Select the server on which you want to enable traces, and then select Diagnostic Trace.
    4. Click the Runtime tab.
    5. lick Change Log Detail Levels.
    6. Set a trace level, select Save runtime changes to configuration as well, and click Apply.
    
 com.ibm.ws.security.*=all=enabled
 
 Tell us if you need more support

Hi All,

We are using WAS 9.0.5.21 and the auto-renewal of the WAS certificates did not seem to happen as expected, thus causing the certificates to expire. Now, I am trying the renew the certificate manually from the WAS Admin Console but it is failing with below error :
An error occurred renewing default: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)

Any pointers on fixing this issue?

But how do we resolve this issue? We are already at WAS 9.0.5.21 level.

This error occurred in 855 and was fixed several years ago also with a fix for 905. So it might be a regression. 

Hello Gabriel,

We have raised PMR TS019146801 and attached the logs and other screenshots. Would highly appreciate if you could take a look. I am not sure how to share the logs with you here. The only exception we see every time we try renew certificate, has been shared above in RED color.  

Hello Ninad,

 I suggeset to enable security traces and try again to get more details about the fail. If you can share here
 
 Procedure
    1. Open the WebSphere® Application Service Integrated Solutions Console.
    2. Expand Troubleshooting and select Logs and trace.
    3. Select the server on which you want to enable traces, and then select Diagnostic Trace.
    4. Click the Runtime tab.
    5. lick Change Log Detail Levels.
    6. Set a trace level, select Save runtime changes to configuration as well, and click Apply.
    
 com.ibm.ws.security.*=all=enabled
 
 Tell us if you need more support

Hi All,

We are using WAS 9.0.5.21 and the auto-renewal of the WAS certificates did not seem to happen as expected, thus causing the certificates to expire. Now, I am trying the renew the certificate manually from the WAS Admin Console but it is failing with below error :
An error occurred renewing default: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)

Any pointers on fixing this issue?

You did the correct thing and opened a PMR. 

But how do we resolve this issue? We are already at WAS 9.0.5.21 level.

This error occurred in 855 and was fixed several years ago also with a fix for 905. So it might be a regression. 

Hello Gabriel,

We have raised PMR TS019146801 and attached the logs and other screenshots. Would highly appreciate if you could take a look. I am not sure how to share the logs with you here. The only exception we see every time we try renew certificate, has been shared above in RED color.  

Hello Ninad,

 I suggeset to enable security traces and try again to get more details about the fail. If you can share here
 
 Procedure
    1. Open the WebSphere® Application Service Integrated Solutions Console.
    2. Expand Troubleshooting and select Logs and trace.
    3. Select the server on which you want to enable traces, and then select Diagnostic Trace.
    4. Click the Runtime tab.
    5. lick Change Log Detail Levels.
    6. Set a trace level, select Save runtime changes to configuration as well, and click Apply.
    
 com.ibm.ws.security.*=all=enabled
 
 Tell us if you need more support

Hi All,

We are using WAS 9.0.5.21 and the auto-renewal of the WAS certificates did not seem to happen as expected, thus causing the certificates to expire. Now, I am trying the renew the certificate manually from the WAS Admin Console but it is failing with below error :
An error occurred renewing default: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)

Any pointers on fixing this issue?