# CA Integration Issues

This section helps you diagnose and resolve problems with Certificate Authority (CA) connectors configured in CERTInext. These issues typically affect certificate issuance, renewal, revocation, or status synchronization between CERTInext and the connected CA (public or private).

CA integration failures can interrupt automated provisioning workflows and delay certificate lifecycle operations.

#### Common Symptoms

CA integration issues may present as:

* Certificate requests stuck at **CSR Pending**
* Issuance failures during provisioning
* Connector status showing errors or shown as inactive
* Authentication failures when testing the connector
* Template not visible during ordering
* Revocation requests not propagating

#### Step 1: Verify Connector Status

Navigate to:\
**Integrations → CA Connectors**

Confirm:

* Connector is listed as **Active**
* Base URL or API endpoint is correct
* No visible validation errors

If the connector is inactive:

* Reactivate from the Actions menu
* Review recent configuration changes

#### Step 2: Test Endpoint Connectivity

Most CA issues are connectivity-related.

Verify:

* CA API endpoint or Web Enrollment URL is reachable
* Port 443 (HTTPS) is open
* DNS resolution is working
* Proxy settings are correctly configured (if applicable)

For AD CS:

* Test access to `https://<ca-server>/certsrv`

For API-based connectors:

* Confirm health endpoint access if available
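
The Step 2 checks can be run in order so that the first failing layer (DNS, TCP, TLS, HTTP) is the one reported. The Python below is an added example, not part of CERTInext or its documentation; the function name `probe_ca_endpoint` and the placeholder host are assumptions, and it connects directly without using any proxy settings.

```python
import socket
import ssl


def probe_ca_endpoint(host, port=443, path="/", timeout=5.0, context=None):
    """Probe a CA endpoint one layer at a time (hypothetical helper).

    Returns (stage, detail). stage is "dns", "tcp", "tls" or "http" for the
    first layer that failed, or "ok" when an HTTP status line came back.
    For AD CS web enrollment, pass path="/certsrv".
    """
    # Stage 1: DNS resolution.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"

    # Stage 2: TCP reachability of the HTTPS port (firewall, routing).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot connect to {host}:{port}: {exc}"

    with sock:
        # Stage 3: TLS handshake. The default context verifies the
        # certificate chain and the hostname.
        ctx = context or ssl.create_default_context()
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except (ssl.SSLError, OSError) as exc:
            return "tls", f"handshake failed: {exc}"

        # Stage 4: minimal HTTP request; only the status line is read.
        with tls:
            try:
                req = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode("ascii"))
                status = tls.makefile("rb").readline().decode("latin-1").split()
            except OSError as exc:
                return "http", f"no HTTP response: {exc}"
    if len(status) < 2 or not status[1].isdigit():
        return "http", "malformed HTTP status line"
    if status[1] in ("401", "403"):
        return "ok", f"reachable, HTTP {status[1]}: check credentials (Step 3)"
    return "ok", f"reachable, HTTP {status[1]}"


if __name__ == "__main__":
    # Constructed placeholder host; replace with the connector's CA server.
    print(probe_ca_endpoint("ca-server.example.invalid"))
```

Run it from the host that makes the connector's outbound calls; a `tls` failure with a private CA usually means the issuing chain is not in that host's trust store.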

#### Step 3: Validate Authentication Credentials

Authentication errors commonly occur due to:

* Expired API keys
* Changed service account passwords
* Insufficient enrollment permissions
* Revoked access tokens

Ensure:

* Credentials configured in CERTInext are current
* Service account has enrollment and revocation permissions
* Template-level permissions allow enrollment

#### Step 4: Verify Template and Policy Mapping

If templates are missing or issuance fails:

Check:

* Template is published at the CA
* Template is enabled for the service account
* Template name matches exactly in CERTInext
* Certificate type (DV/OV/EV or internal profile) is supported

Template mismatch often results in issuance rejection.

#### Step 5: Review CSR Compatibility

The CA may reject a request if the CSR does not meet policy requirements.

Validate:

* Key algorithm and size
* Signature algorithm
* SAN formatting
* Subject field structure
* Required attributes for EV/OV

Ensure the CSR profile aligns with the CA template policy.

#### Step 6: Check Revocation Synchronization

If revocation fails:

* Confirm the connector credentials allow revocation
* Verify the certificate serial number matches the CA record
* Check the CA audit logs for a rejection

Revocation failures may occur if the certificate was issued outside CERTInext or under a different account.

#### Step 7: Review Logs

Check:

* Connector validation logs
* Provisioning bot logs (if issuance was triggered via a bot)
* Error messages displayed during order submission

Common error categories include:

* 401/403 authentication errors
* Template not found
* Invalid CSR format
* Network timeout

#### Step 8: Re-test and Retry

After corrections:

* Edit and re-save the connector
* Re-initiate the certificate order
* Retry the provisioning workflow
* Validate the updated connector status

#### When to Escalate

Provide:

* CA Connector Name
* Endpoint URL
* Error message received
* Template name used
* CSR configuration details
* Timestamp of failed attempt

This helps isolate CA-side versus CERTInext-side issues.

#### Best Practices

* Use dedicated service accounts for each CA connector
* Rotate credentials periodically
* Monitor connector status regularly
* Validate integration after CA upgrades
* Maintain documented template mappings

