Info: VeriSign / Symantec MPKI / Digicert Error Codes

Applies To:

All versions of Venafi Encryption Director and Venafi Trust Protection Platform


When renewing and revoking certificates using the VeriSign / Symantec MPKI driver, you may encounter error messages that are passthroughs of VeriSign / Symantec MPKI errors. The information below explains the cause of each error message so that you can resolve the issue.

More Information:


- SHA1 validity check error: What error code do we get when we submit SHA1 SSL requests with a validity beyond 12/31/2016?

- gTLD: What error code do we get when we cannot complete the re-authentication for domains with a newly-approved gTLD 30 days after the gTLD approval?

Per CA/B Forum Baseline Requirements, certificates for non-FQDN names cannot be valid past 11/1/2015. Examples: hostname, (.cba is a pending gTLD)

Currently the maximum certificate validity is 4 years.
OU misleading. See comments earlier
Org re-auth past due. An EV organization has to go through re-authentication every 13 months; an OV organization has to go through re-authentication every 39 months.
Domain re-auth past due. An EV domain has to go through re-authentication every 13 months; an OV domain has to go through re-authentication every 39 months.
No organization address was set as the default; this should not happen.
The signature algorithm does not match the key type in the CSR (e.g. the CSR has an ECC key, but the signature algorithm is sha1WithRSAEncryption).
Only ECC keys on the named curve NIST P-256 (aka secp256r1 or prime256v1) are supported; other ECC curves and key sizes will get this error.
Only DSA keys with (2048, 256) as the bit lengths of the prime parameter pair (p, q) are supported; other DSA key sizes will get this error.
RSA key size < 2048 bits.

Other errors that may occur in VICE2:

0x3a10: Invalid X509 certificate format: An unsupported certificate format was submitted.
0x4002: Internal QM Error: Internal database connection error.

0x3300: Certificate not ready for renewal: Normally Symantec only allows you to renew a certificate when it is 90 days or less from its expiry date.
0x3301: Bad transaction id or parent cert not renewable: The user tried to renew a certificate that is not yet ready for renewal, or the transaction ID is wrong.
0x3069: Challenge phrase mismatch: The submitted challenge phrase does not match the original one.

0x3111: Unsupported Product: The user submitted the wrong product, or the requested cipher is not supported.
0x30e8: CN or org does not match the original one: The submitted CSR contains a common name or organization that does not match the original certificate.
0x1005: Duplicate certificate: A certificate with the same common name already exists.
0x0194: Incorrect Signature Algorithm: The requested signature algorithm is not supported for the key type, e.g. ECDSA is requested for an RSA key.
0x6000: Parameter missing or incorrect: A general error code for missing or incorrect parameters; the reason is given in the response message, e.g. "CSR is missing.", "Unsupported serverType" (when no supported serverType could be found) or "invalid transaction id".
0x3063: Certificate not allowed: Trying to issue a certificate that is not configured for the account.
0x23df: No MDS Data Returned: Internal connection lost or server not responding; this should be rare.
0x3004: Invalid Account: The user's MPKI account associated with the certificate is not valid or not yet active.
0x4101: Internal Error: Internal server error; the user should try again later. (Also check that the State is spelled out rather than abbreviated.)
0x3101: Missing admin role: Your account does not have the admin role required to access the web service API.
0x3085: Account does not have webservice feature: Your account does not have the web service role required to access the web service API.
0x9511: Corrupted CSR: The submitted CSR was malformed.
0xa001: Public key format does not match: The public key format does not match the original certificate on renewal or replacement, e.g. trying to renew or replace an RSA certificate with a CSR based on a DSA or ECC key.
0x0143: Certificate End Date Error: You are trying to replace a certificate with a validity end date later than the original certificate's, or the certificate end date is not valid.

0x3105: Organization name not matched: The organization name you entered is not on the approved list of organizations in the CA (which is ultimately configured by Symantec/DigiCert).
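Several of the errors above (0x0194, 0x30e8, 0x3300, 0xa001 and the key-size rules) can be predicted by inspecting the CSR before it reaches the CA. The pre-flight check below is an added example, not Venafi or Symantec code: it uses the third-party cryptography package, maps what it finds in a CSR (and, for a renewal, in the certificate being renewed) onto the codes listed in this article, and the 90-day window, curve and key-size limits are taken from the table above as assumptions; sample_pair builds a constructed self-signed stand-in for the original certificate so the check can run offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID as S

# Signature OIDs grouped by the key type they belong to; a mismatch is what 0x0194 reports.
SIG_FAMILY = {
    rsa.RSAPublicKey: {S.RSA_WITH_SHA1, S.RSA_WITH_SHA256, S.RSA_WITH_SHA384, S.RSA_WITH_SHA512, S.RSASSA_PSS},
    ec.EllipticCurvePublicKey: {S.ECDSA_WITH_SHA1, S.ECDSA_WITH_SHA256, S.ECDSA_WITH_SHA384, S.ECDSA_WITH_SHA512},
    dsa.DSAPublicKey: {S.DSA_WITH_SHA1, S.DSA_WITH_SHA224, S.DSA_WITH_SHA256},
}
key_kind = lambda pub: next((t for t in SIG_FAMILY if isinstance(pub, t)), None)
common_name = lambda name: [a.value for a in name.get_attributes_for_oid(NameOID.COMMON_NAME)]

def csr_findings(csr):
    """Errors from the article (codes, or the key-size rules) a fresh request with this CSR would hit."""
    pub, found = csr.public_key(), []
    if csr.signature_algorithm_oid not in SIG_FAMILY.get(key_kind(pub), set()):
        found.append("0x0194")                  # signature algorithm does not fit the key type
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < 2048:
        found.append("RSA key size < 2048")
    elif isinstance(pub, ec.EllipticCurvePublicKey) and pub.curve.name != "secp256r1":
        found.append("ECC key not NIST P-256")  # secp256r1 == prime256v1 == P-256
    elif isinstance(pub, dsa.DSAPublicKey) and (pub.key_size, pub.public_numbers().parameter_numbers.q.bit_length()) != (2048, 256):
        found.append("DSA key not (2048, 256)")
    return found

def renewal_findings(csr, original, now=None):
    """csr_findings plus the checks a renewal or replacement makes against the original certificate."""
    found = csr_findings(csr)
    if key_kind(csr.public_key()) is not key_kind(original.public_key()):
        found.append("0xa001")                  # public key format differs from the original cert
    if common_name(csr.subject) != common_name(original.subject):
        found.append("0x30e8")                  # CN does not match the original
    expires = getattr(original, "not_valid_after_utc", None) or original.not_valid_after.replace(tzinfo=timezone.utc)
    if expires - (now or datetime.now(timezone.utc)) > timedelta(days=90):
        found.append("0x3300")                  # more than 90 days to expiry: not renewable yet
    return found

def sample_pair(orig_key, csr_key, orig_cn, csr_cn, days_left):
    """Constructed sample input: a self-signed stand-in for the original cert plus a renewal CSR."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    original = (x509.CertificateBuilder().subject_name(name(orig_cn)).issuer_name(name(orig_cn))
                .public_key(orig_key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=days_left))
                .sign(orig_key, hashes.SHA256()))
    csr = x509.CertificateSigningRequestBuilder().subject_name(name(csr_cn)).sign(csr_key, hashes.SHA256())
    return original, csr
```

Run the findings on a real CSR by loading it with x509.load_pem_x509_csr and the original certificate with x509.load_pem_x509_certificate; an empty list means none of the covered errors should occur.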

