Path Build Errors

 

If you receive a Path Build Exception error this indicates that either the certificate path is not complete - in that a valid certificate path could not be found from the end-entity (signer) certificate to a trusted root certificate, or that there was another issue with one or more certificates in the path e.g. an expired certificate or a rule violation

 

Check the Logs

Where is the log file?

The EzSign log file should contain the actual reason for the failure. e.g.

  Path Build Exception: Path Build: Path building failed.  Could not find issuer for : CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB

This will give the reason for the path build failure 

 

 

Incomplete Paths

Errors such as the following:

  Path Build Exception: Path Build: Path building failed.  Could not find issuer for : CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB

Are caused because either the root certificate is not present in the channel or the signature itself does not contain the required intermediate certificates

To determine which, you may copy the Signature data sent, and paste into the Signature Toolkit tool.  This will display the certificates included in the signature which can then be analysed

You can install the root certificate (or any other certificates required, including the intermediate CA certificates) via the Management Utility, choosing the Import Certificate option

Once all the required certificates have been installed, restart EzSign and attempt the verification again

Note: This may not be an error condition at all.  The siganture being verified may have been signed by a rougue or spoofed certificate and EzSign is rejecting it for this reason

 

Rule Violation

Errors such as the following:

  Path Build Exception: The key size of the certificate CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB is 2048 bits.  This is less than the minimum key size of 4096 bits specified

Are due to the rules specified in the configuration, or within the custom path checker (if enabled)

In this specific case, the following property:

  channel.1.verify.minKeySize=4096

Requires that the certificate must have a key size of at least 4096 bits

The property can be relaxed (e.g. to 2048) but the rule may be in place for a specific security reason, in which case the signature has been rejected intentionally

Other settings that perform checks on the path and siganture are shown below:

  channel.1.verify.signedAttribsRequired=true
  channel.1.verify.denyWeakSignatureHash=false
  channel.1.verify.denyWeakCertificateHash=false
  channel.1.verify.relaxRootCertExtensionChecks=false
  channel.1.verify.relaxAllCertExtensionChecks=false
  channel.1.verify.nonRepudiationRequired=true
  channel.1.verify.caBasicConstraintsRequired=true
  channel.1.verify.minKeySize=2048
  channel.1.verify.maxKeySize=8192

 

Contact Us

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Call: 020 8938 3616

Sales & Support

Should you need any help with any of Krestfield's products, or wish to make any suggestions, please contact us.

Sales: sales@krestfield.com

Support: support@krestfield.com

Latest News

PKCloud

Version 1.1.0 released

EzSign

Version 3.1.0 released

 

Our Mission

To create secure, highly available, easy to use products that are priced fairly

Please publish modules in offcanvas position.