
Troubleshoot post-processing scripts

System scripts execution issues

The following entries describe common issues with system post-processing scripts, along with the probable cause and solution for each.

Issue: Unable to retrieve the target certificate from the user's personal certificate store.
Probable cause: The script cannot access the certificate, typically because the token holding its private key is not registered or not present.
Solution: If using a DigiCert software token, register the token from the Quick actions menu in DigiCert Software Keystore, then rerun the failed script.

If using a YubiKey hardware token, re-insert the token and then rerun the failed script.

Issue: The X.509 trust chain validation for the target certificate has failed, or the X.509 trust chain status for the target certificate cannot be obtained.
Probable cause: The issuing CA chain of the certificate cannot be validated, is not reachable, or is unknown to the system.
Solution: Review the DigiCert Trust Assistant logs for chain validation failures and contact your administrator for assistance.

If you are an administrator, make sure the complete chain can be built and revocation-checked from the user's machine: end-entity and CA certificates need valid Authority Information Access (AIA, carrying the OCSP responder and CA issuer URLs) and CRL Distribution Point (CDP) extensions, the OCSP responders and CRLs they point to must be reachable through the user's network and proxy, and the root must be installed in Trusted Root Certification Authorities.

Rerun the failed script once trust chain validation is in place.

Issue: The script signature verification failed.
Probable cause: The signature on the script is not valid.
Solution: Review the DigiCert Trust Assistant logs thoroughly for details about the script signature status, and contact your administrator for assistance.

If you are an administrator, verify the script's signature manually before allowing it to run again; a script whose signature does not verify should be treated as untrusted until the cause is understood. For detailed steps, refer to System scripts or contact your DigiCert representative for assistance.

Issue: The script execution was terminated (SIGTERM).
Probable cause: The script did not finish within the configured timeout. The default script timeout is 30 seconds and is configurable.
Solution: Increase the script timeout and rerun the failed script. Refer to Configure post-processing script timeout in DigiCert Trust Assistant for details, or contact your administrator for assistance. Before raising the timeout, check the logs for what the script was waiting on (for example an unreachable OCSP responder, CRL or LDAP server): a longer timeout only masks a slow dependency.

Issue: The script encountered an unknown error during execution.
Probable cause: Generic error reported when the exact issue is not known and an internal error has occurred.
Solution: Review the DigiCert Trust Assistant logs for details about the issue and contact your administrator for further assistance.

Issue: A configuration change on the certificate profile is not reflected when the failed script is rerun.
Probable cause: This is expected behavior. A rerun uses the script parameters cached locally at the time of the original run, so later changes to the certificate profile are not picked up. Refer to Rerun failed post-processing scripts in DigiCert Trust Assistant for details.
Solution: The new configuration is applied on the next certificate installation. Enroll again to run the script with the updated configuration.
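The following PowerShell script is an added example for the chain validation entry above; it is not part of DigiCert Trust Assistant or its system scripts. It reproduces the checks an administrator needs before rerunning a failed script: the certificate is present in the user's personal store with a usable private key, it carries AIA and CDP extensions, the chain builds with online revocation checking for every element, and the chain's root is in a Trusted Root Certification Authorities store. The thumbprint parameter is an assumption; save the block as a .ps1 file and pass the thumbprint shown in DigiCert Trust Assistant.

```powershell
# Added example: not part of DigiCert Trust Assistant or its scripts.
# Diagnoses why X.509 chain validation fails for a certificate in Cert:\CurrentUser\My.
# Assumption: the certificate is selected by its SHA-1 thumbprint ($Thumbprint).
param(
    [Parameter(Mandatory)][string]$Thumbprint
)

$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Error "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My"
    return
}
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no associated private key (token not registered or not inserted?)'
}

# Extensions the chain engine relies on: AIA (1.3.6.1.5.5.7.1.1) and CDP (2.5.29.31)
foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        '{0}: {1}' -f $ext.Oid.FriendlyName, $ext.Format($false)
    } else {
        Write-Warning "Extension $oid is missing from the end-entity certificate"
    }
}

# Build the chain exactly the way a strict validator would: online revocation for every element
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$ok = $chain.Build($cert)
"Chain valid: $ok"
foreach ($el in $chain.ChainElements) {
    # Per-element status names the failing link (RevocationStatusUnknown, OfflineRevocation, UntrustedRoot, ...)
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' } else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
    '  {0}  [{1}]' -f $el.Certificate.Subject, $status
}

# The last element is the chain's root; it must be in a Trusted Root Certification Authorities store
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trusted = @(Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
if ($trusted.Count -eq 0) {
    Write-Warning "Root '$($root.Subject)' is not in Trusted Root Certification Authorities"
}
$chain.Dispose()
```

Run it as the affected user, since the personal and current-user root stores are per user. A status of RevocationStatusUnknown or OfflineRevocation on a CA element points at an unreachable OCSP responder or CRL rather than a missing root, which is the case the "cannot obtain the trust chain status" message usually corresponds to.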

The following entries describe issues with the Outlook scripts, along with the probable cause and solution for each.

Issue: Outlook is not installed.
Probable cause: A supported Microsoft Outlook application is not installed on the target system.
Solution: Make sure a supported 64-bit Microsoft Outlook is installed and working correctly. Supported versions are Outlook 2016 onwards, 64-bit only.

Issue: Invalid S/MIME certificate: certificate key usage (KU) is empty, or the certificate key usage (KU) does not contain the required field(s).
Probable cause: The KU extension in the certificate is absent, or does not contain the required value(s). The KU must contain at least one of:

  • digitalSignature (signing)

  • keyEncipherment (encryption)

Solution: Contact your administrator for assistance. If you are an administrator, review the TLM certificate profile and configure the KU values for your use case. For assistance, contact your DigiCert representative.

Issue: Invalid S/MIME certificate: certificate extended key usage (EKU) is empty, or the certificate extended key usage (EKU) does not contain the required field(s).
Probable cause: The EKU extension in the certificate is absent, or does not contain the required value. The EKU must contain id-kp-emailProtection (1.3.6.1.5.5.7.3.4).
Solution: Contact your administrator for assistance. If you are an administrator, review the TLM certificate profile and configure the EKU values for your use case. For assistance, contact your DigiCert representative.

Issue: The Outlook account email address does not match the email address in the certificate's Subject Alternative Name (SAN) or Subject DN (email).
Probable cause: The certificate carries a different email address from the one configured in the installed Outlook email account.
Solution: Make sure Microsoft Outlook is configured with the email account the certificate was issued for, then rerun the script. If the issue persists, contact your administrator for further assistance.

Issue: Outlook displays a pop-up while the post-processing script executes.

[Image: PPS_popup.png, the Outlook programmatic access warning]

Probable cause: The pop-up is displayed when any of the following applies on the Programmatic Access Security page (Outlook > File > Options > Trust Center > Trust Center Settings... > Programmatic Access):

  • Warn me about suspicious activity when my antivirus software is inactive or out-of-date is selected, and the Antivirus status shows as Invalid.

  • Always warn me about suspicious activity is selected.

  • None of the options on the page is selected. This generally means Programmatic Access is managed by your organization through a domain Group Policy Object (GPO).

Solution: Depending on which case applies:

  • Warn me about suspicious activity when my antivirus software is inactive or out-of-date is selected and the Antivirus status shows as Invalid: make sure your antivirus software is installed and up to date.

  • Always warn me about suspicious activity is selected: this may be configured by your administrator. Contact your administrator for assistance.

  • None of the options is selected: contact your administrator for assistance.

If you are an administrator, make sure Outlook's Programmatic Access Security is set to Warn me about suspicious activity when my antivirus software is inactive or out-of-date in the user environment, and that the machine has supported antivirus software enabled and up to date. Refer to Microsoft documentation for details about these settings.

Issue: Outlook S/MIME configuration failed.
Probable cause: Generic error reported when the exact issue is not known and an internal error has occurred.
Solution: Review the DigiCert Trust Assistant logs for details about the issue.

The following entries describe issues with the Active Directory Publisher (Windows) scripts, along with the probable cause and solution for each.

Issue: The current user does not appear to be part of any Active Directory (AD) domain.
Probable cause: The user is not logged on to an AD domain. The script reads the AD domain from the USERDNSDOMAIN environment variable, which Windows sets only for domain logons.
Solution: Make sure the user is logged on with a domain account so that USERDNSDOMAIN is set, then rerun the script. If the issue persists, contact your administrator for further assistance.

Issue: Unable to retrieve the current user's Distinguished Name (DN).
Probable cause: The script cannot look up the user's DN. It resolves the DN from the user's Windows security identifier (SID), so the lookup needs a reachable domain controller that knows that SID.
Solution: Rerunning the failed script is unlikely to resolve this. Contact your administrator for assistance.

Issue: Unable to publish the certificate to Active Directory (AD).
Probable cause: Either the user lacks permission to publish the certificate, or the LDAP connection to AD is invalid or unstable.

Note: The script uses a non-TLS LDAP connection on port 389, so TCP 389 to the domain controllers must be reachable from the user's machine. Domain controllers hardened to accept LDAPS (636) only, or to reject unsigned binds, may refuse the connection.

Solution: Make sure the user has permission to modify the userCertificate attribute on their own AD object. Refer to Active Directory Publisher - Windows for the permission entries required on a user account in AD.

If the user does have the permission, make sure the LDAP connection to AD is stable. Review the DigiCert Trust Assistant logs for details about the issue.
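The following PowerShell script is an added example for the three Active Directory Publisher (Windows) entries above; it is not part of DigiCert Trust Assistant or its scripts. It walks the same dependencies in the same order the entries describe: the domain from USERDNSDOMAIN, a domain controller reachable on TCP 389, the user's DN resolved from their SID, and finally whether the certificate is already present in the user's userCertificate attribute. The thumbprint parameter is an assumption, and the script only reads from AD; it never writes.

```powershell
# Added example: not part of DigiCert Trust Assistant or its scripts.
# Diagnoses the lookups the Active Directory Publisher (Windows) script depends on.
# Assumption: the certificate is selected by its thumbprint ($Thumbprint). Read-only.
param(
    [Parameter(Mandatory)][string]$Thumbprint
)

# 1. Domain: the script takes it from USERDNSDOMAIN, which is set only for domain logons
$domain = $env:USERDNSDOMAIN
if (-not $domain) {
    Write-Error 'USERDNSDOMAIN is not set: the user is not logged on to an AD domain'
    return
}
"Domain: $domain"

# 2. Domain controller reachable on the port the script uses (389, non-TLS)
$dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name
"Domain controller: $dc"
$tcp = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Error "TCP 389 to $dc is not reachable; the non-TLS LDAP connection cannot be established"
    return
}

# 3. DN of the current user, resolved from the SID the way the script does it
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
try {
    $user = [ADSI]"LDAP://$dc/<SID=$sid>"
    $dn = $user.Properties['distinguishedName'].Value
} catch {
    Write-Error "Cannot resolve a DN for SID $sid on ${dc}: $_"
    return
}
"User DN: $dn"

# 4. Is the local certificate already in the user's userCertificate attribute?
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    Write-Error "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My"
    return
}
# userCertificate is multi-valued; each value is the DER encoding of one certificate
$published = @($user.Properties['userCertificate'] | ForEach-Object {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$_)).Thumbprint
})
"Certificates published for ${dn}: $($published.Count)"
if ($published -contains $cert.Thumbprint) {
    'Certificate is already published.'
} else {
    "Certificate $($cert.Thumbprint) is NOT published. Publishing requires write access to userCertificate on $dn; see Active Directory Publisher - Windows for the permission entries."
}
```

Run it as the affected user so that the SID, the USERDNSDOMAIN value and the bind credentials are the ones the post-processing script actually uses. If step 2 fails while LDAPS (636) works, the domain controllers are not accepting the non-TLS connection the script relies on, and no change to permissions will help.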

The following entries describe issues with the Active Directory Publisher (macOS) scripts, along with the probable cause and solution for each.

Issue: Generic error.
Probable cause: A generic error; the log contains further information.
Solution: Review the DigiCert Trust Assistant log and follow the instructions in the message to resolve the error.

Issue: One of the required commands not found.
Probable cause: One or more of the commands listed in the message are missing from the system.
Solution: Make sure all required commands are installed on the macOS machine, and install any that the message lists as missing. If the error persists, contact your administrator for further assistance.

Issue: If the user is not logged into an Active Directory domain, the domain must be provided. Make sure the domain parameter is provided in the certificate profile.
Probable cause: The domain parameter was not provided in the certificate profile. When the user's machine is not domain-joined, the script needs the domain name to log the user in to the domain.
Solution: As an administrator, log in to DigiCert Trust Lifecycle Manager, edit the profile, and add the user's Domain under Additional settings for Active Directory Publisher - macOS.

Issue: Failed to obtain IP address for domain.
Probable cause: The domain name cannot be resolved to an IP address from the user's machine.
Solution: On the user's machine, check that the domain resolves, and that the returned address resolves back to a name (the script requires the reverse lookup as well):

nslookup <domain>
nslookup <ip-address-returned-by-the-first-command>

Also, as an administrator, make sure the Domain under Additional settings for Active Directory Publisher - macOS is configured correctly in the certificate profile.

Issue: Failed to obtain KDC hostname for domain.
Probable cause: The Key Distribution Center (KDC) host for the domain cannot be resolved.
Solution: On the user's machine, check that the domain's SRV records resolve to a domain controller:

dig +short "_ldap._tcp.<domain>" SRV

Active Directory also publishes the KDCs themselves as _kerberos._tcp.<domain> SRV records; query those the same way if the LDAP records resolve but the domain login still fails.

Issue: User cancelled the username/password input dialog.
Probable cause: The machine is not domain-joined, so the script prompted the user to log in to the domain, and the user cancelled the dialog.
Solution: Retry using the rerun functionality. Refer to Rerun failed post-processing scripts in DigiCert Trust Assistant for details.

Issue: Failed to log in to Active Directory domain.
Probable cause: The user entered wrong credentials.
Solution: Make sure the user enters the correct credentials, with the username as the bare account name (for example john.doe), not in user principal name format (for example john.doe@digicert.com).

To retry, refer to Rerun failed post-processing scripts in DigiCert Trust Assistant for details.

Issue: Failed to run ldapsearch to obtain Distinguished Name (DN) of user in Active Directory.
Probable cause: The ldapsearch command used to look up the user's DN in Active Directory failed to run.
Solution: Review the DigiCert Trust Assistant logs for details about the issue and contact your administrator for further assistance.

Issue: Failed to obtain Distinguished Name (DN) of user in Active Directory.
Probable cause: The output of the ldapsearch command could not be parsed.
Solution: Review the DigiCert Trust Assistant logs for details about the issue and contact your administrator for further assistance.

Issue: Failed to publish certificate to Active Directory for user.
Probable cause: Either the user lacks permission to publish the certificate, or another LDAP error occurred.
Solution: Make sure the user has permission to modify the userCertificate attribute. Refer to Active Directory Publisher - Windows for the permission entries required on a user account in AD.

If the user has the permission, make sure the LDAP connection to Active Directory is stable. Review the DigiCert Trust Assistant logs for details about the issue.

Issue: Unknown error occurred.
Probable cause: An unexpected error; the log contains further information.
Solution: Review the DigiCert Trust Assistant log and follow the instructions in the message to resolve the error.

The following entries describe issues related to Adobe Acrobat document signing configuration, along with the probable cause and solution for each.

Issue: Adobe Acrobat is not installed.
Probable cause: The Adobe Acrobat Reader application is not installed on the target machine.
Solution: Make sure Adobe Acrobat Reader is installed and working correctly on the target machine.

Issue: Invalid certificate: certificate key usage (KU) is empty, or the certificate key usage (KU) does not contain the required field(s).
Probable cause: The KU extension in the certificate is absent, or does not contain digitalSignature. The KU must contain digitalSignature.
Solution: Contact your administrator for further assistance. If you are an administrator, review the TLM certificate profile and configure the KU values for your use case. For assistance, contact your DigiCert representative.

Issue: Invalid certificate: certificate extended key usage (EKU) is empty, or the certificate extended key usage (EKU) does not contain the required field(s).
Probable cause: The EKU extension in the certificate is absent, or does not contain the required document-signing value(s). The EKU must contain the following EKUs:

  • Microsoft Document Signing (1.3.6.1.4.1.311.10.3.12)

  • Document Signing (1.3.6.1.5.5.7.3.36)

  • Adobe Authentic Document Trust (1.2.840.113583.1.1.5)

Solution: Contact your administrator for further assistance. If you are an administrator, review the TLM certificate profile and configure the EKU values for your use case. For assistance, contact your DigiCert representative.

Issue: Unable to configure the Adobe Acrobat security settings.
Probable cause: Generic error reported when the exact issue is unknown or an internal error has occurred.
Solution: Review the DigiCert Trust Assistant logs for details about the issue.
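The following PowerShell script is an added example covering both the Outlook S/MIME certificate entries and the Adobe Acrobat certificate entries above; it is not part of DigiCert Trust Assistant or its scripts. It checks a certificate from the user's personal store against the KU and EKU rules listed in those entries and, for S/MIME, that the Outlook account address appears in the certificate's SAN rfc822Name or Subject DN email, reporting each failing condition with the same wording as the error messages. Assumptions: the thumbprint and Outlook account address are supplied as parameters, and for Acrobat any one of the three document-signing EKUs is accepted (the entry does not state whether one or all are required; adjust the check if your profile demands all of them).

```powershell
# Added example: not part of DigiCert Trust Assistant or its scripts.
# Checks a certificate in Cert:\CurrentUser\My against the KU/EKU rules of the
# Outlook (S/MIME) and Adobe Acrobat post-processing scripts described above.
# Assumptions: $Thumbprint selects the certificate; $AccountEmail is the address
# configured in Outlook; for Acrobat, any one of the three EKUs is accepted.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$AccountEmail
)

function Get-CertEmails {
    # Returns every e-mail address found in the Subject DN (E=) and in SAN rfc822Name entries.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $emails = @()
    $e = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ($e) { $emails += $e }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Windows formats SAN entries as "RFC822 Name=user@example.com"
        foreach ($m in [regex]::Matches($san.Format($true), 'RFC822 Name=([^\s,]+)')) {
            $emails += $m.Groups[1].Value
        }
    }
    return @($emails | Select-Object -Unique)
}

function Test-CertProfile {
    # Returns the list of failing conditions; an empty list means the certificate satisfies the profile.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$AnyKeyUsage,   # at least one of these KU bits must be set
        [string[]]$AnyEku,        # at least one of these EKU OIDs must be present
        [string]$AccountEmail     # optional: must appear in SAN rfc822Name or Subject E=
    )
    $problems = @()

    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        $problems += 'certificate key usage (KU) is empty'
    } elseif (-not ($AnyKeyUsage | Where-Object { $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$_) })) {
        $problems += "KU '$($ku.KeyUsages)' does not contain any of: $($AnyKeyUsage -join ', ')"
    }

    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        $problems += 'certificate extended key usage (EKU) is empty'
    } else {
        $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($AnyEku | Where-Object { $present -contains $_ })) {
            $problems += "EKU [$($present -join ', ')] does not contain any of: $($AnyEku -join ', ')"
        }
    }

    if ($AccountEmail) {
        $emails = Get-CertEmails -Cert $Cert
        if ($emails -notcontains $AccountEmail) {
            $problems += "Outlook account $AccountEmail does not match the certificate's SAN or Subject DN email (found: $($emails -join ', '))"
        }
    }
    return ,$problems
}

$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }

# Outlook S/MIME rules: KU digitalSignature or keyEncipherment, EKU id-kp-emailProtection, matching e-mail
$smime = Test-CertProfile -Cert $cert -AnyKeyUsage DigitalSignature, KeyEncipherment `
    -AnyEku '1.3.6.1.5.5.7.3.4' -AccountEmail $AccountEmail
'Outlook S/MIME: ' + $(if ($smime.Count) { $smime -join '; ' } else { 'OK' })

# Adobe Acrobat rules: KU digitalSignature, EKU Microsoft Document Signing, Document Signing or Adobe Authentic Document Trust
$acrobat = Test-CertProfile -Cert $cert -AnyKeyUsage DigitalSignature `
    -AnyEku '1.3.6.1.4.1.311.10.3.12', '1.3.6.1.5.5.7.3.36', '1.2.840.113583.1.1.5'
'Adobe Acrobat:  ' + $(if ($acrobat.Count) { $acrobat -join '; ' } else { 'OK' })
```

Run it as the user whose enrollment failed, with the address shown in Outlook's account settings as -AccountEmail. Because the checks read the issued certificate rather than the profile, an administrator can also run it against a test enrollment to confirm that a profile change in TLM produced the KU and EKU values the scripts expect before users re-enroll.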