Troubleshoot post-processing scripts

Unable to retrieve the target certificate from the user's personal certificate store.

The script cannot access the certificate.

If using a DigiCert software token, try registering the token using the Quick actions menu in DigiCert Software Keystore, then try rerunning the failed script.

If using a YubiKey hardware token, try re-inserting the token and then rerunning the failed script.

The issuing CA trust chain of the certificate is either not validated, not accessible, or unknown.

Review the DigiCert Trust Assistant logs for any reports indicating chain validation failures and contact your administrator for assistance.

If you are an administrator, make sure that the complete certificate chain validation is established. This includes valid AIA, CDP, OCSP, and CRL extensions for end-entity and CA certificates. Also, make sure that the Root is added to Trusted Root Certification Authorities.

Try rerunning the failed script once trust chain validation is in place.

The script signature verification failed.

The script signature is not valid.

Review the DigiCert Trust Assistant logs thoroughly to get more details about the script signature status, and contact your administrator for assistance.

If you are an administrator, it's recommended to manually verify the script's signature as a security precaution. For detailed steps, refer to System scripts or contact your DigiCert representative for assistance.

The script execution was terminated (SIGTERM).

The script execution did not finish within the specified time. The default script timeout value is 30 seconds and is configurable.

Increase the default script timeout value and then try rerunning the failed script. Refer to Configure post-processing script timeout in DigiCert Trust Assistant for more details or contact your administrator for assistance.

The script encountered an unknown error during execution.

General error message if the exact issue is not known and some internal error has occurred.

Review the DigiCert Trust Assistant logs to get more details about the issue and contact your administrator for further assistance.

The configuration change on the certificate profile is not reflected during the rerun of the failed script.

This is expected behavior.

Since rerun will run based on the cache stored locally, any update made to the certificate profile will not be reflected during the rerun. Refer to Rerun failed post-processing scripts in DigiCert Trust Assistant for details.

The configuration will be applied when a new certificate installation takes place. Try enrolling again to run the script with the desired configuration.

Outlook is not installed.

The supported Microsoft Outlook application is not installed on the target system.

Make sure that the supported Microsoft Outlook version is installed and working correctly.

The supported Outlook versions are Outlook 2016 onwards. Both 32-bit and 64-bit versions are supported. However, using 32-bit Outlook has certain limitations. For more information, see Microsoft Outlook Configuration.

Invalid S/MIME certificate — certificate key usage (KU) is empty.

The key usage (KU) value in the certificate is empty.

The KU must contain one of the following values:

Contact your administrator for assistance.

If you are an administrator, ensure the TLM certificate profile is reviewed and the KU values are configured according to your specific use case. For assistance, contact your DigiCert representative.

Invalid S/MIME certificate — the certificate key usage (KU) does not contain the required field(s).

The key usage (KU) value in the certificate does not contain the required field(s).

The KU must contain one of the following values:

Contact your administrator for assistance.

If you are an administrator, ensure the TLM certificate profile is reviewed and the KU values are configured according to your specific use case. For assistance, contact your DigiCert representative.

Invalid S/MIME certificate — certificate extended key usage (EKU) is empty.

The extended key usage (EKU) value in the certificate is empty.

The EKU must contain id-kp-emailProtection (1.3.6.1.5.5.7.3.4)

Contact your administrator for assistance.

If you are an administrator, ensure the TLM certificate profile is reviewed and the EKU values are configured according to your specific use case. For assistance, contact your DigiCert representative.

Invalid S/MIME certificate — the certificate extended key usage (EKU) does not contain the required field(s).

The extended key usage (EKU) value in the certificate does not contain the required field(s).

The EKU must contain id-kp-emailProtection (1.3.6.1.5.5.7.3.4)

Contact your administrator for assistance.

If you are an administrator, ensure the TLM certificate profile is reviewed and the EKU values are configured according to your specific use case. For assistance, contact your DigiCert representative.

The Outlook account email address does not match the email address in the certificate's Subject Alternative Name (SAN) or Subject DN (email).

The certificate contains a different email address than the one configured in your installed Outlook email account.

Make sure the Microsoft Outlook application is configured with the correct email account. Try rerunning the script once the Outlook email account is configured correctly. If the issue persists, contact your administrator for further assistance.

Outlook displays the following pop-up while executing the post-processing script.

If any of the following options on the Programmatic Access Security page (Outlook > File > Options > Trust Center > Trust Center Settings... > Programmatic Access) apply, this pop-up is displayed:

Verify the following settings:

If you are an administrator, make sure that Outlook’s Programmatic Access Security configuration is set to Warn me about suspicious activity when my antivirus software is inactive or out-of-date in the user environment, and the machine has the proper antivirus software enabled and up to date. Refer to Microsoft documentation for details about these settings.

Outlook S/MIME configuration failed.

General error message if the exact issue is not known and some internal error has occurred.

Review the DigiCert Trust Assistant logs to get more details about the issue.

The 32-bit version of Microsoft Outlook is not compatible with certificates stored in the DigiCert Software KeyStore.

The DigiCert Software KeyStore is supported only on 64-bit versions of Windows and 64-bit applications. As a result, 32-bit applications, such as 32-bit Outlook cannot access certificates stored in the DigiCert Software KeyStore.

This is a known issue. To resolve it, uninstall the 32-bit version of Microsoft Outlook, install the 64-bit version instead, and then rerun the failed script.

If you are an administrator, verify whether the 64-bit version of Outlook can be deployed over the existing 32-bit installation. If deployment is not feasible, check if the OS keystore can be used for certificate installation with 32-bit Outlook. You can do this by updating the DigiCert​​®​​ Trust Lifecycle Manager certificate profile to use the Operating System keystore instead.

For further assistance, contact your DigiCert representative.

The current user does not appear to be part of any Active Directory (AD) domain.

The user is not connected to any AD domain. The script makes use of the USERDNSDOMAIN environment variable to get the AD domain.

Make sure the required environment variable is configured correctly and then rerun the script. If the issue persists, contact your administrator for further assistance.

Unable to retrieve the current user's Distinguished Name (DN).

The script cannot access the user’s Distinguished Name (DN). The script uses Microsoft Windows security identifiers (SIDs) to fetch the DN.

Rerunning the failed script may not resolve the issue. Contact your administrator for assistance.

Unable to publish the certificate to Active Directory (AD).

Either the user does not have proper permission to publish the certificate or the LDAP connection to AD is invalid or unstable.

Make sure that the user has permission to modify the userCertificate attribute. Refer to Active Directory Publisher - Windows to know about permission entries for a user account in AD.

If the user does have proper permission, make sure that the LDAP connection to the AD is stable. Review the DigiCert Trust Assistant logs to get more details about the issue.

Generic error.

This is a generic error. Check the log for further information.

Review the DigiCert Trust Assistant log and follow the instructions provided in the message to resolve the error.

One of the required commands not found.

One or more of the commands listed in the message are missing from the system.

Make sure that all the required commands are pre-installed on macOS. If any commands are missing, it is recommended to install them. If you still encounter this error, contact your administrator for further assistance.

If the user is not logged into an Active Directory domain, the domain must be provided. Make sure the domain parameter is provided in the certificate profile.

The domain parameter was not provided in the certificate profile.

When a user’s machine is not domain-joined, domain information is required to log the user into the domain.

As an administrator, log into DigiCert Trust Lifecycle Manager, edit the profile, and add the user's Domain under the Additional settings for the Active Directory Publisher -macOS.

Failed to obtain IP address for domain.

Cannot resolve IP address for your domain.

Run the following command to resolve the address on the user's machine. Additionally, perform a reverse lookup for validation:

$ nslookup <domain>

Resolves the address properly on user machine. Reverse lookup is also required.

Also, log in as an administrator and ensure that under Additional Settings > Domain, the Active Directory Publisher – macOS is correctly configured.

Failed to obtain KDC hostname for domain.

Cannot resolve Key Distribution Center (KDC) host for your domain.

Run the following command to check and make sure the KDC host resolved from the user’s machine.

dig +short "_ldap._tcp.$domain" SRV

User cancelled the username/password input dialog.

The user machine is not domain-joined, so the script tried to log in the user to the domain, but the user cancelled the input dialog.

Retry the operation using the rerun functionality. Refer to Rerun failed post-processing scripts in DigiCert Trust Assistant for details.

Failed to log in to Active Directory domain.

The user entered the wrong credentials.

Make sure that the user is entering the correct credentials. Do not enter the username in user principal format (example: john.doe@digicert.com), removing the domain for the username.

To retry, refer to Rerun failed post-processing scripts in DigiCert Trust Assistant for details.

Failed to run ldapsearch to obtain Distinguished Name (DN) of user in Active Directory.

Failed to run the ldapsearch command used to obtain the Distinguished Name (DN) of the user in Active Directory.

Review the DigiCert Trust Assistant logs to get more details about the issue and contact your administrator for further assistance.

Failed to obtain Distinguished Name (DN) of user in Active Directory.

Failed to parse the output of the ldapsearch command.

Review the DigiCert Trust Assistant logs to get more details about the issue and contact your administrator for further assistance.

Failed to publish certificate to Active Directory for user.

Either the user does not have permission to publish the certificate or another LDAP error occurred.

Make sure that the user has permission to modify the userCertificate attribute. Refer to Active Directory Publisher - Windows to know more about the permission entries for a user account in AD.

If the user has permission, make sure that the LDAP connection to Active Directory is stable. Review the DigiCert Trust Assistant logs for more details about the issue.

Unknown error occurred.

This is an unexpected error. Check the log for further information.

Review the DigiCert Trust Assistant log and follow the instructions provided in the message to resolve the error.

Adobe Acrobat is not installed.

The Adobe Acrobat Reader application is not installed on the target machine.

Make sure that the Adobe Acrobat Reader application is installed and working correctly on the target machine.

Invalid certificate — certificate key usage (KU) is empty.

The key usage (KU) value in the certificate is empty.

The KU must contain digitalSignature.

Contact your administrator for further assistance.

If you are an administrator, ensure that the TLM certificate profile is reviewed and the KU values are configured according to your specific use case. Contact your administrator for further assistance.

Invalid certificate — the certificate key usage (KU) does not contain the required field(s).

The key usage (KU) value in the certificate does not contain the required field(s).

The KU must contain digitalSignature.

Contact your administrator for further assistance.

If you are an administrator, ensure that the TLM certificate profile is reviewed and the KU values are configured according to your specific use case. Contact your administrator for further assistance.

Invalid certificate — certificate extended key usage (EKU) is empty.

The extended key usage (EKU) value in the certificate is empty.

The EKU must contain the following EKUs:

Contact your administrator for further assistance.

If you are an administrator, ensure that the TLM certificate profile is reviewed and the EKU values are configured according to your specific use case. Contact your administrator for further assistance.

Invalid certificate — the certificate extended key usage (EKU) does not contain the required field(s).

The extended key usage (EKU) value in the certificate does not contain the required field(s).

The EKU must contain the following EKUs:

Contact your administrator for further assistance.

If you are an administrator, ensure that the TLM certificate profile is reviewed and the EKU values are configured according to your specific use case. Contact your administrator for further assistance.

Unable to configure the Adobe Acrobat security settings.

A general error message displayed when the exact issue is unknown or an internal error has occurred.

Review the DigiCert Trust Assistant logs to get more details about the issue.