KB Article #179153

Automatic migration fails from CFT 3.2.2 to 3.2.4 due to PKI migration issue

Problem

When using automatic migration from CFT 3.2.2 to CFT 3.2.4, the PKI base migration fails if the base contains more than one intermediate certificate per chain.


Cause

When more than one intermediate certificate is present for a chain in the current PKI to be migrated, the intermediate certificates are exported in the wrong order, causing issues during re-import.
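The ordering problem described above, as an added Python example that is not part of the product or of this article. It assumes (the article does not state the required order) that re-import needs each issuing CA before the certificates it signed, and that subject names are unique. The (subject, issuer) pairs are constructed sample data, not the pki-extract.conf format, and the function names are hypothetical.

```python
# Added illustration; records are constructed (subject DN, issuer DN) pairs,
# not the real pki-extract.conf format. Function names are hypothetical.
from typing import List, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN)


def first_misordered(certs: List[Cert]) -> int:
    """Return the index of the first certificate listed before its issuer, or -1."""
    subjects = {s for s, _ in certs}
    seen = set()
    for i, (subject, issuer) in enumerate(certs):
        # A self-signed root, or an issuer outside this list, has no prerequisite here.
        if issuer != subject and issuer in subjects and issuer not in seen:
            return i
        seen.add(subject)
    return -1


def issuer_first(certs: List[Cert]) -> List[Cert]:
    """Reorder so every issuer present in the list precedes what it signed."""
    by_subject = {s: (s, i) for s, i in certs}
    ordered, done = [], set()

    def place(subject, path):
        if subject in done:
            return
        if subject in path:  # malformed input: certificates that issue each other
            raise ValueError("issuer loop at " + subject)
        issuer = by_subject[subject][1]
        if issuer != subject and issuer in by_subject:
            place(issuer, path | {subject})
        done.add(subject)
        ordered.append(by_subject[subject])

    for subject, _ in certs:
        place(subject, frozenset())
    return ordered


# Constructed chain with two intermediates, listed leaf-upward.
SAMPLE = [
    ("CN=partner-leaf", "CN=Issuing CA 2"),
    ("CN=Issuing CA 2", "CN=Policy CA 1"),
    ("CN=Policy CA 1", "CN=Root CA"),
    ("CN=Root CA", "CN=Root CA"),
]
```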


Error

2017-10-05 15:02:10 INFO Applying update UP3.2.4
2017-10-05 15:02:24 ERROR ERR: failed to import PKI base
2017-10-05 15:02:24 INFO Error applying update. Rolling back actions...
2017-10-05 15:02:24 INFO Removing update UP3.2.4
2017-10-05 15:02:29 INFO Product Transfer_CFT_V3.2.2 update removed successfully
2017-10-05 15:02:29 ERROR Error on task Adding update Transfer_CFT_3.2.4_UP-from-3.2.2: An error has occurred while finalizing the installation update: ERR: failed to import PKI base

Resolution

  • export the PKI base (step A)
  • delete the existing base (step B)
  • generate a new empty PKI base (step C)
  • migrate (step D)
  • import the certificates from the step A export (step E)



A. PKIUTIL PKIEXT fout=pki-extract.conf

B. remove the existing PKI files in the CFT installation:

CFTPKU

CFTPKU.idx


C. generate new PKI files
PKIUTIL pkifile fname = 'installation-path/runtime/data/CFTPKU', mode = 'CREATE'

D. try to redo the upgrade

E. if the upgrade is successful, import the previously exported base
PKIUTIL @pki-extract.conf