
AST Certificate Authority Error Codes (SubSystem 510)

Certificate Request (Error Codes 10-19)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 10 | 403 | InvalidCsrSignature | The provided CSR's signature wasn't valid |
| 510 | 11 | 400 | UnsupportedKeyType | The provided CSR's key algorithm isn't supported |
| 510 | 12 | 400 | BadKey | The provided CSR's key doesn't meet requirements |
| 510 | 13 | 400 | UnsupportedAlgorithm | An algorithm (signature or digest) was unsupported |
| 510 | 14 | 403 | BadProfile | The requested certificate profile isn't allowed on the endpoint |
| 510 | 15 | 500 | UnsupportedProfile | The requested certificate profile isn't supported by the Issuer CA |

Certificate Retrieval (Error Codes 20-29)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 20 | 409 | NotYetSigned | The certificate was not yet signed |
| 510 | 21 | 410 | AlreadyDelivered | The certificate was already delivered and was evicted |
| 510 | 22 | 410 | IssuanceFailed | The certificate couldn't be issued successfully |

SDK Config Creation (Error Codes 30-39)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 30 | 412 | SignerNotYetIssued | The signer certificate wasn't issued yet |
| 510 | 31 | 500 | SdkConfigSignError | There was an error signing the SDK config |

Signer Management (Error Codes 40-49)

Signer Creation and Use (Error Codes 40-44)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 40 | 409 | SignerAlreadyExists | A signer for the tenant already exists |
| 510 | 41 | 409 | SignerRevoked | The requested signer was revoked and may not be used anymore |
| 510 | 42 | 409 | SignerCreationConflict | A conflicting signer was created by a concurrent operation. The caller may check the state of the signer via one of the GET APIs and retry if necessary. |

Signer Deletion (Error Codes 45-49)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 45 | 409 | SignerAlreadyInUse | The signer was already used to issue a certificate and can't be deleted anymore |

Public Key Provider (Error Codes 50-59)

Public Key Registration (Error Codes 50-54)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 50 | 403 | PasswordAuthMissing | The access token's AMR did not imply that the user has a password |
| 510 | 51 | 409 | KeyAlreadyExists | A key with the same thumbprint is already registered |

Public Key Retrieval (Error Codes 55-59)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 55 | 410 | KeyExpired | The key with the given kid and tenant expired and can no longer be used |

Session Encryption (Error Codes 60-69)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 60 | 500 | EncryptionError | An unexpected error occurred when encrypting a response |
| 510 | 61 | 400 | DecryptionError | An error occurred when decrypting a request |

Bad Request Codes (Error Codes 400 and 400x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 400 | 400 | BadRequest | An unspecified Bad Request error. Look for details in the message. |
| 510 | 4001 | 400 | MissingField | A required field was missing in the request |
| 510 | 4002 | 400 | MalformedField | A field in the request had a wrong format |
| 510 | 4003 | 400 | BadPagination | Invalid pagination parameters |
| 510 | 4004 | 400 | BadFilter | Invalid filter string |
| 510 | 4005 | 400 | MalformedBody | The request body was malformed and couldn't be parsed |

Unauthorized Codes (Error Codes 401 and 401x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 401 | 401 | Unauthorized | There was a problem authorizing the request, see below for details |
| 510 | 4011 | 401 | TlsClientAuthMissing | The mTLS client certificate header was missing or didn't contain a certificate |

Details about 510-401 Unauthorized

This error code includes cases like

  • The header was missing
  • The token could not be decoded
  • The token is from a different realm than the tenant in the request path
  • The token was expired (exp), not yet valid (nbf) or issued in the future (iat)
  • The token's issuer (iss) did not match the expected value discovered from the IdP
    • This is most likely a realm configuration problem in Keycloak, such as not configuring the "Frontend URL" setting in the realm, which is required in a typical setup
      • Failing to configure the Frontend URL will result in a mismatch between the issuer URL that was discovered by the service inside the cluster, and the issuer in the JWT issued for a client outside the cluster
    • After changing the realm configuration, it is necessary to restart the service in order for it to rediscover the realm configuration
  • The token's audience (aud) didn't include all required values specified in the service config (default: none)
  • The token's signature did not match the public key discovered from the IdP
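A triage helper for the claim-level causes listed above, as an added example that is not part of the AST documentation or service code. It decodes the token without verifying the signature, so it is for diagnosis only; the function names, host names and sample token are constructed.

```python
import base64
import json
import time

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def triage_401(token, discovered_issuer, required_aud=(), now=None, leeway=0):
    """Return the claim-level causes of a 510-401 that apply to this token."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["token could not be decoded"]
    findings = []
    if "exp" in claims and now > claims["exp"] + leeway:
        findings.append("expired (exp)")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        findings.append("not yet valid (nbf)")
    if "iat" in claims and now < claims["iat"] - leeway:
        findings.append("issued in the future (iat)")
    if claims.get("iss") != discovered_issuer:
        findings.append(f"issuer mismatch: token iss={claims.get('iss')!r}, "
                        f"discovered={discovered_issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    missing = [a for a in required_aud if a not in aud]
    if missing:
        findings.append(f"audience missing {missing}")
    return findings

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: token minted via the external URL, while the service
# discovered the realm through a cluster-internal URL (Frontend URL not set).
SAMPLE = ".".join([_b64({"alg": "RS256"}),
                   _b64({"iss": "https://idp.example.com/realms/acme",
                         "aud": "account", "exp": 2000, "nbf": 1000, "iat": 1000}),
                   "c2ln"])
```

An empty result means the claims are consistent and the remaining candidates are the header, realm and signature checks, which this helper does not cover.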

Forbidden / Bad Token Codes (Error Codes 403 and 403x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 403 | 403 | Forbidden | The user has no permission to access the resource |
| 510 | 4031 | 403 | MissingUserId | The user ID is missing in the access token |
| 510 | 4032 | 403 | MissingUserName | The user name is missing in the access token |
| 510 | 4033 | 403 | MissingClientId | The AST client ID is missing in the access token |
| 510 | 4036 | 403 | SessionKeyNotFound | The session key with the given ID was not found |
| 510 | 4037 | 403 | SessionKeyDecryptionFailed | The session key could not be decrypted |

Not Found Codes (Error Codes 404 and 404x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 4041 | 404 | SignerNotFound | A signer with the given ID does not exist |
| 510 | 4042 | 404 | CertificateNotFound | A certificate with the given ID does not exist |
| 510 | 4043 | 404 | SignerNotFoundForTenant | The requested signer for the given tenant does not exist |
| 510 | 4044 | 404 | IssuerSerialNotFound | The combination of issuer and serial was not found |
| 510 | 4045 | 404 | KeyNotFound | The key with the given kid and tenant wasn't found |

OIDC Errors (Error Codes 100x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 1000 | 500 | GeneralError | An unexpected error occurred while authenticating the request. See the log for details. |
| 510 | 1001 | 500 | IssuerNotConfigured | The OIDC issuer is not configured. This is probably due to misconfiguration of api.security.openidConnect.baseUrl. See the log for details. |
| 510 | 1002 | 404 | RealmDoesNotExist | The realm corresponding to the tenant ID in the request does not exist in the IDP. See the log for details. |
| 510 | 1003 | 503 | IdpUnavailable | The IDP could not be reached for OIDC discovery. This may be a temporary error or due to misconfiguration. See the log for details. |
| 510 | 1004 | 502 | BadResponse | The IDP response could not be parsed. See the log for details. |
| 510 | 1005 | 502 | UnexpectedError | The IDP returned an unexpected error response during OIDC Discovery. See the log for details. |
| 510 | 1006 | 500 | IssuerMismatch | The issuer URL returned from OIDC Discovery doesn't match the expected one generated from the configuration. This is probably due to realm misconfiguration in the IDP. See the log for details. |
| 510 | 1007 | 500 | UnsupportedFlow | The OIDC configuration returned from the IDP specified an unsupported flow. This is probably due to realm misconfiguration in the IDP. See the log for details. |

General Error Codes (Error Codes 500, 503 and 500x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 500 | 500 | InternalError | An unexpected error occurred |
| 510 | 5001 | 500 | DbError | An unexpected error occurred during a database operation |
| 510 | 5002 | 500 | KafkaError | An unexpected error occurred during a Kafka operation |
| 510 | 5003 | 500 | SignerError | An unexpected error occurred during a certificate issuance operation |
| 510 | 503 | 503 | ServiceUnavailable | The service's availability was disrupted, look for details in the message. |

Configuration Errors (Error Codes 500xx)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 510 | 50010 | 500 | UnknownTopicRoutingKey | An outbox item with an unknown topic routing key was encountered |
| 510 | 50020 | 500 | TrustStoreDoesNotExist | The trust store file does not exist |
| 510 | 50021 | 500 | TrustStoreRequired | A trust store was required for the configured SSL mode, but none was given |