
Deactivating Certificates in the Database

Use

For the trust manager to be able to import a certificate request response, the response must be in the correct format: a PKCS#7 certificate chain that contains both the requester's signed public-key certificate and the issuing CA's root certificate. If intermediate CAs are also used, then their public-key certificates must also be included in the response.

However, if your certificate request response contains only the requester's certificate, then the trust manager automatically builds the PKCS#7 certificate chain format as necessary using this certificate and the issuing CA's root certificate. A prerequisite for this procedure is that the CA's root certificate must exist in the certificate store. If the CA's root certificate does not exist or is deactivated, then an error occurs when importing the response.

Note

The trust manager cannot build the correct format if intermediate CAs are used.

You may want to deactivate a certificate in the certificate store so that the system does not use the certificate to build the PKCS#7 certificate chain format from the certificate request response. This may be necessary, for example, if the certificate store contains multiple entries for a CA where the Distinguished Names are identical. In this case, deactivate those entries that are not to be used for building the correct format for the response.

Procedure

From the Trust Manager screen:

  1. Choose Certificate Database.
  2. The View Maintenance for the Certificate Database screen appears.

  3. Select the Inactive indicator for those certificates that you want to deactivate.
  4. Save the data.

Result

The certificates that you deactivate are not used to build the certificate request responses.

Example

The certificate store contains the following entries:

Certificate Store

| Short name | Category | Distinguished Name | Inactive | Description |
|---|---|---|---|---|
| SAPTRUST | Server Certificate | CN=Server CA, OU=Server, O=SAP Trust Community, C=DE | | SAP Server CA |
| SAPTRUST | User Certificate | CN=SAP Passport CA, O=SAP Trust Community, C=DE | | SAP Passport CA |
| SAP_WP | Server Certificate | CN=mySAP.com Workplace CA (dsa), O=mySAP.com Workplace, C=DE | | SAP Workplace CA (DSA) |
| MYCA | Server Certificate | CN=myCA, O=myCompany, C=US | | myCA Server CA |
| MYCA | User Certificate | CN=myCA, O=myCompany, C=US | X | myCA User CA |
| MYCA | Test Certificate | CN=myCA, O=myCompany, C=US | X | myCA Test CA |

In the case of MYCA, all three CAs have the same Distinguished Name. We have therefore deactivated the entries for the myCA User CA and the myCA Test CA. The system then uses the public-key certificate belonging to the myCA Server CA for building certificate request responses from the myCA.
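The selection rule described above can be modeled offline to check a certificate database listing before importing a response. The following Python sketch is an added example, not SAP code: the `Entry` type and the functions `normalize_dn`, `select_issuer` and `audit` are hypothetical names, the DN comparison is simplified, and treating several active entries with one Distinguished Name as an error is an assumption of the sketch.

```python
from collections import defaultdict
from typing import NamedTuple

class Entry(NamedTuple):
    short_name: str
    category: str
    dn: str
    inactive: bool
    description: str

SAP, MY = "O=SAP Trust Community, C=DE", "CN=myCA, O=myCompany, C=US"
# Rows copied from the example table on this page.
STORE = [
    Entry("SAPTRUST", "Server Certificate", "CN=Server CA, OU=Server, " + SAP, False, "SAP Server CA"),
    Entry("SAPTRUST", "User Certificate", "CN=SAP Passport CA, " + SAP, False, "SAP Passport CA"),
    Entry("SAP_WP", "Server Certificate", "CN=mySAP.com Workplace CA (dsa), O=mySAP.com Workplace, C=DE",
          False, "SAP Workplace CA (DSA)"),
    Entry("MYCA", "Server Certificate", MY, False, "myCA Server CA"),
    Entry("MYCA", "User Certificate", MY, True, "myCA User CA"),
    Entry("MYCA", "Test Certificate", MY, True, "myCA Test CA"),
]

def normalize_dn(dn):
    """Simplified DN comparison key: ignores spacing and attribute-type case (no escaped commas)."""
    pairs = (rdn.strip().partition("=") for rdn in dn.split(","))
    return tuple((k.strip().upper(), v.strip()) for k, _, v in pairs)

def select_issuer(store, issuer_dn):
    """Return the one active CA entry for issuer_dn, as needed to build the chain."""
    want = normalize_dn(issuer_dn)
    active = [e for e in store if not e.inactive and normalize_dn(e.dn) == want]
    if not active:
        # Per the page: a missing or deactivated root certificate makes the import fail.
        raise LookupError(f"no active CA entry for {issuer_dn!r}")
    if len(active) > 1:
        # Assumption of this sketch: more than one active match is reported as an error.
        raise LookupError(f"{len(active)} active entries share {issuer_dn!r}")
    return active[0]

def audit(store):
    """Classify each DN in the store as 'ok', 'ambiguous' or 'all inactive'."""
    groups = defaultdict(list)
    for e in store:
        groups[normalize_dn(e.dn)].append(e)
    report = {}
    for entries in groups.values():
        n = sum(not e.inactive for e in entries)
        report[entries[0].dn] = "ok" if n == 1 else "ambiguous" if n > 1 else "all inactive"
    return report
```

Running `audit` on a listing in which a DN is reported as `ambiguous` or `all inactive` points to the entries to review in the View Maintenance screen before importing the response.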

 

 

 

 
