This section provides solutions for common issues encountered during mTLS certificate generation, CSR signing, and API connectivity within the Provider Connectivity Assurance environment.
CSR Signing Returns 404
A 404 error typically indicates that the request was sent to the standard RESTCONF path instead of the Distribution API. Ensure you are using the correct endpoint:
✅ Correct:
https://<PCA_IP>/distribution/sign-csr
❌ Wrong:
https://<PCA_IP>/restconf/data/...sign-csr
CSR Signing Returns 500 with "tenant_ca_certs: no such file"
This is a server-side configuration issue indicating that the CA certificate is not mounted properly within the container environment. Please contact your system administrator to verify the volume mounts.
mTLS Validation Fails
If your certificate is rejected, test it against the dedicated validation endpoint to isolate the issue:
curl -sk --cert client.pem --key client.key \
"https://<PCA_IP>/api/v1/auth/cert/validate/authorization"
If this command fails, the certificate may be invalid, expired, or not signed by the expected Provider Connectivity Assurance tenant authority.
Certificate Verification Failed
Ensure you are verifying the client certificate against the correct CA chain:
# Verify certificate chain
openssl verify -CAfile ca.crt client.pem
gNMI Connection Refused
Check the port and TLS settings. Use debug mode to identify if the handshake is failing:
# Test with verbose output
gnmic -a <PCA_IP>:443 --skip-verify --debug get --path /
PAT Token Expired
Personal Access Tokens (PAT) have a fixed expiration. If you receive an authentication error during the CSR signing process, generate a new token via the Zitadel UI or API as detailed in the Prerequisites section.
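To tell apart the causes named under "mTLS Validation Fails" and "Certificate Verification Failed" (unreadable, expired, or signed by the wrong CA), plus a key that does not match the certificate, the following added example runs the checks locally with openssl. It is not part of the original documentation; the function name check_client_cert and its return codes are assumptions of this example, and the file names follow the commands above.

```sh
#!/bin/sh
# Added example: local pre-flight check for an mTLS client certificate.
# check_client_cert and its return codes are illustrative, not a PCA tool.
#   0 = OK, 1 = unreadable file, 2 = key/cert mismatch,
#   3 = expired, 4 = not signed by the supplied CA chain
check_client_cert() {
    ccc_cert=$1; ccc_key=$2; ccc_ca=$3

    # 1. The certificate must parse as X.509 at all.
    if ! openssl x509 -in "$ccc_cert" -noout 2>/dev/null; then
        echo "FAIL: cannot read certificate $ccc_cert"; return 1
    fi

    # 2. The private key must belong to the certificate: compare public keys.
    ccc_pub_cert=$(openssl x509 -in "$ccc_cert" -noout -pubkey 2>/dev/null)
    ccc_pub_key=$(openssl pkey -in "$ccc_key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $ccc_key"; return 1
    }
    if [ "$ccc_pub_cert" != "$ccc_pub_key" ]; then
        echo "FAIL: $ccc_key does not match $ccc_cert"; return 2
    fi

    # 3. Expiry, tested separately so it is not reported as a chain error.
    if ! openssl x509 -in "$ccc_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: expired ($(openssl x509 -in "$ccc_cert" -noout -enddate))"
        return 3
    fi

    # 4. Chain: same check as 'openssl verify -CAfile ca.crt client.pem'.
    if ! openssl verify -CAfile "$ccc_ca" "$ccc_cert" >/dev/null 2>&1; then
        echo "FAIL: $ccc_cert does not chain to $ccc_ca"
        echo "      $(openssl x509 -in "$ccc_cert" -noout -issuer)"
        return 4
    fi

    echo "OK: $(openssl x509 -in "$ccc_cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Usage: ./check_cert.sh client.pem client.key ca.crt
if [ "$#" -eq 3 ]; then
    check_client_cert "$@"
fi
```

A return code of 4 with an unexpected issuer line usually means the CSR was signed by a different authority than the one in ca.crt.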
© 2026 Cisco and/or its affiliates. All rights reserved.