How to fix com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised in WebSphere

Summary

When working with IBM WebSphere Application Server (WAS) versions 8.5.5.24 or 9.0.5.21, particularly in environments configured with TAM/ISAM (Tivoli Access Manager / IBM Security Access Manager) integration, you might encounter the following error while attempting to renew WebSphere default certificates via WebSphere console.

com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)


Additionally, WebSphere logs (SystemOut.log, trace.log) show a more detailed trace:


Caused by: com.ibm.websphere.ssl.SSLException: CWPKI0043E: Error creating a chained certificate. The exception that occurred is: 3008-737 A certificate attribute was not recognised. .
at com.ibm.ws.ssl.config.CertificateManager.chainedCertificateCreate(CertificateManager.java:740)
at com.ibm.ws.ssl.config.CertificateManager.chainedCertificateCreate(CertificateManager.java:508)
at com.ibm.ws.security.common.util.MergeSecurityConfig.merge(MergeSecurityConfig.java:1069)
at com.ibm.ws.management.configarchive.AddNodeSecurityExt.executeStep(AddNodeSecurityExt.java:139)
... 37 more
Caused by: com.ibm.security.certclient.base.PkRejectionException: 3008-737 A certificate attribute was not recognised. (wraps: java.security.cert.CertificateException: Subject class type invalid.)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.generatenewCertificate(PkNewCertFactory.java:839)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertImpl.(PkNewCertFactory.java:595)
at com.ibm.security.certclient.util.PkNewCertFactory.newCert(PkNewCertFactory.java:369)
at com.ibm.ws.ssl.config.CertificateManager.chainedCertificateCreate(CertificateManager.java:730)