Troubleshooting
Problem
The following error is seen when attempting to validate a server certificate chain during an SSL operation: End user tried to act as a CA.
Cause
The root CA certificate does not contain the BASIC CONSTRAINTS extension.
Resolving The Problem
Per the X.509 v3 specification, any root CA certificate is supposed to contain a BASIC CONSTRAINTS extension with the CA flag set to TRUE. Otherwise, the certificate is deemed to be an end-entity certificate and not a CA certificate. During the SSL handshake, if a server certificate chain uses a root CA certificate that does not have this extension set correctly, the handshake can fail at the client end with the error message above.

To resolve the issue, contact the CA that issued the certificate and get the server certificate chain corrected. Another potential workaround is to use the IbmPKIX trustmanager instead of the IbmX509 trustmanager at the client end. The trustmanager is set in the java.security file using the property "ssl.TrustManagerFactory.algorithm".
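To find which root certificate is affected before contacting the CA, the following added example (not IBM code) lists self-issued certificates whose BASIC CONSTRAINTS extension is missing or does not set CA to TRUE, and prints the current value of the trustmanager property. The class name BasicConstraintsAudit, the optional PEM file argument, and the use of "subject equals issuer" to identify root certificates are assumptions of this example.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class BasicConstraintsAudit {
    // getBasicConstraints() returns -1 when the extension is absent or its CA flag is FALSE.
    static boolean isMarkedCa(X509Certificate c) {
        return c.getBasicConstraints() != -1;
    }

    // With a PEM path argument: the certificates in that file.
    // Without arguments: the trust anchors of the JVM's default truststore.
    static List<X509Certificate> load(String[] args) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        if (args.length > 0) {
            try (InputStream in = new FileInputStream(args[0])) {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                for (Certificate c : cf.generateCertificates(in)) {
                    out.add((X509Certificate) c);
                }
            }
            return out;
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                Collections.addAll(out, ((X509TrustManager) tm).getAcceptedIssuers());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String prop = "ssl.TrustManagerFactory.algorithm";
        System.out.println(prop + " = " + Security.getProperty(prop));
        int flagged = 0;
        for (X509Certificate c : load(args)) {
            boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            if (selfIssued && !isMarkedCa(c)) {
                flagged++;
                System.out.println("NOT A CA (v" + c.getVersion() + "): " + c.getSubjectX500Principal());
            }
        }
        System.out.println(flagged + " self-issued certificate(s) without CA set to TRUE");
    }
}
```

Run it on the client with the server's chain exported to a PEM file as the argument, or with no argument to audit the client JVM's default truststore.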
Product Synonym
IBM JSSE2
Document Information
Modified date: 16 June 2018
UID: swg21456835