IBM Support

End user tried to act as a CA

Troubleshooting


Problem

The following error is seen when attempting to validate a server certificate chain during an SSL operation: End user tried to act as a CA.

Cause

The root CA certificate does not contain the BASIC CONSTRAINTS extension.

Resolving The Problem

As per the X.509 v3 specification, any root CA certificate is supposed to contain a BASIC CONSTRAINTS extension with the CA flag set to TRUE. Otherwise, the certificate is deemed to be an end-entity certificate and not a CA certificate. During the SSL handshake, if a server certificate chain uses a root CA certificate that does not have this extension set correctly, the handshake can fail at the client end with the error message above.

To resolve the issue, contact the CA that issued the certificate and have the server certificate chain corrected. Another potential workaround is to use the IbmPKIX trust manager instead of the IbmX509 trust manager at the client end. The trust manager is set in the java.security file using the property "ssl.TrustManagerFactory.algorithm".
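One way to locate the certificate that triggers this error, as an added example that is not IBM's code: it reports the trust manager algorithm the JVM resolves from ssl.TrustManagerFactory.algorithm and lists self-issued certificates whose BASIC CONSTRAINTS extension is missing or has CA set to FALSE. The class name BasicConstraintsAudit and the optional chain-file argument are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class BasicConstraintsAudit {
    // getBasicConstraints() returns -1 when the extension is absent or its CA flag is FALSE.
    static boolean isMarkedAsCa(X509Certificate cert) {
        return cert.getBasicConstraints() != -1;
    }

    static List<X509Certificate> load(String[] args) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        if (args.length > 0) {
            // Hypothetical input: a PEM or DER file holding the server certificate chain.
            try (InputStream in = new FileInputStream(args[0])) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                    certs.add((X509Certificate) c);
                }
            }
        } else {
            // No argument: audit the certificates in the JVM's default trust store.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) certs.add(c);
                }
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("ssl.TrustManagerFactory.algorithm resolves to: " + TrustManagerFactory.getDefaultAlgorithm());
        int flagged = 0;
        for (X509Certificate cert : load(args)) {
            boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            // A self-issued certificate that is not marked as a CA cannot serve as a root CA.
            if (selfIssued && !isMarkedAsCa(cert)) {
                flagged++;
                System.out.println("NOT A CA (v" + cert.getVersion() + "): " + cert.getSubjectX500Principal().getName());
            }
        }
        System.out.println(flagged + " self-issued certificate(s) lack BasicConstraints CA=TRUE");
    }
}
```

A version 1 certificate is always flagged, because X.509 extensions only exist in version 3 certificates.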

Product Synonym

IBM JSSE2

Document Information

Modified date:
16 June 2018

UID

swg21456835