Why I get error "Caused by: java.security.cert.CertificateException: Extension error: Certificate 2 does not have a basic constraints extension!"
Article ID: KB0092248
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks | - |
| Not Applicable | - |
Description
Resolution:
it indicates that the server's (secureftp.statestreetkc.com) root certificate does not have the "Basic Contraints" X509 v3 extension such as
X509v3 Basic Constraints: critical
CA:TRUE
Pl. find the excerpt of section 4.2.1.10 from spec (http://www.ietf.org/rfc/rfc2459.txt) below:
------rfc2459---------
4.2.1.10 Basic Constraints
The basic constraints extension identifies whether the subject of the
certificate is a CA and how deep a certification path may exist
through that CA.
The pathLenConstraint field is meaningful only if cA is set to TRUE.
In this case, it gives the maximum number of CA certificates that may
follow this certificate in a certification path. A value of zero
indicates that only an end-entity certificate may follow in the path.
Where it appears, the pathLenConstraint field MUST be greater than or
equal to zero. Where pathLenConstraint does not appear, there is no
limit to the allowed length of the certification path.
This extension MUST appear as a critical extension in all CA
certificates. This extension SHOULD NOT appear in end entity
certificates.
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
----------------------
This extension MUST appears in certificates that sign other leaf certificates.
it indicates that the server's (secureftp.statestreetkc.com) root certificate does not have the "Basic Contraints" X509 v3 extension such as
X509v3 Basic Constraints: critical
CA:TRUE
Pl. find the excerpt of section 4.2.1.10 from spec (http://www.ietf.org/rfc/rfc2459.txt) below:
------rfc2459---------
4.2.1.10 Basic Constraints
The basic constraints extension identifies whether the subject of the
certificate is a CA and how deep a certification path may exist
through that CA.
The pathLenConstraint field is meaningful only if cA is set to TRUE.
In this case, it gives the maximum number of CA certificates that may
follow this certificate in a certification path. A value of zero
indicates that only an end-entity certificate may follow in the path.
Where it appears, the pathLenConstraint field MUST be greater than or
equal to zero. Where pathLenConstraint does not appear, there is no
limit to the allowed length of the certification path.
This extension MUST appear as a critical extension in all CA
certificates. This extension SHOULD NOT appear in end entity
certificates.
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
----------------------
This extension MUST appears in certificates that sign other leaf certificates.
Issue/Introduction
Why I get error "Caused by: java.security.cert.CertificateException: Extension error: Certificate 2 does not have a basic constraints extension!"
Feedback
Yes
No
Powered by
