BC throws an error "Extension error: Certificate 3 does not have a basic constraints extension!" when uploading a new certificate in the partner credential store or when connecting to a trading partner via https or https/ca.
Article ID: KB0092688
Products | Versions
TIBCO BusinessConnect | -
Not Applicable | -
Description:
BC throws an error "Extension error: Certificate <number> does not have a basic constraints extension!" when uploading a new certificate in the partner credential store or when connecting to a trading partner via https or https/ca.
Environment:
TIBCO BusinessConnect 5.X
Operating System(s): All
Java Runtime Environment (JRE): All
Symptoms:
See description above.
Cause:
This issue has arisen recently with customers using Entrust certificates due to a requirement from Microsoft and the USA NIST (National Institute of Standards and Technology) that all new certificates use a 2048-bit key rather than a 1024-bit key. See the following articles on Entrust's website for details:
In the case of the certificate upload, the problem is that the certificate chain contained in the certificate file (.p7b or .cer) either
a. does not have an X509v3 root certificate with a "Basic Constraints" attribute that contains "Subject Type=CA", OR
b. does have an X509v3 root certificate with a "Basic Constraints" attribute that contains "CA=false".
In the case of a failed SSL handshake, the certificate chain presented by the server is "broken" for the same reason. The root certificate presented must conform to X509v3 standards and contain a "Basic Constraints" attribute with "Subject Type=CA" in it. BC will not accept an SSL handshake with a "broken" certificate anywhere in the chain presented.
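To find which certificate in a chain lacks the extension before uploading it, the following added example (not TIBCO code) reports for each certificate in a PEM file whether Basic Constraints is absent, CA=false or CA=true. It assumes the .p7b or .cer content has already been converted to PEM; the function names and the constructed skeleton certificates in SAMPLES are illustrative.

```python
import base64, re
BASIC_CONSTRAINTS = bytes.fromhex("551d13")    # OID 2.5.29.19
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes are the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf):
    """Yield (tag, value) for each DER element packed in buf."""
    pos = 0
    while pos < len(buf):
        tag, start, pos = tlv(buf, pos)
        yield tag, buf[start:pos]

def basic_constraints(cert_der):
    """Classify one DER certificate as 'absent', 'CA=false' or 'CA=true'."""
    tbs = next(children(next(children(cert_der))[1]))[1]   # Certificate -> TBSCertificate
    for tag, wrapper in children(tbs):
        if tag != 0xA3:                        # [3] extensions, present only in X.509 v3
            continue
        for _, ext in children(next(children(wrapper))[1]):
            fields = list(children(ext))       # OID, optional critical flag, OCTET STRING
            if fields[0][1] != BASIC_CONSTRAINTS:
                continue
            body = next(children(fields[-1][1]))[1]        # BasicConstraints SEQUENCE
            flags = [v for t, v in children(body) if t == 0x01]
            return "CA=true" if flags and flags[0] != b"\x00" else "CA=false"
    return "absent"

def check_chain(pem_text):
    """Return [(position in file, status)] for every PEM certificate in pem_text."""
    ders = [base64.b64decode(b) for b in PEM_CERT.findall(pem_text)]
    return [(i, basic_constraints(d)) for i, d in enumerate(ders, 1)]

# Constructed skeletons (version, serial, extensions only; no names, key or signature).
SAMPLES = {
    "CA=true":  "301f301da003020102020101a3133011300f0603551d130101ff040530030101ff",
    "CA=false": "30193017a003020102020101a30d300b30090603551d1304023000",
    "absent":   "300a3008a003020102020101",
}

if __name__ == "__main__":
    for expected, hexder in SAMPLES.items():
        print(expected, "->", basic_constraints(bytes.fromhex(hexder)))
```

For a real chain, pass the PEM text of the file to check_chain(); the root certificate should report CA=true.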
Resolution:
For the certificate upload issue, you must get a revised certificate file (.p7b or .cer) that contains the correct root certificate described above. The certificate issuer should be able to provide you with this root certificate as well as instructions as to how to create the certificate file with the correct certificates in it. In the case of Entrust, see this article for details:
a. a full certificate chain with the correct root certificate as the last certificate in the chain, or
b. present a certificate chain that ends with an intermediate certificate that is signed by the root certificate in the BC Certificate store.
Work with your trading partner to have them configure their server to present the correct certificate as part of the SSL handshake.