Trying to follow this. Who connects to who? (I'm not knowledgeable about ZCEE.) Is ZCEE the client (initiator of the connection) and CICS the server? If so, then CICS needs a *server* certificate and the lack of clientAuth is not the problem -- not with that certificate anyway.
If CICS is configured for client certificate authentication -- that's always a *server* option, not a configuration option at the client end -- then ZCEE has to present a certificate that proves its identity, and CICS would need access to a local trusted chain that signs that certificate. THAT certificate would need or potentially need clientAuth. And presumably CICS would check that identity against some list of permitted clients.

> IF the app recognizes the extension AND the flag
> is FALSE, is it REQUIRED to honor restrictions

Well, for your purposes, it doesn't really matter what it is required to do, does it? Certainly it is at least permitted to do so -- otherwise what the heck would be the purpose or function of the extension? And at least apparently from your description, that is what it is doing. (And FWIW, I *think* yes, it is required to honor an extension that it understands, even if not critical.)

Although I *suspect* perhaps there is some sort of confusion here over what certificate is in error, and in what way. As I tried to say earlier, the function of "critical" is to say "if you do NOT understand this extension then you are required to reject the certificate."

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Michael Babcock
Sent: Monday, February 28, 2022 11:32 AM
To: [email protected]
Subject: Re: Certificates, extKeyUsage and Criticality flag

I know which cert has the problem. It's the CICS SITE certificate, which has serverAuth only in the extKeyUsage extension. What I'm trying to understand is IF the criticality flag is false AND the app recognizes the extension, is it REQUIRED to honor the restrictions of said extension (if indeed there are restrictions). From what I've read, IF the app DOES NOT recognize the extension and IF the flag is TRUE, then the app MUST reject the cert.

Further, IF the app DOES NOT recognize the extension AND the flag is FALSE, then the app can IGNORE the extension. However, I cannot determine (or comprehend what I'm reading) that IF the app recognizes the extension AND the flag is FALSE, is it REQUIRED to honor restrictions (or is it simply up to the app to make a decision - honor or not).
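A worked check of the situation the thread describes, added here as an example and not code from either poster: it builds a constructed self-signed certificate whose extKeyUsage lists only serverAuth, confirms that the extension is non-critical, and then asks Go's standard crypto/x509 verifier whether the certificate is acceptable for serverAuth and for clientAuth. The function names makeSelfSigned, ekuCritical and usableFor, and the subject name "cics-site", are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed certificate whose extKeyUsage
// extension lists only the given purposes; Go always marks that extension non-critical.
func makeSelfSigned(cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ekuCritical reports whether id-ce-extKeyUsage (OID 2.5.29.37) is present and critical.
func ekuCritical(c *x509.Certificate) (present, critical bool) {
	for _, e := range c.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 37}) {
			return true, e.Critical
		}
	}
	return false, false
}

// usableFor asks Go's chain verifier whether c may be used for one purpose, trusting c
// as its own anchor. The EKU list is enforced even though the extension is non-critical.
func usableFor(c *x509.Certificate, purpose x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}
```

With a serverAuth-only certificate, usableFor returns true for x509.ExtKeyUsageServerAuth and false for x509.ExtKeyUsageClientAuth, while a certificate with no extKeyUsage extension at all is accepted for either purpose.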
