Attila Fogarasi kindly replied suggesting a case problem, which I'm
perfectly willing to believe but don't have any idea how to verify. Nothing
LOOKS off.
Meanwhile, some more digging suggests that it may be that the error message
is actually correct and clear, FSVO clear!
If I run

    openssl x509 -in voltage-ca.crt -text -noout

against that cert I see:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE

But other reading suggests this should be:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE

and that this is therefore an omission in creating the cert. This is an RFC
3280 <https://datatracker.ietf.org/doc/html/rfc3280#section-4.2.1.10>
requirement, but I strongly suspect that it gets ignored by many stacks. I
find other discussions that support this conclusion indirectly. It certainly
fits with the typical IBM strict interpretation of RFCs, which is hard to
argue with. I have a handful of random certs from past tinkering, and
running that command against them finds most do NOT have the Basic
Constraints set and/or have critical.
I'm asking if we can regenerate the cert either without the Basic
Constraints or with critical.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
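
The check described in the post, as an added example that is not part of the original message: a shell filter that reads `openssl x509 -text -noout` output and reports whether a CA certificate's Basic Constraints extension carries the critical flag. The function names `bc_status` and `check_cert` are hypothetical, and the sample text is constructed to mirror the two layouts quoted above.

```shell
#!/bin/sh
# Added example: classify the Basic Constraints extension from the text that
# `openssl x509 -text -noout` prints. Function names are hypothetical.

# Reads `openssl x509 -text` output on stdin and prints one of:
#   absent | not-ca | ca-critical | ca-not-critical
bc_status() {
  awk '
    /X509v3 Basic Constraints:/ {
      found = 1
      # "critical" follows the extension name on the same line when set
      critical = ($0 ~ /Basic Constraints:[ \t]*critical/)
      getline                      # the value (CA:TRUE/FALSE) is on the next line
      ca = ($0 ~ /CA:TRUE/)
      exit                         # jump to END; the extension appears only once
    }
    END {
      if (!found)        print "absent"
      else if (!ca)      print "not-ca"
      else if (critical) print "ca-critical"
      else               print "ca-not-critical"
    }'
}

# Same check against a PEM certificate file, using the command from the post.
check_cert() {
  openssl x509 -in "$1" -text -noout | bc_status
}

# Constructed samples mirroring the two layouts quoted in the post.
SAMPLE_NOT_CRITICAL='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE'
SAMPLE_CRITICAL='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'

printf 'not-critical sample: %s\n' "$(printf '%s\n' "$SAMPLE_NOT_CRITICAL" | bc_status)"
printf 'critical sample:     %s\n' "$(printf '%s\n' "$SAMPLE_CRITICAL" | bc_status)"
```

Running `check_cert` over a directory of trust anchors before importing them shows which ones a strict validator would reject for this reason.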