Charles Mills wrote:
>Where did this self-signed certificate come from? What tool generated it?

It was internally generated. That's all I know. It's a test system.

>Case should not be a problem in a self-signed certificate. Technically I guess it is possible but you would almost have to do it on purpose.

>I think the trace is pretty clear. I don't fully understand the big picture, but I think the trace is pretty clear as to what it is objecting to. Perhaps this is a tightened requirement in 1.3?

Well, I think you're right - it's perfectly clear *once you understand the terms it uses*. This is sort of a classic software problem, eh? The "obvious" message that means nothing to you when you receive it!

It's saying:
* X509v3 Basic Constraints is/are set in this certificate, per RFC 3280*
* But the Basic Constraints is NOT defined as Critical
* This is a requirement per that RFC (odd IMHO: if it's only meaningful if you set that, then why bother?)
* And yes, I think this is new as of TLS 1.3

We regenerated a new cert with Critical and it works.

Hopefully this thread will help the next person who gets ERROR check_cert_extensions_3280_and_later(): Basic Constraints extension must be critical for CA Certificate !

Thanks to all for your help. This wound up sorta being a rubber duck debugging exercise, but ya got me there!

...phsiii

*Not the coder's fault that "3280" makes me think of a terminal
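An added example, not part of the thread and not the code behind the quoted error message: a Python check that flags a CA certificate whose Basic Constraints extension is present but not marked critical, the condition the message reports. It assumes the input is the DER-encoded Extensions SEQUENCE taken from a certificate; the function names and the sample bytes are constructed for illustration.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19 (id-ce-basicConstraints)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield the (tag, value) pairs inside a constructed element
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_basic_constraints(extensions_der):
    """Return 'ok', 'absent', or 'ca-not-critical' for an Extensions SEQUENCE."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE of extensions")
    for _, ext in children(body):
        fields = list(children(ext))  # extnID, optional critical BOOLEAN, extnValue
        if fields[0] != (0x06, BASIC_CONSTRAINTS):
            continue  # some other extension, e.g. keyUsage
        critical = any(t == 0x01 and v != b"\x00" for t, v in fields[1:-1])
        # extnValue is an OCTET STRING wrapping SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
        _, bc_seq, _ = read_tlv(fields[-1][1], 0)
        is_ca = any(t == 0x01 and v != b"\x00" for t, v in list(children(bc_seq))[:1])
        return "ca-not-critical" if is_ca and not critical else "ok"
    return "absent"

def tlv(tag, body):  # encoder used only to build the constructed samples (short lengths)
    return bytes([tag, len(body)]) + body

def sample_extensions(critical, ca=True):
    """Constructed sample: keyUsage plus basicConstraints, not a real certificate."""
    flag = tlv(0x01, b"\xff") if critical else b""
    ca_flag = tlv(0x01, b"\xff") if ca else b""
    key_usage = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f") + tlv(0x01, b"\xff") + tlv(0x04, b"\x03\x02\x01\x06"))
    basic = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + flag + tlv(0x04, tlv(0x30, ca_flag)))
    return tlv(0x30, key_usage + basic)

if __name__ == "__main__":
    print({c: check_basic_constraints(sample_extensions(c)) for c in (False, True)})
```
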
