Going back to the first message...
I'm getting this trying to use a self-signed certificate. I put it into
gskkyman and when I try to connect (outbound from z/OS) I get
Certificate validation error
from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows:
09/07/2022-17:30:14 Thd-1 ERROR check_cert_extensions_3280_and_later():
*Basic Constraints extension must be critical for CA Certificate*
For my CA with OpenSSL I have an openssl-ca.cnf file with
[ req_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
*basicConstraints = critical,CA:TRUE, pathlen:0*
keyUsage = keyCertSign, digitalSignature,cRLSign
It looks like you may not have this.
On Linux I use
openssl x509 -in cs256.pem -text -noout|less
and it gives me
X509v3 extensions:
    X509v3 Subject Key Identifier:
        58:30:AF:55:C7:
    X509v3 Authority Key Identifier:
        keyid:58:30:...
    *X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    X509v3 Key Usage:
        Digital Signature, Certificate Sign, CRL Sign*
Display your certificate, and check it.
Colin
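
The check suggested above can be scripted. The following is an added example, not part of the original message: it parses the extensions block of `openssl x509 -text -noout` output and reports a CA certificate whose Basic Constraints is not marked critical, the condition named in the gsktrace line. The sample texts, the signature algorithm in them, and the function names are constructed for illustration.

```python
import re

# Constructed sample: extensions block as printed by `openssl x509 -text -noout`.
SAMPLE_OK = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                58:30:AF:55:C7:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
"""
# Constructed sample: same CA, but Basic Constraints is not flagged critical.
SAMPLE_BAD = SAMPLE_OK.replace("Constraints: critical", "Constraints:")

HEADER = re.compile(r"^(?P<name>.+?):\s*(?P<crit>critical)?$")

def parse_extensions(text):
    """Map extension name -> (critical flag, value text)."""
    exts, name, base, head = {}, None, None, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        body = line.strip()
        indent = len(line) - len(line.lstrip())
        if base is None:                      # still looking for the block
            base = indent if body == "X509v3 extensions:" else None
            continue
        if indent <= base:                    # left the extensions block
            break
        head = indent if head is None else head
        m = HEADER.match(body)
        if indent == head and m:              # an extension header line
            name = m.group("name")
            exts[name] = (m.group("crit") is not None, "")
        elif name:                            # deeper indent: the value
            exts[name] = (exts[name][0], (exts[name][1] + " " + body).strip())
    return exts

def ca_problems(text):
    """Return findings for the rule in the gsktrace message; [] means none."""
    exts = parse_extensions(text)
    crit, value = exts.get("X509v3 Basic Constraints", (False, ""))
    usage = exts.get("X509v3 Key Usage", (False, ""))[1]
    found = []
    if "CA:TRUE" in value and not crit:
        found.append("Basic Constraints is CA:TRUE but not critical")
    if "CA:TRUE" in value and usage and "Certificate Sign" not in usage:
        found.append("CA certificate Key Usage lacks Certificate Sign")
    return found
```

Pass `ca_problems()` the text printed by the `openssl x509 -in cs256.pem -text -noout` command shown above; an empty list means both checks passed.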