Skip to Content

Java AS refuses SSL client cert authentication with: "is not a CA certificate"

Hi all,

I'm trying to setup client certificate authentication on a Java AS 7.31 SP13.

I followed all the available online manuals, importing keys and certificates, configuring keystore in NWA and also configuring ICM.

Still, in ICM I get the following error:

[Thr 1944] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"

[Thr 1944] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 1944] session uses PSE file "D:\usr\sap\PO1\J00\sec\SAPSSLS.pse"

[Thr 1944] SecudeSSL_SessionStart: SSL_accept() failed --

[Thr 1944] secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"

[Thr 1944] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1944] ERROR in ssl3_get_client_certificate: (9/0x0009) the verification of the client's certificate chain failed

[Thr 1944] ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete

[Thr 1944] ERROR in get_path: (106/0x006a) Can't verify certificate with PKRoot: Is not a CA certificate

[Thr 1944] << ---------- End of Secude-SSL Errorstack ----------

The client certificate that I'm using is self-signed, but I've imported it as Trusted CA and also in the SSL keystores in NWA.

Also, I've updated the profile parameters for ICM:



Not sure what is going on here, in particular I don't understand the "Is not a CA certificate" message.

Sorry if this is some naive question, but I'm pretty new to these topics and any help would be greatly appreciated

Could anyone please assist?

Thanks, regards


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Oct 17, 2014 at 03:11 PM
    Add comment
    10|10000 characters needed characters exceeded

    • The problem was that any x.509 v3 certificate which must act as a CA, must have an attribute "Basic Constraints" with values "CA" or "End Entity", otherwise it can't be used as CA. This requirement applies also in case of self-signed certificates.