
Java AS refuses SSL client cert authentication with: "is not a CA certificate"

Hi all,

I'm trying to set up client certificate authentication on a Java AS 7.31 SP13.

I followed all the available online manuals, importing keys and certificates, configuring the keystore in NWA and also configuring ICM.

Still, in ICM I get the following error:

[Thr 1944] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 1944] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 1944] session uses PSE file "D:\usr\sap\PO1\J00\sec\SAPSSLS.pse"
[Thr 1944] SecudeSSL_SessionStart: SSL_accept() failed --
[Thr 1944] secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"
[Thr 1944] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 1944] ERROR in ssl3_get_client_certificate: (9/0x0009) the verification of the client's certificate chain failed
[Thr 1944] ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete
[Thr 1944] ERROR in get_path: (106/0x006a) Can't verify certificate with PKRoot: Is not a CA certificate
[Thr 1944] << ---------- End of Secude-SSL Errorstack ----------

The client certificate that I'm using is self-signed, but I've imported it as Trusted CA and also in the SSL keystores in NWA.

Also, I've updated the profile parameters for ICM:

icm/HTTPS/trust_client_with_subject
icm/HTTPS/trust_client_with_issuer
Not sure what is going on here; in particular, I don't understand the "Is not a CA certificate" message.

Sorry if this is a naive question, but I'm pretty new to these topics and any help would be greatly appreciated.

Could anyone please assist?

Thanks, regards

Vincenzo


1 Answer

  • Best Answer
    Oct 17, 2014 at 03:11 PM

The problem was that any X.509 v3 certificate which must act as a CA must have an attribute "Basic Constraints" with values "CA" or "End Entity"; otherwise it can't be used as a CA. This requirement also applies in the case of self-signed certificates.