Impact

If an invalid CA certificate is included in the CA trust chain, it will not be usable to build the chain of trust for the server certificate. If clients cannot build a chain of trust from the server certificate to a trusted root CA, they will refuse to communicate with the server.

Cause

All of the certificates included in the CA trust chain file must be valid CA certificates. CA certificates have special requirements regarding which properties must be set and the value of some attributes. If these requirements are not met, the certificates are considered invalid.

While there are many issues that can cause an intermediate CA certificate to be considered invalid, some of the most common are

• The certificate does not have a basicConstraints extension or the cA component of the basicConstraints extension is not set to true

• The certificate is in legacy X.509 v1 format

• The subject or issuer field of the certificate is empty