Category: X.509 certificate usage or issue
The supplied CA chain includes an invalid CA certificate.
This error is reported by fmos pki import-server-cert or fmos pki import-cpl-cert when the supplied CA trust chain file includes an invalid CA certificate.
If an invalid CA certificate is included in the CA trust chain, it will not be usable to build the chain of trust for the server certificate. If clients cannot build a chain of trust from the server certificate to a trusted root CA, they will refuse to communicate with the server.
All of the certificates included in the CA trust chain file must be valid CA certificates. CA certificates have special requirements regarding which properties must be set and the value of some attributes. If these requirements are not met, the certificates are considered invalid.
While there are many issues that can cause an intermediate CA certificate to be considered invalid, some of the most common are:
- The certificate does not have a basicConstraints extension, or the cA component of the basicConstraints extension is not set to true.
- The certificate is in legacy X.509 v1 format.
- The subject or issuer field of the certificate is empty.
When an invalid CA certificate is encountered, it cannot be used. The only resolution is to obtain a new or updated certificate from the certificate authority.
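To find which certificate in a chain file needs replacing, the three common defects listed above can be checked before import. The following Python script is an added example, not FMOS code and not the check that fmos pki itself performs; its function names are its own, it assumes a PEM chain file of well-formed DER certificates, and it does not verify signatures or validity dates.

```python
import base64, re, sys
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def tlv(buf, pos):
    """Decode one DER element at pos -> (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Return the (tag, start, end) elements directly inside buf[start:end]."""
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def ca_cert_problems(der):
    """List which of the three common defects one DER certificate shows."""
    problems, version, is_ca = [], 1, None
    tbs = children(der, *tlv(der, tlv(der, 0)[1])[1:])  # TBSCertificate fields
    if tbs[0][0] == 0xA0:  # explicit [0] version (absent means v1); value is its last byte
        version, tbs = der[tbs[0][2] - 1] + 1, tbs[1:]
    if version == 1:
        problems.append("legacy X.509 v1 format")
    for label, (_, s, e) in (("issuer", tbs[2]), ("subject", tbs[4])):
        if s == e:  # Name is a SEQUENCE with no RDNs in it
            problems.append(f"{label} field is empty")
    for _, xs, _ in (f for f in tbs[6:] if f[0] == 0xA3):  # explicit [3] extensions
        for _, es, ee in children(der, *tlv(der, xs)[1:]):
            ext = children(der, es, ee)  # OID, optional critical flag, OCTET STRING
            if der[ext[0][1]:ext[0][2]] == BASIC_CONSTRAINTS:
                bc = children(der, *tlv(der, ext[-1][1])[1:])
                is_ca = bool(bc) and bc[0][0] == 0x01 and der[bc[0][1]] != 0
    if not is_ca:
        why = "extension is missing" if is_ca is None else "cA is not true"
        problems.append("basicConstraints " + why)
    return problems

def chain_problems(pem_text):
    """Map each certificate's position in a PEM chain file to its defects."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END", pem_text, re.S)
    return {i: ca_cert_problems(base64.b64decode(b)) for i, b in enumerate(blocks, 1)}

if __name__ == "__main__" and len(sys.argv) > 1:
    for i, found in chain_problems(open(sys.argv[1]).read()).items():
        print(f"certificate {i}:", "; ".join(found) or "none of the listed defects")
```

Run it with the chain file path as the only argument; certificates are numbered in the order they appear in the file.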