Classification: FMOS
Category: X.509 certificate usage or issue
Severity: Error
Summary
The supplied certificate is not a CA certificate.
Description
This error is reported by fmos pki import-ca when the supplied certificate cannot be used as a CA certificate.
Impact
The FMOS system CA trust store can only accept certificates that have a basicConstraints extension with the cA bit set. Any certificate issued by a certificate authority that uses a certificate without the basicConstraints extension or with the cA bit unset will not be trusted.
Cause
X.509v3 certificates can have a basicConstraints extension that can be used to indicate whether or not the certificate is valid for use as a certificate authority. If the extension is missing, the certificate is not usable as a CA certificate. If the extension is present, it must have the cA bit set in order to be usable as a CA.
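The three cases described above (extension missing, extension present with cA unset, extension present with cA set) can be checked before an import attempt. This is an added example, not FMOS code: the function names are hypothetical, the parser assumes DER input laid out as in RFC 5280, and `sample_cert` builds constructed, unsigned certificate skeletons as test input.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19 id-ce-basicConstraints

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        yield tag, content

def ca_status(cert_der):
    """Return 'ca', 'not-ca' (extension present, cA unset) or 'missing'."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs = next(children(cert))  # tbsCertificate is the first element
    for tag, value in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT extensions
            continue
        _, extensions = next(children(value))
        for _, ext in children(extensions):
            fields = list(children(ext))  # extnID, optional critical, extnValue
            if fields[0] == (0x06, BASIC_CONSTRAINTS_OID):
                _, bc = next(children(fields[-1][1]))  # SEQUENCE in OCTET STRING
                first = next(children(bc), None)  # cA BOOLEAN, absent means FALSE
                return "ca" if first and first[0] == 0x01 and first[1] != b"\x00" else "not-ca"
    return "missing"

def tlv(tag, body=b""):
    """Encode one DER element (used only to build the constructed samples)."""
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(ln)]) + ln
    return bytes([tag]) + size + body

def sample_cert(bc_body=None):
    """Constructed, unsigned certificate skeleton; bc_body=None omits the extension."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    tbs = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, tlv(0x30),
           tlv(0x30, tlv(0x17, b"250101000000Z") * 2), tlv(0x30),
           tlv(0x30, alg + tlv(0x03, b"\x00"))]
    if bc_body is not None:
        ext = tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, bc_body))
        tbs.append(tlv(0xA3, tlv(0x30, tlv(0x30, ext))))
    return tlv(0x30, tlv(0x30, b"".join(tbs)) + alg + tlv(0x03, b"\x00"))
```

For a PEM file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert` and pass the result to `ca_status`; only a result of `ca` matches the condition this article describes for acceptance.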
Resolution
If the certificate authority uses a certificate without the basicConstraints extension or with the cA bit unset, the certificate cannot be added to the FMOS system CA trust store, and certificates issued by this CA will not be trus