I have a very strange problem when connecting to an https url:

 [Security:090548]The certificate chain received from services.rdc.nl - 217.115.224.68 contained a V3 CA certificate which was missing the basic constraints extension

There is almost no information available about this error code. When testing the url with OpenSSL, all certificates have the basic constraints extension. Using standard Java gives no problems.

The error occurs both on weblogic 8.1 sp5 and sp6. We provide a keystore with the root certificate.

Has anyone experienced similar problems and found a solution?

A: 

Your certificate is missing the basic constraints, which most other SSL implementations don't care about.

You can disable this check,

 -Dweblogic.security.SSL.enforceConstraints=off

Or get a new certificate.

ZZ Coder
I should have mentioned that I have already found that solution. The certificate is from a supplier, and the problems started when they renewed their server certificate.
Salandur
That's weird. All commercial CAs should have that constraint. Does your supplier use their own CA?
ZZ Coder
A: 

Newer certifications from Verisign require both the root certificate and the intermediate certificate be available. Obviously JDK 1.4.2 predates those newer intermediate certificates. As the poster found, the newer certificates are renewed requiring both certs and if you are missing one it will fail. This is even a problem with weblogic 10.2.

John Liptak
+1  A: 

This is an issue with Entrust SSL certificates missing the Basic Constraints extension. Please check out the following article for a solution: http://blog.mythictechnologies.com/2010/06/04/weblogic-and-websphere-missing-basic-constraints-with-entrust-ssl-certificates/

Sasha
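
The condition named in the error message (a V3 CA certificate without the basic constraints extension) can be checked per certificate with OpenSSL. The script below is an added example, not code from any of the posts above; `check_chain` and `make_cert` are hypothetical helper names, and it assumes the input lists the leaf certificate first, as a server sends it.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Flags issuing certificates in a PEM
# chain that are X.509 v3 but lack basicConstraints CA:TRUE.
# Assumption: input is ordered leaf first, so every later cert acts as a CA.

# check_chain FILE: FILE is a PEM bundle or raw `s_client -showcerts` output.
# Prints one line per certificate; returns 1 if any CA certificate fails.
check_chain() {
  local tmp f text ver status rc=0 i=0
  tmp=$(mktemp -d)
  # Split the input into one file per certificate, ignoring non-PEM text.
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { if (out != "") close(out); out = "" }' "$1"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    text=$(openssl x509 -in "$f" -noout -text)
    ver=$(printf '%s\n' "$text" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p')
    if [ "$i" -eq 0 ]; then
      status="leaf (not checked)"
    elif [ "$ver" != 3 ]; then
      status="ok (not a v3 certificate)"
    elif printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
      status="ok"
    else
      status="FAIL: v3 CA certificate without basicConstraints CA:TRUE"; rc=1
    fi
    echo "cert[$i] v$ver $status"
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return $rc
}

# make_cert OUT CN EXT_LINE: constructed self-signed v3 certificate carrying
# exactly one extension line, used only to produce sample input offline.
make_cert() {
  local cfg
  cfg=$(mktemp)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\n%s\n' \
    "$2" "$3" > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
    -days 1 -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```

Feed it the saved output of `openssl s_client -connect HOST:443 -showcerts`. Certificates that exist only in the client's trust keystore are not part of that output and have to be exported and checked separately.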