
Basic Constraints on WebSphere MQ CA certificates

This is a follow-up on my previous post on creating certificates for WebSphere MQ.

In one of my customers’ environments we began having trouble connecting to SSL-secured WMQ channels after we upgraded the WebSphere Message Broker Toolkit to version 6.1. After opening a ticket with IBM and getting quite a few groups within Big Blue involved, it turned out that starting with the IBM Java 1.5 JRE, they have added validation of the Basic Constraints extension on CA certificates. WMB 6.1 ships with Java 1.5. The scripts I published in my last post do not set this attribute. As far as I’ve been able to find, there is no workaround besides recreating your CA certificate, which means re-signing all your keys. This annoys me, but given that the requirement for setting Basic Constraints has been in the RFC since before dawn, the blame is pretty much my own.

4.2.1.10 Basic Constraints

The basic constraints extension identifies whether the subject of the
certificate is a CA and the maximum depth of valid certification
paths that include this certificate.

The cA boolean indicates whether the certified public key belongs to
a CA. If the cA boolean is not asserted, then the keyCertSign bit in
the key usage extension MUST NOT be asserted.

This extension MUST appear as a critical extension in all CA
certificates that contain public keys used to validate digital
signatures on certificates.

Anyways, the script is now updated. The required change is to add the argument -ca true when creating the CA certificate.
If you have any further suggestions to improve the scripts, please contact me and I’ll make sure to upgrade them.
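As an added example (not the post’s script, which fixes the problem with gsk7cmd/runmqckm’s -ca true), here is a Python check, using the cryptography package, that applies the RFC rules above to a CA certificate and reports what a strict validator like the IBM Java 1.5 JRE would object to. The certificate labels and key size are made-up test values; the two self-signed certificates are constructed inline to show the old (no Basic Constraints) and fixed (cA=TRUE, critical) cases.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ExtensionOID


def check_ca_cert(cert):
    """Return the RFC 3280 4.2.1.10 problems found in a would-be CA certificate.
    An empty list means the certificate passes the Basic Constraints checks."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
    except x509.ExtensionNotFound:
        bc = None
    is_ca = bc is not None and bc.value.ca
    if bc is None:
        problems.append("basicConstraints extension missing")
    elif not bc.value.ca:
        problems.append("basicConstraints cA is FALSE")
    elif not bc.critical:
        problems.append("basicConstraints is not marked critical")
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
    except x509.ExtensionNotFound:
        ku = None
    # cA not asserted (absent or FALSE) means keyCertSign MUST NOT be asserted.
    if ku is not None and ku.value.key_cert_sign and not is_ca:
        problems.append("keyCertSign asserted although cA is not asserted")
    return problems


def self_signed(label, with_basic_constraints):
    """Build a self-signed cert with keyCertSign set; optionally add cA=TRUE (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, label)])
    now = datetime.now(timezone.utc)
    key_usage = x509.KeyUsage(digital_signature=False, content_commitment=False,
                              key_encipherment=False, data_encipherment=False,
                              key_agreement=False, key_cert_sign=True, crl_sign=True,
                              encipher_only=False, decipher_only=False)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(key_usage, critical=True))
    if with_basic_constraints:  # the equivalent of the script's new "-ca true"
        builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print("old script CA:", check_ca_cert(self_signed("old CA", False)))
    print("fixed CA:", check_ca_cert(self_signed("fixed CA", True)))
```

To check a CA certificate you already have, load it with x509.load_pem_x509_certificate (or the DER variant) and pass it to check_ca_cert.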



Creative Commons Attribution 3.0 licensed unless otherwise specified.