protocol7 archive
29 June 2008

Basic Constraints on WebSphere MQ CA certificates

This is a follow-up on my previous post on creating certificates for WebSphere MQ.

In one of my customers' environments we began having trouble connecting to SSL-secured WMQ channels when we upgraded the WebSphere Message Broker Toolkit to version 6.1. After opening a ticket with IBM and getting quite a few groups within Big Blue involved, it turned out that starting with the IBM Java 1.5 JRE, they added validation of Basic Constraints on CA certificates. WMB 6.1 ships with Java 1.5. The scripts I published in my last post do not set this attribute. As far as I've been able to find, there is no workaround besides recreating your CA certificate, which means re-signing all your keys. This annoys me, but given that the requirement for setting Basic Constraints has been in the RFC since before dawn, the blame is pretty much my own.

    4.2.1.10  Basic Constraints (RFC 3280)

    The basic constraints extension identifies whether the subject of the
    certificate is a CA and the maximum depth of valid certification
    paths that include this certificate.

    The cA boolean indicates whether the certified public key belongs to
    a CA.  If the cA boolean is not asserted, then the keyCertSign bit in
    the key usage extension MUST NOT be asserted.

    This extension MUST appear as a critical extension in all CA
    certificates that contain public keys used to validate digital
    signatures on certificates.

Anyway, the script is now updated. The required change is to add the argument "-ca true" when creating the CA certificate. Because extensions sit inside the signed part of the certificate, a missing Basic Constraints extension cannot be added to an existing CA certificate afterwards; the CA certificate has to be generated again and every certificate it signed re-issued.
If you have any further suggestions to improve the scripts, please contact me and I'll make sure to update them.

tags: ca - certificate - websphere - wmq