Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2009-08-31 10:14:03.0

TN 7875 - Basic Constraints and Entrust Certificates

Problem: You have received an error message that your certificate is missing the field "Basic Constraints".

Solution: Implement the Entrust 2048 bit chain certificate on the server.

The Entrust 2048 bit root certificate (Entrust.net Certification Authority (2048)) does not contain the Basic Constraints extension.

The Basic Constraints extension is used during certification path validation of end entity certificates. Basic Constraints carries two important pieces of information:

1. Whether the certificate is a CA certificate (the cA flag).

2. The number of CA certificates that are allowed in the chain below the root (the path length constraint).

This helps the relying party software (the browser) validate the chain. If Basic Constraints is absent, the certificate is assumed to be an end entity certificate. If Basic Constraints is present with CA=false, the certificate is an end entity certificate and cannot be used to sign other certificates.
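As an added example (not part of the Entrust article), the Python below decodes the DER-encoded value of a BasicConstraints extension, that is, the two fields just listed, and states what a relying party should conclude from it, including the two cases described above: the extension absent, and present with CA=false. The sample encodings are constructed for illustration and are not taken from any Entrust certificate.

```python
"""Decode an X.509 BasicConstraints extension value (DER) and state what a
relying party should conclude from it. Added example, not Entrust code."""

from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Return (cA, pathLenConstraint) from a DER-encoded BasicConstraints value:

        BasicConstraints ::= SEQUENCE {
            cA                 BOOLEAN DEFAULT FALSE,
            pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca = False          # DEFAULT FALSE: an empty SEQUENCE means cA=false
    path_len = None
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x01:                      # BOOLEAN (DER encodes TRUE as 0xFF)
            ca = value != b"\x00"
        elif tag == 0x02:                    # INTEGER
            path_len = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in BasicConstraints")
    if path_len is not None and not ca:
        # RFC 5280 4.2.1.9: pathLenConstraint is only meaningful when cA is TRUE
        raise ValueError("pathLenConstraint present but cA is FALSE")
    return ca, path_len


def describe(der: Optional[bytes]) -> str:
    """Relying-party interpretation, following the reasoning in the article."""
    if der is None:
        return "no Basic Constraints: treated as an end entity certificate"
    ca, path_len = decode_basic_constraints(der)
    if not ca:
        return "CA=false: end entity certificate, cannot sign other certificates"
    if path_len is None:
        return "CA=true, no path length limit"
    return f"CA=true, at most {path_len} CA certificate(s) may follow it in the chain"


# Constructed sample extension values (DER); not taken from any real certificate.
SAMPLES = {
    "root_ca": bytes.fromhex("30 03 01 01 ff"),               # cA=TRUE
    "intermediate": bytes.fromhex("30 06 01 01 ff 02 01 00"), # cA=TRUE, pathLen=0
    "end_entity": bytes.fromhex("30 00"),                     # empty SEQUENCE: cA defaults to FALSE
    "v1_style_root": None,                                    # extension absent, as on the old 2048 root
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:14s} {describe(der)}")
```

The decoder is deliberately limited to the BasicConstraints SEQUENCE; in a real certificate this value sits inside the extension's OCTET STRING, which a full X.509 parser (or a library such as OpenSSL) would unwrap first.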

In the days of X.509v1, the Basic Constraints extension was not required for CA certificates (v1 certificates carry no extensions at all). There are many X.509v1 roots in Windows, none of which use the Basic Constraints extension. Our 2048 root does not contain the Basic Constraints extension. This does not cause problems with most popular browsers and servers, although a few do check for this field; this has been seen mainly with IBM WebSphere and BEA WebLogic servers.

Entrust has re-issued the 2048 root to include the Basic Constraints extension. If you are getting an error regarding Basic Constraints, your certificate was issued using the older version of our 2048 root. In this case, you can change your certification path so that your certificate chains through our 1024 bit root, which does include the Basic Constraints extension. Once the chain certificate is added to your certification path, the 1024 bit root becomes the trust anchor instead of the 2048 bit root.

The original certification path to the Entrust 2048 root looks like this:

->SSL Certificate (Webserver certificate)
    ->L1B Intermediate
        ->2048 Root

When implementing the 2048 to 1024 chain, create the following certification path on the server:

->SSL Certificate (Webserver certificate)
    ->L1B Intermediate
        ->Entrust 2048 Chain
            ->1024 Root

To implement this certification path:

1 - Install the L1B Chain certificate as an intermediate certificate, if this has not already been done.

2 - Install the Entrust 2048 Chain on the server as an intermediate certificate.

3 - Ensure that the Entrust 1024 bit root certificate is installed.

4 - Remove the 2048 bit root from the server's certificate store. If that certificate remains in the store, the server may select it, because the path through it is the shortest (only 3 levels), and it is the certificate that lacks the Basic Constraints extension and causes the error. Removing it ensures that the server uses the intended certification path.

If your server is in communication with another server, you must implement the same certificate chaining on both sides. Check the certificate store on the other server to make sure that the correct roots and chains have been installed and removed.
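As an added example (not Entrust's code), the Python below simulates how a server or browser builds a certification path from its certificate store, picks the shortest one, and checks Basic Constraints along it under two policies: strict (every issuing certificate must carry cA=TRUE, the behaviour attributed above to IBM WebSphere and BEA WebLogic) and lenient (a self-signed root without the extension is tolerated, as most browsers do). The certificate names follow the two path diagrams above, but the subjects, issuers and extension contents are constructed, and the real Entrust certificates' path length constraints are not known from this article. The simulation shows why step 4 matters: while the old 2048 root is still in the store, the 3-level path through it wins on length and fails the strict check; once it is removed, the 4-level path through the Entrust 2048 Chain and the 1024 root validates.

```python
"""Certification path selection and Basic Constraints checking, simplified.
Added example, not Entrust code. Names mirror the paths in the article;
all certificate contents below are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # None: extension absent (the old 2048 root); True/False: the cA flag.
    basic_constraints: Optional[bool]
    # pathLenConstraint; only meaningful when cA is TRUE. Assumed values only.
    path_len: Optional[int] = None

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_paths(leaf: Cert, store: List[Cert]) -> List[List[Cert]]:
    """Every issuer chain from the leaf up to a self-signed certificate in the store."""
    paths: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        top = chain[-1]
        if top.self_signed:
            paths.append(chain)
            return
        for cand in store:
            if cand.subject == top.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return paths


def validate(path: List[Cert], strict: bool) -> Optional[str]:
    """None if the path passes, otherwise the reason it fails.

    strict=True  : every issuing certificate must carry cA=TRUE.
    strict=False : a self-signed root with no extension is tolerated; a non-root
                   without the extension is still treated as an end entity and
                   therefore rejected as an issuer.
    """
    for i, cert in enumerate(path[1:], start=1):
        if cert.basic_constraints is False:
            return f"{cert.subject}: CA=false, cannot sign other certificates"
        if cert.basic_constraints is None and (strict or not cert.self_signed):
            return f"{cert.subject}: no Basic Constraints extension"
        # i - 1 = number of CA certificates between this one and the leaf
        if cert.path_len is not None and i - 1 > cert.path_len:
            return f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded"
    return None


def evaluate(leaf: Cert, store: List[Cert], strict: bool) -> Tuple[int, Optional[str]]:
    """Pick the shortest available path (as the article says the server does) and validate it."""
    path = min(build_paths(leaf, store), key=len)
    return len(path), validate(path, strict)


# Constructed certificates: names follow the article, contents are illustrative.
LEAF = Cert("www.example.com", "Entrust L1B", basic_constraints=False)
L1B = Cert("Entrust L1B", "Entrust.net CA (2048)", basic_constraints=True)
OLD_2048_ROOT = Cert("Entrust.net CA (2048)", "Entrust.net CA (2048)", basic_constraints=None)
CHAIN_2048 = Cert("Entrust.net CA (2048)", "Entrust.net CA (1024)", basic_constraints=True)
ROOT_1024 = Cert("Entrust.net CA (1024)", "Entrust.net CA (1024)", basic_constraints=True)

ORIGINAL_STORE = [L1B, OLD_2048_ROOT]                        # first path diagram
BEFORE_STEP_4 = [L1B, OLD_2048_ROOT, CHAIN_2048, ROOT_1024]  # steps 1-3 done, old root still present
AFTER_STEP_4 = [L1B, CHAIN_2048, ROOT_1024]                  # old 2048 root removed

if __name__ == "__main__":
    for name, store in [("original", ORIGINAL_STORE),
                        ("before step 4", BEFORE_STEP_4),
                        ("after step 4", AFTER_STEP_4)]:
        for strict in (False, True):
            levels, problem = evaluate(LEAF, store, strict)
            print(f"{name:14s} strict={strict!s:5s} levels={levels} -> {problem or 'OK'}")
```

The same evaluation applies to the peer server mentioned above: run it against that server's store too, since a stale copy of the old root there produces the same short, failing path.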

All of the appropriate chains and roots can be accessed through the Entrust root download page:

http://www.entrust.net/developer/index.cfm.
