Weblogic and Websphere Missing “Basic Constraints” with Entrust SSL Certificates
A problem you may have come across is your Weblogic or Websphere server complaining that the Entrust SSL certificate is missing the field Basic Constraints. It may have shown up as Java exceptions, or errors with messages about certificate chains received from a website missing the basic constraints extension. Here are some examples:
[Security:090548]The certificate chain received from www.example.com - 10.100.10.100 contained a V3 CA certificate which was missing the basic constraints extension
It can even cause some applications to fail to deploy with the following errors:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'someName' defined in class path resource [applicationContext-service.xml]: Invocation of init method failed; nested exception is javax.xml.ws.WebServiceException: weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file from url due to -- javax.net.ssl.SSLKeyException: [Security:090548]The certificate chain received from www.example.com - 10.100.10.100 contained a V3 CA certificate which was missing the basic constraints extension
These issues arise from a problem with the Entrust 2048-bit root certificate, which does not contain the Basic Constraints extension. Originally, the Basic Constraints extension was not required for X.509 CA certificates, so it is not included on some Entrust 2048-bit root certificates. Not all clients check for the presence of this extension, but some application servers, like Weblogic and Websphere, do. Entrust has since realised this could cause a problem and has re-issued the 2048-bit root certificate to include the Basic Constraints extension. So, if you are getting this error, it means you are using the slightly older certificate. But don’t worry. There is a workaround provided by Entrust, and I will go through the steps to implement it below.
The overview of this solution is detailed on the Entrust site at http://www.entrust.net/knowledge-base/technote.cfm?tn=7875
Here are the specific steps to implement the solution.
1. Log into the server where Weblogic / Websphere and Java are installed. In this example, we are using Java outside the application server. The same steps can be applied to bundled Java.
admin@myserver:/mypath/java/jdk160_05/jre/lib/security $ ../../bin/keytool -keystore cacerts -list
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 51 entries
...
entrust2048ca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): BA:21:EA:20:D6:DD:DB:8F:C1:57:8B:40:AD:A1:FC:FC
...
2. Delete the entrust2048ca cert from the keystore
admin@myserver:/mypath/java/jdk160_05/jre/lib/security $ chmod 755 cacerts
admin@myserver:/mypath/java/jdk160_05/jre/lib/security $ ../../bin/keytool -keystore cacerts -delete -alias entrust2048ca
Enter keystore password: changeit
3. Import the certificate files from Entrust into the Java keystore
- entrust_l1c.cer (L1C chain certificate)
- entrust_2048_ssl.cer (2048 chain certificate)
- entrust_ssl_ca.cer (1024 root certificate)
admin@myserver:/mypath/java/jdk160_05/jre/lib/security $ ../../bin/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer
Enter keystore password: changeit
$ ../../bin/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer
Enter keystore password: changeit
Certificate was added to keystore
admin@myserver:/mypath/java/jdk160_05/jre/lib/security $ ../../bin/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer
Enter keystore password: changeit
Certificate already exists in keystore under alias <entrustsslca>
Do you still want to add it? [no]: yes
Certificate was added to keystore
4. Delete entrustsslca from the cert store (if one exists).
admin@myserver:/mypath/java/jdk160_05/jre/lib/security $ ../../bin/keytool -keystore cacerts -delete -alias entrustsslca
Enter keystore password: changeit
5. Restart the Weblogic / Websphere instances
That’s it! You should be all set at this point, and the errors/exceptions should be gone.
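To check the trust store after the steps above, this added example (not part of the original post or of Entrust's technote) filters `keytool -list -v` output for trusted X.509 v3 certificates that still lack the Basic Constraints extension. The sample input is constructed; the function names and the alias legacy_v1_root are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: read `keytool -list -v` output on
# stdin and print the alias of every trustedCertEntry that is an X.509 v3
# certificate with no BasicConstraints extension (OID 2.5.29.19).
missing_basic_constraints() {
    awk '
        function report() {
            if (alias != "" && trusted && version == 3 && !has_bc) print alias
        }
        /^Alias name: / {
            report()
            alias = $0
            sub(/^Alias name: /, "", alias)
            sub(/[ \t\r]+$/, "", alias)
            trusted = 0; version = 0; has_bc = 0
        }
        /^Entry type: trustedCertEntry/        { trusted = 1 }
        /^[ \t]*Version: /                     { version = $NF + 0 }
        /ObjectId: 2\.5\.29\.19 Criticality=/  { has_bc = 1 }
        END { report() }
    '
}

# Constructed sample in the shape of `keytool -list -v` output. Owner values
# and the alias legacy_v1_root are made up; fingerprints are left out.
sample_keytool_output() {
    cat <<'EOF'
Alias name: entrust2048ca
Entry type: trustedCertEntry
Owner: CN=Constructed Old Root
  Version: 3
*******************************************
Alias name: entrust_2048_ssl_chain
Entry type: trustedCertEntry
Owner: CN=Constructed Reissued Root
  Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
*******************************************
Alias name: legacy_v1_root
Entry type: trustedCertEntry
Owner: CN=Constructed V1 Root
  Version: 1
EOF
}

sample_keytool_output | missing_basic_constraints   # prints the flagged alias
```

Against a real store, pipe the output of `../../bin/keytool -keystore cacerts -list -v` into `missing_basic_constraints`; an empty result means no trusted v3 entry is missing the extension.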
Additional help on installation can be found under: http://www.entrust.net/knowledge-base/technote.cfm?tn=7869
The chain and root certificates referenced in the solution can be downloaded from Entrust: https://www.entrust.net/downloads/root_index.cfm

Thanks so much for posting this. My WebLogic 10 application just got hit with this when attempting to connect to a new service. Everything above is nicely laid out, step by step.
Awesome.. Thanks…. BTW your picture looks a little faded.
Hi, I am getting the following error after adding a server certificate to cacerts in the weblogic. Please help me to resolve this problem.
The certificate chain received from xxxxx.com – 72.xx.xx.xxx contained a V3 CA certificate which indicated a certificate chain path length in the basic constraints that was exceeded.