
Weblogic and Websphere Missing “Basic Constraints” with Entrust SSL Certificates

A problem you may have come across is your Weblogic or Websphere server complaining that the Entrust SSL certificate is missing the Basic Constraints field. It may show up as Java exceptions, or as errors saying that the certificate chain received from a website is missing the basic constraints extension. Here are some examples:

[Security:090548]The certificate chain received from www.example.com - 10.100.10.100 contained a V3 CA certificate which was missing the basic constraints extension

It can even cause some applications to fail to deploy with the following errors:

Caused by: org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'someName' defined in class path resource [applicationContext-service.xml]:
Invocation of init method failed; nested exception is javax.xml.ws.WebServiceException: weblogic.wsee.wsdl.WsdlException:
Failed to read wsdl file from url due to -- javax.net.ssl.SSLKeyException:
[Security:090548]The certificate chain received from www.example.com - 10.100.10.100 contained a V3 CA certificate which was missing the basic constraints extension



These issues arise from a problem with the Entrust 2048-bit root certificate, which does not contain the Basic Constraints extension. Originally the Basic Constraints extension was not required for X.509 CA certificates, and it is absent from some Entrust 2048-bit root certificates. Not all clients check for the presence of this extension, but some application servers, such as Weblogic and Websphere, do. Entrust has since realised this could cause a problem and has re-issued the 2048-bit root certificate to include the Basic Constraints extension. So, if you are getting this error, it means you are using the slightly older certificate. But don’t worry. There is a workaround provided by Entrust, and I will go through the steps to implement it below.


The overview of this solution is detailed on the Entrust site at http://www.entrust.net/knowledge-base/technote.cfm?tn=7875


Here are the specific steps to implement the solution.


1.  Log into the server where Weblogic / Websphere and Java are installed. In this example, we are using a Java installation outside the application server; the same steps apply to the bundled Java.

admin@myserver:/mypath/java/jdk160_05/jre/lib/security
$ ../../bin/keytool -keystore cacerts -list
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 51 entries
...
entrust2048ca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): BA:21:EA:20:D6:DD:DB:8F:C1:57:8B:40:AD:A1:FC:FC
...



2.  Delete entrust2048ca cert from keystore

admin@myserver:/mypath/java/jdk160_05/jre/lib/security
$ chmod 755 cacerts
admin@myserver:/mypath/java/jdk160_05/jre/lib/security
$ ../../bin/keytool -keystore cacerts -delete -alias entrust2048ca
Enter keystore password: changeit



3.  Import the certificate files from Entrust into the java keystore

admin@myserver:/mypath/java/jdk160_05/jre/lib/security
$ ../../bin/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer
Enter keystore password: changeit
$ ../../bin/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer
Enter keystore password: changeit
Certificate was added to keystore
admin@myserver:/mypath/java/jdk160_05/jre/lib/security
$ ../../bin/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer
Enter keystore password: changeit
Certificate already exists in keystore under alias <entrustsslca>
Do you still want to add it? [no]:  yes
Certificate was added to keystore



4. Delete entrustsslca from cert store (if one exists).

admin@myserver:/mypath/java/jdk160_05/jre/lib/security
$ ../../bin/keytool -keystore cacerts -delete -alias entrustsslca
Enter keystore password: changeit



5.  Restart the Weblogic / Websphere instances


That’s it!  You should be all set at this point, and the errors/exceptions should be gone.
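Before touching the keystore it helps to know exactly which alias is the offender, and after step 5 it helps to confirm nothing else in cacerts will trigger the same error. The following Java program is an added example for this post, not code from Entrust, Oracle or IBM: it opens a JKS truststore and reports every trustedCertEntry that is an X.509 v3 certificate with no Basic Constraints extension (OID 2.5.29.19), which is precisely the condition behind [Security:090548]. The class name, the command-line arguments and the default password "changeit" are assumptions; the keystore path is whatever cacerts you are about to edit. Run it once before step 2 (expect entrust2048ca in the output) and once after step 5 (expect none).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/**
 * Lists the trusted CA entries in a JKS truststore (e.g. cacerts) whose
 * certificate is X.509 v3 but carries no Basic Constraints extension.
 * These are the entries Weblogic / Websphere reject with [Security:090548].
 *
 * Usage (assumed): java BasicConstraintsCheck <path-to-cacerts> [storepass]
 * Written for JDK 6 so it compiles with the bundled Java used above.
 */
public class BasicConstraintsCheck {

    /** OID of the X.509 Basic Constraints extension (RFC 5280, 4.2.1.9). */
    private static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";

    /** Returns the aliases of v3 trusted certificates that lack Basic Constraints. */
    public static List<String> findV3CertsWithoutBasicConstraints(KeyStore ks) throws Exception {
        List<String> offenders = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // only trustedCertEntry items are used for chain building
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            // getExtensionValue() returns null only when the extension is absent;
            // getBasicConstraints() alone cannot tell "absent" from "cA=false".
            boolean hasBasicConstraints = x509.getExtensionValue(BASIC_CONSTRAINTS_OID) != null;
            // v1 roots have no extensions at all and are not what the error is about.
            if (x509.getVersion() == 3 && !hasBasicConstraints) {
                offenders.add(alias);
            }
        }
        Collections.sort(offenders);
        return offenders;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java BasicConstraintsCheck <cacerts> [storepass]");
            System.exit(2);
        }
        String storePass = args.length > 1 ? args[1] : "changeit"; // assumed default
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, storePass.toCharArray());
        } finally {
            in.close();
        }
        List<String> offenders = findV3CertsWithoutBasicConstraints(ks);
        if (offenders.isEmpty()) {
            System.out.println("OK: every v3 trusted CA entry carries Basic Constraints");
            return;
        }
        System.out.println(offenders.size() + " v3 trusted entries lack Basic Constraints:");
        for (String alias : offenders) {
            X509Certificate x509 = (X509Certificate) ks.getCertificate(alias);
            System.out.println("  " + alias
                    + "  subject=" + x509.getSubjectX500Principal().getName()
                    + "  notAfter=" + x509.getNotAfter());
        }
        System.exit(1); // non-zero so the check can gate a deployment script
    }
}
```

Compile and run it with the same JDK the server uses (for the layout above, `../../bin/javac BasicConstraintsCheck.java && ../../bin/java BasicConstraintsCheck cacerts`), since a different JDK may ship a different cacerts. The program only reads the keystore; the edits themselves stay with keytool as shown in the steps.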


Additional help on installation can be found under: http://www.entrust.net/knowledge-base/technote.cfm?tn=7869

The chain and root certificates referenced in the solution can be downloaded from Entrust: https://www.entrust.net/downloads/root_index.cfm