z/OS Cryptographic Services PKI Services Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IKYC086I

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

IKYC086I
Requests for CA certificates are prohibited by path length constraint.

Explanation

The CA certificate in use has a path length constraint value of zero, which prohibits the creation of subordinate or intermediate CA certificates when the EnablePathLenContraint keyword is set to T in the pkiserv.conf file. Because the certificate request includes Certificate Authority key usage bits (keyCertSign or cRLSign, or both), it is considered to be a request for a CA certificate.

System action

The certificate request fails.

System programmer response

If this configuration was intended, restrict the requestor from requesting the keyCertSign key usage. For example, remove the keyusage list from the PKI Services web page. If this configuration was not intended, perform one of the following actions and restart PKI Services:
  • Disable path length constraint by removing the EnablePathLenConstraint keyword or setting its value to F.
  • Reconfigure PKI Services to use a CA certificate that does not constrain the path length, or that has the path length greater than zero.
Parent topic: Messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014