z/OS Cryptographic Services PKI Services Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IKYS019I

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

IKYS019I
The CA certificate does not have path length constraint capabilities

Explanation

The EnablePathLenConstraint keyword was specified in the pkiserv.conf configuration file, but the PKI Services CA certificate does not meet the requirements for establishing path length constraint. One or more of the following conditions is true for the CA certificate:
  • The key usage extension is present, but the keyCertSign bit is not set.
  • The basic constraints extension is absent.
  • The basic constraints extension is not set correctly in at least one of the following ways:
    • It is not marked critical.
    • The value of cA is not true.
    • The value of pathLenConstraint is not in the range 0 - 16.

System action

PKI Services stops.

System programmer response

Either choose another CA certificate that has the appropriate basic constraints extension, or turn off the EnablePathLenConstraint keyword in pkiserv.conf. For more information about the EnablePathLenConstraint keyword, see (Optional) Steps for updating the configuration file.
Parent topic: Messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014