insatlled a new entrust exchange intermediate cert on two VPN code version 7.1r41. I then tried to install on a 7.3r3 code. I am getting the above error no matter what I do. I keep recovering the cert chains from importing system config and then deleteing more of the chain. I deleted entire entrust cert chain and reimported it.
I do get a warning on 7.1r41 code may be invalid but it works. My not be valid CA cert
I think I found answer in Forums
One error that we've noticed when re-importing the CA certificate that may have something to do with it:
"ERR23036 Invalid certificate purpose on \'O=xxxx OU=xxxx, CN=xxxxx\"
This issue was determined to be we did not have Basic Constraints:CA:TRUE in our CA. However after doing that it still was not working.
After a long battle I ended up rolling back to 7.1 R1.1 and then upgrading back to 7.1 R2 with the new CA and NOW everything is working.
The unfortunate part is no where in any documentation on the R2 upgrade does it say this CA requirement for basic constraints was added.
Message 24 of 37(623 Views)
it indeed seems that our certificate is no longer working because we miss "Basic Constraits".
Now the question : Do we really need to re-issue our certificate and thereby have to replace all our client certificates aswell ? This would mean a lot of unneccessary work for us. Or is there an other way ?
glad to hear you are working successfully now. yes, the restriction came in but was not release noted immediately until testing was found at other sites that RFC enforcement changes caused this behavior.
Entrust does not want to set intermediate to trusted or true. Is there plans to once again allow on newer code? I have Error and it allowed for now. We are going to upgrade and it will fail. I have 2 years to get answer
I have 7.1r41 code and it allowed for now