Gskkyman is case sensitive for issuer name etc. while most other
implementations are case INsensitive.  For the good reason that the world
is filled with wrong-case names.  The RFC standard allows both, and lots of
certificates that work otherwise will fail for Gskkyman until the case is
fixed to be an exact match.  Guessing you have run into this.

On Thu, Sep 8, 2022 at 8:52 AM Phil Smith III <li...@akphs.com> wrote:

> I'm getting this trying to use a self-signed certificate. I put it into
> gskkyman and when I try to connect (outbound from z/OS) I get
>
> Certificate validation error
>
> from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows:
> 09/07/2022-17:30:14 Thd-1 ERROR check_cert_extensions_3280_and_later():
> Basic Constraints extension must be critical for CA Certificate
>
> 09/07/2022-17:30:14 Thd-1 EXIT check_cert_extensions_3280_and_later(): <---
> Exit status 0x03353071 (53817457)
>
> 09/07/2022-17:30:14 Thd-1 ERROR validate_certificate_basics(): Unable to
> verify certificate extensions: Error 0x03353071
>
> 09/07/2022-17:30:14 Thd-1 ERROR get_issuer_certificate(): Unable to
> validate
> CA certificate: Error 0x03353071
>
>
>
> I find nothing for that error in the doc (either the text or the error
> number). https://colinpaice.blog/2021/11/03/using-z-os-ldap-with-tls-1-3/
> discusses the error, but I don't know how to check it! Other clients work
> but that doesn't prove much - we know z/OS is more stringent about following
> the rules than many.
>
>
>
> Ideas?
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
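
The gsktrace quoted above fails on "Basic Constraints extension must be critical for CA Certificate". As an added example (not from either poster and not IBM code), this Python script walks a certificate's DER encoding and reports whether that extension carries the critical flag; the function names and the sample bytes are constructed for illustration.

```python
import base64
import sys

BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # DER for OID 2.5.29.19

# Constructed samples (not from the thread): an [3] Extensions wrapper holding
# one basicConstraints extension with CA=TRUE, with and without critical=TRUE.
CRITICAL_SAMPLE = bytes.fromhex("a3133011300f0603551d130101ff040530030101ff")
NONCRITICAL_SAMPLE = bytes.fromhex("a310300e300c0603551d13040530030101ff")


def load_der(data):
    """Accept PEM or DER certificate bytes and return DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        return base64.b64decode(b"".join(body.split()))
    return data


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def basic_constraints_critical(der, pos=0, end=None):
    """True/False for the critical flag; None if the extension is absent."""
    end = len(der) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(der, pos)
        if tag & 0x20:  # constructed element: look inside it
            if tag == 0x30 and der[start:start + 5] == BASIC_CONSTRAINTS_OID:
                # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
                # DER omits a FALSE critical flag, so only 01 01 FF means critical.
                return der[start + 5:start + 8] == b"\x01\x01\xff"
            found = basic_constraints_critical(der, start, stop)
            if found is not None:
                return found
        pos = stop
    return None


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:  # path to a PEM or DER certificate
        print("Basic Constraints critical:", basic_constraints_critical(load_der(fh.read())))
```

Run it with the path to the CA certificate file (PEM or DER); a result of False or None matches the condition the trace complains about.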
