On 5/23/23 10:13, James H. H. Lampert wrote:
On 5/23/23 8:31 AM, Christopher Schultz wrote:
Can you dump the whole cert (e.g. keytool -list -v -alias 'certname')
for each cert and see if any of the certificates specify a maximum
chain length somewhere? Evidently, it's an extension to the X.509 spec:

Comparing one that worked with one that blew up, they have the same
values for all of the "basic constraints" sections: the site cert shows

    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]

the intermediate cert shows

    BasicConstraints:[
      CA:true
      PathLen:0
    ]

Does pathLen:0 mean "no limit" or "no go"?
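
Added example, not part of the original thread and not Tomcat or JDK code: in RFC 5280, pathLenConstraint is the maximum number of non-self-issued intermediate CA certificates that may follow a CA certificate in a path, so 0 still allows that CA to issue end-entity certificates directly. The sketch below models the RFC 5280 section 6.1.4 path-length steps over the BasicConstraints values quoted above; the Cert class, the function name and the "sub-intermediate" certificate are hypothetical, and signatures, names and validity dates are not checked.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Cert:
    name: str
    is_ca: bool                      # BasicConstraints CA flag
    path_len: Optional[int] = None   # None models "PathLen: undefined"
    self_issued: bool = False        # subject == issuer (e.g. key rollover cert)


def check_path_len(path: Sequence[Cert]) -> Optional[str]:
    """Apply the RFC 5280 path-length rules to a certification path.

    `path` runs from the certificate issued by the trust anchor down to the
    end-entity certificate (the trust anchor itself is not in the list).
    Returns None if the path passes, otherwise a reason string.
    """
    max_path_length = len(path)          # RFC 5280 initial value: n
    for cert in path[:-1]:               # every cert that acts as an issuer
        if not cert.is_ca:
            return f"{cert.name}: not a CA but used as an issuer"
        if not cert.self_issued:
            if max_path_length <= 0:
                return f"{cert.name}: path length constraint exceeded"
            max_path_length -= 1
        # A tighter pathLenConstraint lowers the remaining budget.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


# Constructed sample values mirroring the keytool output in the message.
SITE = Cert("site", is_ca=False)
INTERMEDIATE = Cert("intermediate", is_ca=True, path_len=0)
# Hypothetical extra CA, used to show where PathLen:0 starts to matter.
SUB = Cert("sub-intermediate", is_ca=True)

if __name__ == "__main__":
    for chain in ([INTERMEDIATE, SITE],
                  [INTERMEDIATE, SUB, SITE],
                  [SUB, INTERMEDIATE, SITE]):
        names = " -> ".join(c.name for c in chain)
        print(f"{names}: {check_path_len(chain) or 'OK'}")
```

A chain where the PathLen:0 intermediate signs the site certificate directly passes; it fails only when another CA certificate sits between that intermediate and the site certificate.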