Attila Fogarasi kindly replied suggesting a case problem, which I'm perfectly willing to believe but don't have any idea how to verify. Nothing LOOKS off.
Meanwhile, some more digging suggests that it may be that the error message is actually correct and clear, FSVO clear! If I run openssl x509 -in voltage-ca.crt -text -noout against that cert I see: X509v3 extensions: X509v3 Basic Constraints: CA:TRUE But other reading suggests this should be: X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE and that this is therefore an omission in creating the cert. This is an RFC 3280 <https://datatracker.ietf.org/doc/html/rfc3280#section-4.2.1.10> requirement, but I strongly suspect that it gets ignored by many stacks. I find other discussions that support this conclusion indirectly. It certainly fits with the typical IBM strict interpretation of RFCs, which is hard to argue with. I have a handful of random certs from past tinkering, and running that command against them finds most do NOT have the Basic Constraints set and/or have critical. I'm asking if we can regenerate the cert either without the Basic Constraints or with critical. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN