iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)

Configuring for Secure Transport
iTP Secure WebServer System Administrator's Guide, 522659-001
Updating SSL and PCT Configuration
Once you have generated the public/private key pair, installed the certificate, and changed the key database file password, you must update the configuration file httpd.stl.config with this new information and the DN you used when running the keyadmin utility. This file is located in the /usr/tandem/webserver/conf directory.

The contents of httpd.stl.config are shown in Example 4-3 below. Refer to Appendix A, Configuration Directives, for a complete description of the directives. Brief descriptions of them follow the example.
Issuer certificate not CA type
    The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates, but one or more of the issuer certificates do not have CA privilege (indicated by the issuer certificate containing the Basic Constraints extension with the subject type set to END_ENTITY).

Max path length exceeded
    The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates, but one or more of the issuer certificates contain the Basic Constraints extension with the subject type set to CA and specifying a max path length, and the maximum path length is exceeded.

Issuer can't sign certificates
    The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates, but one or more of the issuer certificates contain the Key Usage extension, which indicates that the certificate does not have certificate-signing capability (but it is still being used to sign certificates).

Valid certificate but with no extensions
    The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates, but one or more of the issuer certificates contain neither the Basic Constraints nor the Key Usage extension.

Valid certificate but root certificates don't match
    The server requested client authentication and received a client certificate chain that contains X509 version 3 certificates. The public key contained within the root certificate of the chain provided by the web client matches the public key from the root certificate in the key database file, but one or more other fields within the two certificates do not match. This condition usually happens when the root certificate has been renewed, but either the web client or the key database file has not been updated with the new certificate.

Valid certificate
    The server requested and received a client certificate or client certificate chain, and all previous checks have passed.
Note. If the iTP Secure WebServer finds one or more errors when validating a certificate, it reports the first error only.
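The issuer-certificate checks in the table, as an added example that is not code from the iTP Secure WebServer or from this guide: the Python script below uses the `cryptography` package to build a constructed chain of root, intermediate and client certificates, applies the checks in the order the table lists them (an assumption; the guide does not state the server's internal order), and returns only the first message that applies, as the note describes. The `validate_chain` and `run_scenarios` names, the scenario labels, and the "Root certificate not in key database" message (used when the presented root's public key does not match the stored root at all, a case the table does not cover) are assumptions of this example.

```python
"""Added example, not iTP Secure WebServer code: the issuer-certificate checks
from the table above, applied to a client certificate chain and reporting
only the first error found (as the note says the server does)."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Messages mirror the rows of the table; UNTRUSTED_ROOT is constructed here.
ISSUER_NOT_CA = "Issuer certificate not CA type"
MAX_PATH_EXCEEDED = "Max path length exceeded"
ISSUER_CANT_SIGN = "Issuer can't sign certificates"
NO_EXTENSIONS = "Valid certificate but with no extensions"
ROOT_MISMATCH = "Valid certificate but root certificates don't match"
VALID = "Valid certificate"
UNTRUSTED_ROOT = "Root certificate not in key database"  # not in the table


def _ext(cert, oid):
    """Return the extension value, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def _spki(cert):
    """DER-encoded public key, used to compare root certificates by key."""
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def validate_chain(chain, trusted_root):
    """chain[0] is the client certificate, chain[-1] the root the client sent.
    trusted_root is the root held in the key database file. Issuers are
    checked from the client's issuer upward, in the table's order (assumed)."""
    for depth, issuer in enumerate(chain[1:]):
        bc = _ext(issuer, ExtensionOID.BASIC_CONSTRAINTS)
        ku = _ext(issuer, ExtensionOID.KEY_USAGE)
        if bc is not None and not bc.ca:
            return ISSUER_NOT_CA
        # pathLenConstraint bounds how many CA certificates may sit between
        # this issuer and the end entity; `depth` is exactly that count.
        if bc is not None and bc.path_length is not None and depth > bc.path_length:
            return MAX_PATH_EXCEEDED
        if ku is not None and not ku.key_cert_sign:
            return ISSUER_CANT_SIGN
        if bc is None and ku is None:
            return NO_EXTENSIONS
    presented_root = chain[-1]
    if _spki(presented_root) != _spki(trusted_root):
        return UNTRUSTED_ROOT
    if (presented_root.public_bytes(serialization.Encoding.DER)
            != trusted_root.public_bytes(serialization.Encoding.DER)):
        return ROOT_MISMATCH  # same key, other fields differ (renewed root)
    return VALID


def _cert(subject, issuer, key, signer, ca=None, cert_sign=None, days=365):
    """Constructed test certificate. ca=None / cert_sign=None omit that extension."""
    now = datetime.now(timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1))
         .not_valid_after(now + timedelta(days=days)))
    if ca is not None:
        b = b.add_extension(x509.BasicConstraints(ca=ca[0], path_length=ca[1]), critical=True)
    if cert_sign is not None:
        b = b.add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=cert_sign,
            crl_sign=cert_sign, encipher_only=False, decipher_only=False), critical=True)
    return b.sign(signer, hashes.SHA256())


def run_scenarios():
    """Constructed chains, one per row of the table; returns {scenario: message}."""
    rk, ik, ck = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Demo Root", "Demo Root", rk, rk, ca=(True, 1), cert_sign=True)
    root0 = _cert("Demo Root", "Demo Root", rk, rk, ca=(True, 0), cert_sign=True)
    renewed = _cert("Demo Root", "Demo Root", rk, rk, ca=(True, 1), cert_sign=True, days=730)
    good_int = _cert("Demo Int", "Demo Root", ik, rk, ca=(True, 0), cert_sign=True)
    not_ca = _cert("Demo Int", "Demo Root", ik, rk, ca=(False, None), cert_sign=True)
    no_sign = _cert("Demo Int", "Demo Root", ik, rk, ca=(True, 0), cert_sign=False)
    no_ext = _cert("Demo Int", "Demo Root", ik, rk)
    client = _cert("client", "Demo Int", ck, ik, ca=(False, None), cert_sign=False)
    scenarios = {
        "valid": ([client, good_int, root], root),
        "issuer not CA": ([client, not_ca, root], root),
        "max path length": ([client, good_int, root0], root0),
        "issuer can't sign": ([client, no_sign, root], root),
        "no extensions": ([client, no_ext, root], root),
        "root mismatch": ([client, good_int, root], renewed),
    }
    return {name: validate_chain(chain, trusted) for name, (chain, trusted) in scenarios.items()}


if __name__ == "__main__":
    for name, message in run_scenarios().items():
        print(f"{name:18} -> {message}")
```

The "root mismatch" scenario models the renewal case the table describes: the stored root and the presented root carry the same key pair but differ in serial number and validity, so the key comparison passes and the whole-certificate comparison fails.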