000025931 - KCA error issuing SSL client & server certificates with Internet Explorer

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000025931
Applies ToKeon Certificate Authority 6.5.1
Microsoft Windows 2000 Server SP4
IssueKCA error issuing SSL client & server certificates with Internet Explorer
Error: "This certificate authority does not appear to be allowed to issue certificates, or cannot be used as an end entity for certificates." in Web browser when viewing the Intermediate Certificate Authority in a certificate chain
CauseMicrosoft reported a Certificate validation vulnerability in which a user is able to perform identity spoofing and, in some cases, they will have the ability to gain control over a user's system. This issue is resolved in Microsoft hot fix Q329115, and can be installed by itself as a critical update on the following Operating Systems:

Windows 98, 98 Second Edition
Windows ME
Windows NT 4.0 (All Versions)
Windows 2000
Windows XP and Windows XP 64-bit Edition
Microsoft Office
Microsoft Office 98,2001 and v.X for Macintosh
Internet Explorer for Macintosh versions 8.1 through 9.x and OS X
Microsoft Outlook Express for Macintosh 5.0.6

Hot fix Q329115 is also included in the following Service Packs:

Windows 2000 Service Pack 3
Windows XP Service Pack 1

More information on this issue can be found on Microsoft's TechNet at the following URL:

The Intermediate Certificate Authority (Sub CA) is not a legitimate certificate issuer because it is a V1 certificate and does not contain a "Basic Constraints" attribute that identifies it as a CA
ResolutionTo correct this issue, ensure that the jurisdiction that signs the Intermediate Certificate Authority (Sub CA) has an extension profile that allows either the "Custom CA" or "Basic PKIX-Compliant CA" extensions. From the CA operations workbench for the Intermediate Certification Authority, re-sign the Sub CA using the modified Root CA jurisdiction. When prompted, select "specify a new set of Extensions" and choose a CA certificate profile. Lastly, ensure that the "Basic Constraints" attribute is selected, and set an appropriate path length for this CA.

You will have to trust this new Intermediate Certificate Authority in the browser. Use the MMC snap-in tool for certificates to remove the old Intermediate Certificate Authority. From the CA operations workbench, download and install the new Sub CA certificate to trust it.
WorkaroundCreated a new Intermediate Certificate Authority
Legacy Article IDa20828