000018889 - How many levels of Sub-CA chaining are supported in Sentry CA 3.x?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000018889
Applies To: Sentry CA 3.x
TechNote: 0131
Issue: How many levels of Sub-CA chaining are supported in Sentry CA 3.x?
The problem occurs when the Sub-CA chain is more than 11 levels deep. When the Sentry CA services are started, the following error message appears:
The secure directory server does not appear to be reachable.  Remember that you must start it before attempting to start the Web server. You will be unable to make client-authenticated connections to this server until you restart it with a running directory server.

test.xxxxx.com: error setting default verify locations:
[unable to contact directory server]
Cause: Sentry CA supports up to 11 chained CAs. Exceeding this limit produces the error message above on startup.
Resolution: Do not set up Sub-CA chaining more than 11 levels deep.

For Netscape browsers to follow the chain correctly, every intermediate CA must carry the netscape_cert_type (nsCertType) extension with the bit for the protocol in use. For SSL, intermediate CAs MUST have bit 5 (SSL CA) asserted; for S/MIME they need bit 6 (S/MIME CA). The Root CA does not need this extension. nsCertType is a legacy Netscape extension: other clients decide CA status from basicConstraints and keyUsage, so intermediates should carry those as well.
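The following script is an added example and is not part of this article or of Sentry CA. It uses the OpenSSL command line to build a Root CA plus N Sub-CAs (each signed by the one above it), asserts nsCertType = sslCA on the Sub-CAs only, and then checks two things: that every intermediate really carries the SSL CA bit, and that the number of CAs in the chain does not exceed the 11-CA limit stated above. The extension profile, the file names (root.crt, subN.crt, intermediates.pem), the function names and the counting convention (Root CA included in the count) are this example's assumptions, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the RSA article or Sentry CA: build an N-level
# Sub-CA chain with OpenSSL, check nsCertType "SSL CA" on every Sub-CA, and
# compare the chain length with the 11-CA limit the article states.
# Assumed here: the count includes the Root CA; file layout and profile below.
set -u

MAX_CHAINED_CAS=11   # limit from the article; counting convention is assumed

# OpenSSL config with one extension section for the root and one for Sub-CAs.
# Only the Sub-CA section asserts nsCertType = sslCA (bit 5), as the article
# requires; the root does without it. basicConstraints/keyUsage are what
# non-Netscape clients check, so both sections carry them too.
write_ca_config() {   # $1 = config path
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nsCertType = sslCA
EOF
}

# make_chain N DIR: self-signed root plus N Sub-CAs, each signed by its parent.
# Writes DIR/root.crt, DIR/sub1.crt .. DIR/subN.crt and DIR/intermediates.pem
# (all Sub-CAs concatenated, deepest last). EC keys keep generation fast.
make_chain() {
    n=$1; dir=$2; cfg=$dir/ca.cnf
    mkdir -p "$dir" && write_ca_config "$cfg"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/root.key" -subj "/CN=Example Root CA" \
        -days 365 -config "$cfg" -extensions root_ca -out "$dir/root.crt" 2>/dev/null
    parent=root; i=1; : > "$dir/intermediates.pem"
    while [ "$i" -le "$n" ]; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/sub$i.key" 2>/dev/null
        openssl req -new -key "$dir/sub$i.key" -subj "/CN=Example Sub CA $i" \
            -config "$cfg" -out "$dir/sub$i.csr" 2>/dev/null
        openssl x509 -req -in "$dir/sub$i.csr" -CA "$dir/$parent.crt" \
            -CAkey "$dir/$parent.key" -CAcreateserial -days 365 \
            -extfile "$cfg" -extensions sub_ca -out "$dir/sub$i.crt" 2>/dev/null
        cat "$dir/sub$i.crt" >> "$dir/intermediates.pem"
        parent=sub$i; i=$((i + 1))
    done
}

# chain_length DIR: number of CA certificates in the chain, root included.
chain_length() {
    cat "$1/root.crt" "$1/intermediates.pem" | grep -c 'BEGIN CERTIFICATE'
}

# within_sentry_limit DIR: succeeds if the chain has at most MAX_CHAINED_CAS CAs.
within_sentry_limit() {
    [ "$(chain_length "$1")" -le "$MAX_CHAINED_CAS" ]
}

# has_ssl_ca_bit CERT: succeeds if the Netscape Cert Type extension lists "SSL CA".
has_ssl_ca_bit() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | grep -q 'SSL CA'
}

# intermediates_have_ssl_ca DIR: every Sub-CA must carry the SSL CA bit.
intermediates_have_ssl_ca() {
    for c in "$1"/sub*.crt; do
        has_ssl_ca_bit "$c" || { echo "missing nsCertType sslCA: $c" >&2; return 1; }
    done
}

# verify_chain DIR N: let OpenSSL build the path from the deepest Sub-CA to the
# root, the same path validation a relying party performs.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediates.pem" "$1/sub$2.crt" >/dev/null
}

demo() {
    dir=${TMPDIR:-/tmp}/sentry-chain-demo; rm -rf "$dir"
    make_chain 3 "$dir"
    echo "CAs in chain (root included): $(chain_length "$dir")"
    within_sentry_limit "$dir" && echo "within the $MAX_CHAINED_CAS-CA limit" || echo "exceeds the limit"
    intermediates_have_ssl_ca "$dir" && echo "every Sub-CA asserts nsCertType sslCA"
    verify_chain "$dir" 3 && echo "OpenSSL path validation OK"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh chaincheck.sh demo`. To inspect what the checker greps for, `openssl x509 -in sub1.crt -noout -text` prints a "Netscape Cert Type:" line followed by "SSL CA" for the Sub-CAs and no such line for the root.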
Legacy Article ID: a4075