|Applies To||Sentry CA 3.x|
|Issue||How many levels of Sub-CA chaining are supported in Sentry CA 3.x?|
The Sub-CA chain is more than 11 levels deep.
When starting Sentry CA services, the following error message appears:
The secure directory server does not appear to be reachable. Remember that you must start it before attempting to start the Web server. You will be unable to make client-authenticated connections to this server until you restart it with a running directory server.
test.xxxxx.com: error setting default verify locations:
[unable to contact directory server]
|Cause||Sentry CA supports up to 11 chained CAs. Exceeding this limit will result in the above error message on startup.|
|Resolution||Do not set up Sub-CA chaining for more than 11 levels.|
For Netscape browsers to correctly follow this chain, all intermediate CAs must have the appropriate netscape_cert_type extension for the given protocol. So for SSL, intermediate CAs MUST have bit 5 (SSL CA) asserted (similarly, for S/MIME, intermediate CAs would need bit 6 - S/MIME CA - asserted). The Root CA does not need this assertion.
|Legacy Article ID||a4075|
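The two rules above (the 11-CA limit and the netscape_cert_type bits on intermediate CAs) can be checked before a chain is deployed. The following is an added example, not Sentry CA code: it assumes the caller supplies each CA's netscape_cert_type extension value as a DER BIT STRING, and that the limit counts every CA in the chain, root included, which the article does not state. The CA names and extension values are constructed.

```python
# Added example, not Sentry CA code. Audits a CA chain against the article's two rules.
SSL_CA_BIT, SMIME_CA_BIT = 5, 6   # netscape_cert_type bit numbers cited in the article
MAX_CHAINED_CAS = 11              # limit stated for Sentry CA 3.x


def ns_cert_type_bits(der):
    """Return the set of asserted bit numbers in a DER BIT STRING extension value."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER BIT STRING")
    if der[2] > 7:
        raise ValueError("invalid unused-bit count")
    bits = set()
    for i, byte in enumerate(der[3:]):
        for j in range(8):
            if byte & (0x80 >> j):   # DER numbers bits from the most significant end
                bits.add(i * 8 + j)
    return bits


def audit_chain(cas, required_bit=SSL_CA_BIT):
    """cas: list of (name, extension_value_or_None), root first.

    Assumption: the 11-CA limit counts every CA in the chain, root included.
    """
    findings = []
    if len(cas) > MAX_CHAINED_CAS:
        findings.append(f"chain has {len(cas)} CAs, limit is {MAX_CHAINED_CAS}")
    for name, ext in cas[1:]:        # the root CA does not need the assertion
        if ext is None:
            findings.append(f"{name}: netscape_cert_type extension missing")
        elif required_bit not in ns_cert_type_bits(ext):
            findings.append(f"{name}: bit {required_bit} not asserted")
    return findings


# Constructed sample chain (hypothetical names and extension values).
SAMPLE_CHAIN = [
    ("Root CA", None),
    ("Policy CA", bytes.fromhex("03020106")),    # SSL CA + S/MIME CA
    ("Issuing CA", bytes.fromhex("03020640")),   # SSL server only, not a CA type
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```

Pass `required_bit=SMIME_CA_BIT` to audit the same chain for S/MIME use.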