How many levels of Sub-CA chaining are supported in Sentry CA 3.x?
Originally Published: 2001-07-24
Article Number
Applies To
TechNote 0131
Issue
Have the Sub-CA chaining more than 11 levels.
When starting Sentry CA services, the following error message appears:
The secure directory server does not appear to be reachable. Remember that you must start it before attempting to start the Web server. You will be unable to make client-authenticated connections to this server until you restart it with a running directory server.
test.xxxxx.com: error setting default verify locations:
[unable to contact directory server]
Cause
Resolution
For Netscape browsers to correctly follow this chain, all intermediate CAs must have the appropriate netscape_cert_type extension for the given protocol. So for SSL, intermediate CAs MUST have bit 5 (SSL CA) asserted (similarly, for S/MIME, intermediate CAs would need bit 6 - S/MIME CA - asserted). The Root CA does not need this assertion.
Related Articles
IIS Hangs on Restart with Many Application Pools Number of Views 'The search returned too many results. The maximum allowed result set size is 200' Number of Views How many incorrect password entries are permitted before being locked out of a Luna token? Number of Views Many defunct processes (from AceClient v8.1 in radius) when running ps auxf Number of Views FIM 'Unable to process the AuthnRequest message' in RSA Federated Identity Manager Number of Views
Trending Articles
Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures RSA SecurID Software Token 5.0.2 Downloads for Microsoft Windows RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Governance & Lifecycle 8.0.0 Administrators Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory
Don't see what you're looking for?
