If you see [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) in your Apache error.log file, it means you have created a certificate that is intended for signing other certificates, but you are using it as your SSL server certificate. Whether this happens depends on how you create the SSL certificate.
But how can we solve this problem?!
1. Generate private key and certificate signing request
[codesyntax lang="bash"]
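# Generate a passphrase-protected RSA key (recent OpenSSL releases reject passphrases shorter than 4 characters)
openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
# Strip the passphrase so Apache can load the key without prompting
openssl rsa -passin pass:xxxx -in server.pass.key -out server.key
rm server.pass.key
# Create the certificate signing request from the unprotected key
openssl req -new -key server.key -out server.csr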
[/codesyntax]
Note: when the openssl req command asks for a “challenge password”, just press return, leaving the password empty.
2. Generate SSL certificate
[codesyntax lang="bash"]
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[/codesyntax]
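To confirm the result, check whether the certificate Apache loads still carries CA:TRUE. The script below is an added example, not part of the original post: the function names, the example.test CN and the temporary files are assumptions, and the two certificates it inspects are constructed throwaway samples built with an explicit config.

```shell
#!/bin/sh
# Added example: detect the condition behind Apache's
# "RSA server certificate is a CA certificate" warning.

# cert_is_ca FILE -> exit status 0 if the certificate says CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# classify_cert FILE -> prints "CA" or "leaf".
classify_cert() {
    if cert_is_ca "$1"; then echo "CA"; else echo "leaf"; fi
}

# make_selfsigned DIR NAME TRUE|FALSE -> writes NAME.key and NAME.crt in DIR.
# Constructed sample input: a throwaway self-signed certificate whose
# basicConstraints value is set explicitly through a minimal config file,
# so the result does not depend on the system-wide openssl.cnf.
make_selfsigned() {
    cfg="$1/$2.cnf"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ext' '[dn]' 'CN = example.test' \
        '[ext]' "basicConstraints = CA:$3" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_selfsigned "$tmp" ca TRUE      # the kind of cert that triggers the warning
    make_selfsigned "$tmp" leaf FALSE   # what a server certificate should look like
    for f in "$tmp/ca.crt" "$tmp/leaf.crt"; do
        printf '%s: %s\n' "${f##*/}" "$(classify_cert "$f")"
    done
    rm -rf "$tmp"
}

demo
```

Run classify_cert against the file named in SSLCertificateFile; a result of CA means Apache will keep logging the warning.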
Thanks!
Thanks for your help, it was very helpful
Thanks for your help, I have finally resolved my problem.
Didn't work
This made no difference, I still have the same error.
Hi, I hope you can help me
I have 3 certificate files:
trimsalonbunny.nl.crt > it's coded with Let's Encrypt1#0!ULet's Encrypt Authority X30
trimsalonbunny.nl.pem > ----BEGIN RSA PRIVATE KEY-----
trimsalonbunny.nl.pfx > also coded
Which files do I have to use to solve the “(BasicConstraints: CA == TRUE !?)” problem?
server.pass.key = ?
server.key = ?
Hi, last question
When I have fixed the CA==TRUE problem, which files do I add to the Apache 2.2 sni.conf?
SSLCertificateFile "trimsalonbunny.nl.?"
SSLCertificateKeyFile "trimsalonbunny.nl.?"
SSLCertificateChainFile "trimsalonbunny.nl.?"
SSLCACertificateFile "trimsalonbunny.nl.?"
THX for you....
In case anyone else comes across this, I solved my issue with these settings in the Apache virtualhost SSL config file:
SSLCertificateFile "C:/path-to-file/server.crt"
SSLCertificateKeyFile "C:/path-to-file/server.key"
SSLCertificateChainFile "C:/path-to-file/server.csr"
Thank you very much JONAS, I solved this warning
Thanks a lot! Very helpful stuff.
We had two warnings in the error log:
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `l0035' does NOT match server name!?
All solved after the first one was taken care of. So thank you.
Works only in Chrome, not in FF or IE
The second command didn't work for me but I noticed that the openssl genrsa command required a pass of 4 characters or more. I edited the commands to use pass:xxxx where appropriate. Worked great.
Thanks. Really helpful!
Thank you!
Should you also remove the signing request file?