How to deal with “RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)” problem

If you see [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) in your Apache error.log file, it means you have created a certificate that is intended to be used to sign other certificates, but you are using it as your SSL server certificate. Whether this happens depends on how you create the SSL certificate.

But how can we solve this problem?!

1. Generate private key and certificate signing request

openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr

Note: when the openssl req command asks for a “challenge password”, just press return, leaving the password empty.

2. Generate SSL certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
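
To confirm the result, the following added example (not part of the original post) builds one certificate that carries CA:TRUE and one made with steps 1 and 2 above, then checks each for the BasicConstraints flag the warning refers to. The demo.cnf file, the demo.example.test name, ca-style.crt and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Hostname and file names
# other than server.key/.csr/.crt are constructed for the demo.

# classify_cert FILE -> prints "ca", "not-ca" or "unreadable"
classify_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    case $text in
        *CA:TRUE*) echo ca ;;       # BasicConstraints marks it as a CA
        *)         echo not-ca ;;   # no CA flag: fine as a server certificate
    esac
}

# make_demo_certs DIR: build a CA-flagged cert and one via the post's steps
make_demo_certs() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo.example.test
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Before: "req -x509" applies the CA extension section from the config.
    openssl req -x509 -new -key "$dir/server.key" -config "$dir/demo.cnf" \
        -days 1 -out "$dir/ca-style.crt"
    # After: CSR, then self-sign with "x509 -req -signkey" as in steps 1 and 2.
    openssl req -new -key "$dir/server.key" -config "$dir/demo.cnf" \
        -out "$dir/server.csr"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

if [ -n "${1:-}" ]; then
    classify_cert "$1"             # check an existing certificate file
else
    demo=$(mktemp -d)
    make_demo_certs "$demo"
    for f in ca-style.crt server.crt server.csr; do
        echo "$f: $(classify_cert "$demo/$f")"
    done
    rm -rf "$demo"
fi
```

Run it with a certificate path as the only argument to check the file Apache is configured to serve; a file that is not a certificate at all (a CSR or a key) is reported as unreadable.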

8 thoughts on “How to deal with “RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)” problem”

  1. Hi, I hope you can help me
    I have 3 certificate files:
    trimsalonbunny.nl.crt > it’s coded with Let’s Encrypt1#0!ULet’s Encrypt Authority X30
    trimsalonbunny.nl.pem > -----BEGIN RSA PRIVATE KEY-----
    trimsalonbunny.nl.pfx > also coded

    Which files do I have to use to solve the (BasicConstraints: CA == TRUE !?)” problem?
    server.pass.key = ?
    server.key = ?

  2. Hi, last question
    When I fixed the CA==TRUE problem. Which files do I add to Apache 2.2 sni.conf
    SSLCertificateFile “trimsalonbunny.nl.?”
    SSLCertificateKeyFile “trimsalonbunny.nl.?”
    SSLCertificateChainFile “trimsalonbunny.nl.?”
    SSLCACertificateFile “trimsalonbunny.nl.?”

    THX for you….

    1. In case anyone else comes across this, I solved my issue with these settings in the Apache virtualhost SSL config file:

      SSLCertificateFile "C:/path-to-file/server.crt"
      SSLCertificateKeyFile "C:/path-to-file/server.key"
      SSLCertificateChainFile "C:/path-to-file/server.csr"
