Try turning on SSL debug in the server to see the contents of the certificates that it received from IE.

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true


"BlackSnail" wrote in message
> Hi,
> I have configured one-way SSL on WLS8.1(evaluation version) successfully.
> All the certificates and private key are imported to JKS keystore.
> I use our own CA to generate certificates file,key file and PKCS12 file.
> I should point out I also use these files on IIS and Apache and I can
> establish two-way SSL successfully.
> But when I entered into two-way configuration,I failed again and again.
> When start server and input https://...:7002 in IE,the log shows:
> <2003-7-14 16:39:10> > ate chain received from DONE - contained a V3 CA certificate which did not indicate it really is a CA.>
> I copied the explanation of BEA-090549 at the end of this post. I think it
> means the certificate chain's basic constraints is wrong. My CA certificate's basic constraints is:
> Subject Type=CA
> Path Length Constraint=1
> I think this is correct. I use utils.ValidateCertChain to check my keystore
> and it is a valid certificate chain.
> Who can tell me what's wrong with it and how to resolve it?
> Or if you have configured two-way SSL successfully, can you send me your
> certificates?
> I attach all my certificates and key files. If you have time and you are
> willing to do me a favor, you can test them on your WLS.
> Any help will be appreciated.
> newcacert.der -- CA certificate
> MyTrust.jks -- JKS keystore which contains newcacert.der
> TONGWLS8.key -- WLS's private key
> MyPrivateKey.jks -- JKS keystore which contains TONGWLS8.key
> TONGWLS_nobc.crt -- WLS's certificate
> MONDAYnew.p12 -- Browser's certificate and private key
> All the passphrases or passwords of the keystores and private keys are the
> same: "123456".
> My EmailAddress is :
> Thank you in advance.

> ****************************************************************************
> BEA-090549
> Warning: The certificate chain received from peer contained a V3 CA
> certificate which did not indicate it really is a CA.
> Description
> The certificate chain received from peer contained a V3 CA certificate which
> contained an invalid basic constraints extension. The extension did not
> indicate it was a CA certificate.
> Cause
> The certificate chain received by the peer contained a V3 CA certificate
> which contained a basic constraints extension which was not marked as
> a CA. This is rejected by the basic constraints checking for strong and
> strict, which protects against a specific certificate chain attack on SSL.
> Action
> The peer certificate chain needs to be looked at carefully to determine
> which CA is not correct. If the certificate chain really is from a valid
> peer, you should look at updating the peer certificate chain with valid CA
> certificates. If this is not possible, you can disable the basic
> checking to allow the certificate chain to be accepted, which allows this
> vulnerability to be exploited.
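As an added illustration (not code from this thread or from BEA), the following standalone Java program applies the same rule the server's strict basic constraints check enforces to every chain in a JKS keystore, using only java.security APIs. It assumes a current JDK and takes the keystore path and password as its two arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/** Flags certificates that a strict basic constraints check would reject (cf. BEA-090549). */
public class BasicConstraintsCheck {

    /** Returns null if ca may issue with intermediatesBelow CAs beneath it, else the reason it may not. */
    static String checkCa(X509Certificate ca, int intermediatesBelow) {
        String name = ca.getSubjectX500Principal().getName();
        // -1 means no BasicConstraints with cA=TRUE; otherwise the pathLenConstraint
        // (Integer.MAX_VALUE when cA=TRUE is set without a length limit).
        int pathLen = ca.getBasicConstraints();
        if (pathLen < 0) {
            // V1 certificates cannot carry extensions; a V3 cert acting as a CA must.
            return ca.getVersion() == 3 ? "V3 certificate used as a CA lacks cA=TRUE: " + name : null;
        }
        return intermediatesBelow > pathLen
                ? "pathLenConstraint " + pathLen + " exceeded by " + name : null;
    }

    /** chain[0] is the end-entity certificate and chain[i + 1] issued chain[i]. */
    static List<String> checkChain(X509Certificate[] chain) {
        List<String> problems = new ArrayList<>();
        for (int i = 1; i < chain.length; i++) {
            String p = checkCa(chain[i], i - 1); // i - 1 intermediates sit below chain[i]
            if (p != null) problems.add(p);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias); // null for trusted-cert entries
            List<String> problems;
            if (chain == null) { // a lone trusted CA: check it as the direct issuer of a leaf
                String p = checkCa((X509Certificate) ks.getCertificate(alias), 0);
                problems = p == null ? Collections.<String>emptyList() : Collections.singletonList(p);
            } else {
                X509Certificate[] x509 = new X509Certificate[chain.length];
                for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
                problems = checkChain(x509);
            }
            System.out.println(alias + ": " + (problems.isEmpty() ? "OK" : problems));
        }
    }
}
```

Run it against both the trust keystore and the identity keystore; a V3 issuer reported as lacking cA=TRUE is the certificate the warning refers to, and fixing that certificate is the remedy the Action text recommends over disabling the check.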