Request for help with troubleshooting "p11-kit: invalid basic constraints certificate extension"

Ludwig Nussel ludwig.nussel at
Fri Aug 8 04:37:57 PDT 2014

Stef Walter schrieb:
> On 08.08.2014 13:14, Ludwig Nussel wrote:
>> Stef Walter schrieb:
>>> On 07.08.2014 17:17, grantksupport at wrote:
>>>> When I exec
>>>> /usr/sbin/update-ca-certificates -v -f
>>>> some -- NOT all! -- of my machines return a some "p11-kit: invalid
>>>> basic constraints certificate extension" messages,
>>> Could you try out the patches attached to the following bug, and let me
>>> know if it fixes the problem for you?
>> I've applied that patches to the 13.1 package:
> Does it fix the issue? Looking for someone else to test it.

In the VM I have it fixes the NULL warnings. I didn't see the error
message the original reporter had.

>> Just curious, why does the code path hit a point where it sees an
>> invalid public key?
> This line sets the type field to CKA_INVALID, but then other code still
> assumed the struct was valid without checking the type field.

That can only happen for .p11-kit files, right?


  (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

More information about the p11-glue mailing list