Question & Answer
Question
zOS IPSEC peer Phase1/IKE_SA negotiation fails after a new certificate was installed on one of the peer hosts. The following error is seen in the receiver's IKE debug (LOCAL4) SYSLOGD output after the peer host had sent its certificate in the certificate payload:
EZD1800I Remote security endpoint at x.x.x.x port 500 is using a digital signature for authentication but did not send its certificate in a certificate payload
Answer
The new certificate that was installed on the peer IKE host contained the basic constraints certificate extension, which is not supported in zOS IKE when the certificate is used to create digital signatures.
The issue is resolved by creating a new certificate without the basic constraints extension included.
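A quick way to catch this before a certificate is installed on a z/OS IKE peer is to inspect its extensions for basicConstraints (OID 2.5.29.19). The following is an added example, not code from the IBM document: a small pure-Python DER walker that lists the extension OIDs of a certificate and flags basicConstraints. The two sample certificates it checks are constructed inline with placeholder issuer, key and signature fields (they are structurally valid X.509 v3 skeletons, not trusted or signed certificates); the function names are the example's own.

```python
import base64

BASIC_CONSTRAINTS = "2.5.29.19"  # extension z/OS IKE rejects on signing certs


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _oid_to_str(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def load_cert(data):
    """Accept PEM text or DER bytes and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def extension_oids(cert):
    """Return the dotted OIDs of every extension in the certificate."""
    _, cert_body, _ = _read_tlv(load_cert(cert), 0)   # Certificate SEQUENCE
    tbs = next(_children(cert_body))[1]               # tbsCertificate
    for tag, val in _children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            exts = next(_children(val))[1]            # Extensions SEQUENCE
            return [_oid_to_str(next(_children(ext))[1]) for _, ext in _children(exts)]
    return []


def has_basic_constraints(cert):
    """True if the certificate carries basicConstraints (rejected by z/OS IKE)."""
    return BASIC_CONSTRAINTS in extension_oids(cert)


# --- constructed sample certificates (placeholders, not real signed certs) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _ext(oid_hex, critical, value):
    body = _tlv(0x06, bytes.fromhex(oid_hex))
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


def _make_cert(extensions):
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    validity = _tlv(0x30, _tlv(0x17, b"190101000000Z") + _tlv(0x17, b"200101000000Z"))
    tbs = [_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), sha256_rsa,
           _tlv(0x30, b""), validity, _tlv(0x30, b""), _tlv(0x30, b"\x00")]
    if extensions:
        tbs.append(_tlv(0xA3, _tlv(0x30, b"".join(extensions))))
    return _tlv(0x30, _tlv(0x30, b"".join(tbs)) + sha256_rsa + _tlv(0x03, b"\x00" * 5))


KEY_USAGE_EXT = _ext("551d0f", True, bytes.fromhex("03020780"))      # digitalSignature
BASIC_CONSTRAINTS_EXT = _ext("551d13", True, bytes.fromhex("30030101ff"))  # cA=TRUE
CERT_WITH_BC = _make_cert([KEY_USAGE_EXT, BASIC_CONSTRAINTS_EXT])
CERT_WITHOUT_BC = _make_cert([KEY_USAGE_EXT])

if __name__ == "__main__":
    for name, cert in (("with_bc", CERT_WITH_BC), ("without_bc", CERT_WITHOUT_BC)):
        print(name, extension_oids(cert), "REJECT" if has_basic_constraints(cert) else "ok")
```

Run it against a real PEM or DER file by passing the file's bytes to `has_basic_constraints`; a `True` result means the certificate should be reissued without the extension before it is used for IKE digital-signature authentication on z/OS.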
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date: 30 April 2019
UID: dwa1503148