Common error messages
To be discussed, extended, corrected. Currently only Java implementation's messages. Each error message consists of: error code (string, to be processed by the software), message (string, human readable), category (a coarse grained identifier of the error's class) and position (integer, position in chain which caused the error or -1 if the whole chain is affected). Sometimes errors require a dynamic parameters.
Below is the list of codes and corresponding messages. For each code also the category is defined (using the convention code.category=CATEGORY_NAME). Dynamic parameters
are marked as '{NUMBER}' and should be self-explanatory.
#
# Generic errors
#
unknown=Unknown error
unknown.category=OTHER
unknownMsg={0}
unknownMsg.category=OTHER
inputError=Input certificate chain processing error: {0}
inputError.category=GENERAL_INPUT
#
# Namespace related errors
#
nsUndefinedAndRequired=Namespace definition for the certificate issuer ({0}) is not defined, and namespaces are configured to be required.
nsUndefinedAndRequired.category=NAMESPACE
nsDeny=The certificate subject {0} is denied by the namespace policy: {1}
nsDeny.category=NAMESPACE
nsNotAccepted=The certificate subject {0} is not accepted by any rule of the the relevant namespace policies. Policies which matches the issuer are: {1}
nsNotAccepted.category=NAMESPACE
#
# Proxy certificate specific errors
#
proxyEECInChain=Certificate issued by an end-entity certificate or a proxy certificate is not a proxy proxy certificate.
proxyEECInChain.category=INCONSISTENT_PROXY_CHAIN
proxyLength=At the current position the proxy certificates chain exceeded its length limit.
proxyLength.category=INCONSISTENT_PROXY_CHAIN
proxyNoIssuer=Issuing end entity certificate was not found in the chain with proxy certificates.
proxyNoIssuer.category=INCONSISTENT_PROXY_CHAIN
proxyCASet=Proxy certificate has the cA field set
proxyCASet.category=INVALID_PROXY_CERT
proxyIssuerAltNameSet=Proxy certificate has the IssuerAlternativeName set
proxyIssuerAltNameSet.category=INVALID_PROXY_CERT
proxySubjectAltNameSet=Proxy certificate has the SubjectAlternativeName set
proxySubjectAltNameSet.category=INVALID_PROXY_CERT
proxyIssuedByCa=Proxy certificate issuer has the cA field set
proxyIssuedByCa.category=INCONSISTENT_PROXY_CHAIN
proxyNoIssuerSubject=Proxy certificate issuer has no Subject field set
proxyNoIssuerSubject.category=INVALID_PROXY_CERT
proxySubjectInconsistent=Proxy certificate issuer field is different than the issuing certificate subject field set.
proxySubjectInconsistent.category=INCONSISTENT_PROXY_CHAIN
proxyIssuerNoDsig=Proxy certificate issuer has no digital signature creation right
proxyIssuerNoDsig.category=INCONSISTENT_PROXY_CHAIN
proxySubjectOneRDN=The proxy certificate subject name has less then two elements
proxySubjectOneRDN.category=INVALID_PROXY_CERT
proxySubjectMultiLastRDN=The last RDN in proxy subject name is multivalued
proxySubjectMultiLastRDN.category=INVALID_PROXY_CERT
proxySubjectLastRDNNotCN=The last RDN in proxy subject name is not a CN
proxySubjectLastRDNNotCN.category=INVALID_PROXY_CERT
proxySubjectBaseWrong=The proxy subject without its last CN component is not equal to its issuer name
proxySubjectBaseWrong.category=INVALID_PROXY_CERT
#
# Regular X.509 path validation errors
#
noIssuerPublicKey=Trusted issuer of this certificate was not established
noIssuerPublicKey.category=X509_CHAIN
noBasicConstraints=The selected CA certificate does not contain the mandatory Basic Constraints extension
noBasicConstraints.category=X509_BASIC
pathLenghtExtended=Total chain length exceeds the limit
pathLenghtExtended.category=X509_CHAIN
conflictingTrustAnchors=More then one trusted CA certificate was found for the certificate chain
conflictingTrustAnchors.category=X509_CHAIN
noTrustAnchorFound=No trusted CA certificate was found for the certificate chain
noTrustAnchorFound.category=X509_CHAIN
trustButInvalidCert=CA certificate was found for the certificate chain but the initial certificate in chain is not issued (correctly signed) by the CA certificate
trustButInvalidCert.category=X509_CHAIN
signatureNotVerified=Unable to verify signature of certificates in the chain: {0}
signatureNotVerified.category=X509_BASIC
certificateNotYetValid=Certificate is not yet valid. Will be from: {0}
certificateNotYetValid.category=X509_BASIC
certificateExpired=Certificate has expired at: {0}
certificateExpired.category=X509_BASIC
noCACert=CA certificate was not found for the chain
noCACert.category=X509_CHAIN
noCertSign=Issuer of the certificate is not eligible to sign certificates as its certificate has no keyCertSign flag set in its KeyUsage extension.
noCertSign.category=X509_CHAIN
unknownCriticalExt=Unknown critical extension was found: {0}
unknownCriticalExt.category=X509_BASIC
certRevoked=Certificate was revoked at: {0}, the reason reported is: {1}
certRevoked.category=CRL
noBaseCRL=Base CRL for the delta CRL was not found
noBaseCRL.category=CRL
noValidCrlFound=No valid CRL was found for the CA which issued the chain
noValidCrlFound.category=CRL
For those errors, the human friendly messages were not yet prepared. Those errors should be rare. It will be improved over time, help is welcome!
certPathCheckerError
certPathValidDate
certWrongIssuer
criticalExtensionError
crlAuthInfoAccError
crlBCExtError
crlDistPoint
crlDistPtExtError
crlExtractionError
crlIssuerException
crlNbrExtError
crlNoIssuerPublicKey
crlOnlyAttrCert
crlOnlyCaCert
crlOnlyUserCert
crlReasonExtError
crlUpdateAvailable
crlVerifyFailed
deltaCrlExtError
distrPtExtError
emptyCertPath
errorProcesingBC
excludedDN
excludedEmail
excludedIP
explicitPolicy
invalidPolicy
invalidPolicyMapping
loadCrlDistPointError
localInvalidCRL
localValidCRL
ncExtError
ncSubjectNameError
noCrlInCertstore
noCrlSigningPermited
notPermittedDN
notPermittedEmail
notPermittedIP
notRevoked
noValidPolicyTree
ocspLocation
onlineCRLWrongCA
onlineInvalidCRL
onlineValidCRL
policyConstExtError
policyExtError
policyInhibitExtError
policyMapExtError
policyQualifierError
processLengthConstError
pubKeyError
QcEuCompliance
QcLimitValueAlpha
QcLimitValueNum
QcSSCD
QcStatementExtError
QcUnknownStatement
revokedAfterValidation
rootKeyIsValidButNotATrustAnchor
signatureNotVerified
subjAltNameExtError
totalPathLength
trustAnchorIssuerError
trustDNInvalid
trustPubKeyError
unknown
--
KrzysztofBenedyczak - 17-Oct-2011
Topic revision: r3 - 2011-11-13
- unknown