Ensuring a certificate contains the Basic Constraints extension

When using TLS to encrypt traffic on the IBM® Sametime® Community Server, the Community Server presents its certificate during a TLS handshake to any Sametime server application connecting to the server. To allow the server application to verify the validity of the signer of the Sametime Community Server's certificate as part of the TLS handshake, the signer's certificate must be present in the trust store used by the server applications. Ensure that the certificate belonging to the server certificate signer contains the Basic Constraints extension with the cA flag set to TRUE.

About this task

Best practices dictate that the signer's certificate contain the optional Basic Constraints extension with the cA flag set to TRUE. This extension indicates that the owner of the certificate is a certificate authority. If the extension is not part of the signer's certificate, add the ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM flag to the [Config] section of the sametime.ini file on the Sametime Community Server. With this flag set, server applications can connect to the Sametime Community Server even though the signer's certificate lacks the extension. Complete these steps to add that flag.
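As an added way to perform the check described above (example code, not from IBM's documentation or the Sametime product), the following stdlib-only Python walks a DER-encoded certificate and reports whether the Basic Constraints extension is present and whether its cA flag is TRUE. The certificates at the bottom are constructed skeletons, not real signer certificates; for a PEM file from a trust store, base64-decode the body between the BEGIN and END lines before calling signer_status.

```python
"""Stdlib-only check: does a DER-encoded X.509 certificate carry Basic Constraints with cA=TRUE?"""
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # OID 2.5.29.19 as encoded in DER

def der_iter(data):
    """Yield (tag, value) for each TLV inside the body of a DER constructed element."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def find_basic_constraints(der):
    """Walk constructed elements; return the extnValue body of extension 2.5.29.19, or None."""
    for tag, value in der_iter(der):
        if tag == 0x30:  # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            parts = list(der_iter(value))
            if parts and parts[0] == (0x06, BASIC_CONSTRAINTS_OID):
                return parts[-1][1]
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n] wrappers such as extensions [3]): descend
            found = find_basic_constraints(value)
            if found is not None:
                return found
    return None

def signer_status(cert_der):
    """Return 'missing', 'ca' or 'end-entity' for the certificate's Basic Constraints state."""
    bc = find_basic_constraints(cert_der)
    if bc is None:
        return "missing"  # extension absent: the case the sametime.ini workaround covers
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    fields = dict(der_iter(next(v for t, v in der_iter(bc) if t == 0x30)))
    return "ca" if fields.get(0x01) == b"\xff" else "end-entity"

# --- constructed sample data (not real certificates) ---
def tlv(tag, body):  # minimal DER encoder, short-form lengths only
    return bytes([tag, len(body)]) + body
def extension(oid, inner):  # every sample extension is marked critical
    return tlv(0x30, tlv(0x06, oid) + tlv(0x01, b"\xff") + tlv(0x04, inner))
def sample_cert(*extensions):
    """Certificate { TBSCertificate { version [0], extensions [3] } }; the other fields are omitted."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0xA3, tlv(0x30, b"".join(extensions))))
    return tlv(0x30, tbs)
key_usage = extension(bytes.fromhex("551d0f"), tlv(0x03, b"\x01\x06"))  # 2.5.29.15, skipped by the walker
ca_cert = sample_cert(key_usage, extension(BASIC_CONSTRAINTS_OID, tlv(0x30, tlv(0x01, b"\xff"))))
leaf_cert = sample_cert(key_usage, extension(BASIC_CONSTRAINTS_OID, tlv(0x30, b"")))  # cA DEFAULT FALSE
no_bc_cert = sample_cert(key_usage)  # signer with the extension missing
```

Only a signer whose certificate reports "ca" satisfies the best practice above; "missing" is the situation in which the sametime.ini entry in the procedure is needed.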

Procedure

  1. On the Sametime Community Server, open the sametime.ini file in a text editor.

    By default the sametime.ini file is located in the Sametime Community Server installation folder. For example,

    C:\Domino\Sametime.ini

  2. In the [Config] section of the sametime.ini file, add this entry:

    ST_TLS_TRUST_MANAGER_FACTORY_ALGORITHM=PKIX

  3. Save and close the file.