X509 certificate is missing basic constraints for a CA when starting libvirtd

This document (000019820) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 15 SP2


When trying to start libvirtd with TLS enabled as outlined here:

Using command gensslcert as shown here:

Produces an error message in "journalctl -xe -u libvirtd"

libvirtd[30638]: The certificate /etc/pki/CA/cacert.pem is missing basic constraints for a CA


This issue is solved in apache2-2.4.43-3.17.1 or higher.
If it is not possible to update the server, please contact Support for assistance applying a temporary fix.


The script /usr/bin/gensslcert does not add the extensions that set the basic constraint CA:true:

x509_extensions = v3_ca
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
basicConstraints = critical,CA:true
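
To check whether a CA certificate carries the constraint libvirtd looks for, the following added example (not part of the SUSE document and not code from gensslcert) builds one self-signed certificate without the v3_ca extensions and one with them, then tests each. The function names is_ca_cert and make_cert, the subject name and the temporary config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reproduce the missing-basicConstraints condition with
# throwaway certificates and test for it. Requires the openssl CLI.

# Return 0 if the certificate in $1 has basicConstraints with CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# make_cert OUT [EXT_SECTION]
# Write a self-signed certificate to OUT (key to OUT.key) using a
# constructed config. When EXT_SECTION is "v3_ca", [ req ] references the
# v3_ca block quoted above; when it is empty, no extensions are requested.
make_cert() {
    out=$1
    ext=$2
    cnf=$(mktemp) || return 1
    {
        echo '[ req ]'
        echo 'distinguished_name = dn'
        echo 'prompt = no'
        if [ -n "$ext" ]; then
            echo "x509_extensions = $ext"
        fi
        echo '[ dn ]'
        echo 'CN = Constructed Test CA'   # constructed sample subject
        echo '[ v3_ca ]'
        echo 'basicConstraints = critical,CA:true'
    } > "$cnf"
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$out.key" -out "$out" >/dev/null 2>&1 || rc=$?
    rm -f "$cnf"
    return $rc
}
```

Running is_ca_cert against /etc/pki/CA/cacert.pem returns non-zero when the certificate would trigger the libvirtd error shown above.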


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000019820
  • Creation Date: 16-Feb-2021
  • Modified Date: 02-Apr-2024
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
