> Is there any other way for a temp workaround to enforce CA constraint?
> Maybe I could place only my ca in cacerts?

If you only have a single trusted CA installed, this definitely implies a CA constraint policy, allowing you to remove the rightca option.

Regards

Martin