XCA does create malformed certificates under some circumstances:
When creating a certificate with XCA and selecting
"Authority Key Identifier" it takes the values from an other
than the signing certificate.
This results to invalid certificates !!
All versions of xca from 0.4.0 to 0.4.2 are affected.
The 0.3 series is not affected.
Dumb implemetations like IE do easily ignore it, but
others like CISCO VPN routers or Mozilla do
reject such malformed certificates.
A new Version solving this problem will be out soon.
Please kindly excuse any inconvenience.