
Re: TLS/SSL problem - unsupported certificate purpose



On Tue, 24 Apr 2007, Jean-Claude wrote:
...
With SSL, I check all my certificates (Root CA and LDAP certificate) and
renew all of them, without success.
Always the same error message.

Although all seems OK about certificates.

# openssl x509 -in LDAPserver-cert.pem -text -noout
...
           Netscape Cert Type:
               Object Signing

The certificate has a "Netscape Cert Type" field, but that field doesn't include the "SSL Server" flag. Your certificate creation setup needs to be corrected and a new certificate created. To quote the "X509 CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:


     SSL Server
           The extended key usage extension must be absent or include the
           "web server authentication" and/or one of the SGC OIDs.
           keyUsage must be absent or it must have the digitalSignature
           set, the keyEncipherment set, or both bits set.  Netscape
           certificate type must be absent or have the SSL server bit set.


Philip Guenther Sendmail, Inc.
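An added example, not part of the thread: a shell script with an OpenSSL request config that mints a throwaway server certificate either with nsCertType = server (the SSL Server bit) or with nsCertType = objsign (reproducing the quoted certificate), and then uses openssl x509 -purpose to show which one OpenSSL accepts for the sslserver purpose. The hostname ldap.example.test and the file names are assumptions.

```shell
#!/bin/sh
# Constructed example: show why a cert whose Netscape Cert Type is only
# "Object Signing" fails the SSL server purpose check, and what fixes it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test cert. $1 is the nsCertType value:
#   server  -> sets the Netscape "SSL Server" bit (correct for an LDAP/TLS server)
#   objsign -> only "Object Signing", like the certificate quoted in the thread
make_cert() {
  ns_type=$1
  out="$WORK/$ns_type.pem"
  cat > "$WORK/$ns_type.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = server_ext
prompt = no
[ dn ]
CN = ldap.example.test
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = $ns_type
subjectAltName = DNS:ldap.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$ns_type.key" -out "$out" \
    -config "$WORK/$ns_type.cnf" >/dev/null 2>&1
  echo "$out"
}

# True if the Netscape Cert Type line of "openssl x509 -text" lists SSL Server.
has_ssl_server_bit() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Netscape Cert Type/{n;p;}' | grep -q 'SSL Server'
}

# True if OpenSSL itself rates the cert usable for the SSL server purpose.
check_purpose() {
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

for t in server objsign; do
  c=$(make_cert "$t")
  if check_purpose "$c"; then echo "$t: SSL server purpose OK"
  else echo "$t: unsupported certificate purpose for SSL server"; fi
done
```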