From: Josh <jv...@us...> - 2016-05-26 13:32:32
Hi Jan,

Here are relevant excerpts from my certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm: md4WithRSAEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                D9:87:59:39:23:5B:A2:75:31:78:A3:02:FB:2C:9E:78:EF:FD:67:9A
            X509v3 Authority Key Identifier:
                keyid:E5:51:29:3F:91:EE:5F:44:C6:E1:7C:62:4B:EB:A3:ED:07:CF:19:BC
                DirName:/C=....
                serial:87:87:45:87:71:D6:AD:EA
            X509v3 Issuer Alternative Name:
                email:.....
            X509v3 Subject Alternative Name:
                email:usagetest
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication

Looks pretty much like your sample.

Client log file:

    TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=eb22f49d 37a01341
    VERIFY OK: depth=1, C=xx, ST=..., L=..., O=..., OU=..., CN=example.org, emailAddress=te...@ex...
    Certificate does not have key usage extension
    VERIFY KU ERROR
    OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    TLS_ERROR: BIO read tls_read_plaintext error
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, process restarting

Should I dump TinyCA which hasn't been maintained for many years and switch to some other CA?

Regards,
Josh.