From: Jan J. K. <ja...@ni...> - 2016-05-26 13:47:23
Hi Josh,

On 26/05/16 15:32, Josh wrote:
> Hi Jan,
>
> Here are relevant excerpts from my certificate:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 14 (0xe)
>         Signature Algorithm: md4WithRSAEncryption
>
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Client, S/MIME, Object Signing
>             Netscape Comment:
>                 TinyCA Generated Certificate
>             X509v3 Subject Key Identifier:
>                 D9:87:59:39:23:5B:A2:75:31:78:A3:02:FB:2C:9E:78:EF:FD:67:9A
>             X509v3 Authority Key Identifier:
>                 keyid:E5:51:29:3F:91:EE:5F:44:C6:E1:7C:62:4B:EB:A3:ED:07:CF:19:BC
>                 DirName:/C=....
>                 serial:87:87:45:87:71:D6:AD:EA
>
>             X509v3 Issuer Alternative Name:
>                 email:.....
>             X509v3 Subject Alternative Name:
>                 email:usagetest
>             X509v3 Key Usage:
>                 Digital Signature
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication
>
> Looks pretty much like your sample.
>
> Client log file:
>
> TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=eb22f49d 37a01341
> VERIFY OK: depth=1, C=xx, ST=..., L=..., O=..., OU=..., CN=example.org,
> emailAddress=te...@ex...
> Certificate does not have key usage extension
> VERIFY KU ERROR
> OpenSSL: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> TLS_ERROR: BIO read tls_read_plaintext error
> TLS Error: TLS object -> incoming plaintext read error
> TLS Error: TLS handshake failed
> SIGUSR1[soft,tls-error] received, process restarting
>

it's the *SERVER* certificate which is failing here:

  routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

check whether the server cert was built with 'serverAuth' enabled.

HTH,

JJK
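Added example, not part of the original message or of OpenVPN: a small Python check that reads the text printed by `openssl x509 -noout -text` for the server certificate and reports the two conditions this thread points at, a missing Key Usage extension and an Extended Key Usage without serverAuth (printed by OpenSSL as "TLS Web Server Authentication"). The function names and sample dumps are constructed for illustration, and the check does not test which key-usage bits the client requires.

```python
import re

# Constructed samples in the layout printed by `openssl x509 -noout -text`.
SERVER_WITHOUT_KU = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
"""
SERVER_OK = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_extensions(text):
    """Return {extension name: [values]} from an openssl text dump."""
    exts, current, header_indent, name_indent = {}, None, None, None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:          # still before the extensions section
            if body == "X509v3 extensions:":
                header_indent = indent
            continue
        if indent <= header_indent:        # section ended (signature follows)
            break
        if name_indent is None:
            name_indent = indent           # first line after the header is a name
        if indent == name_indent:
            current = re.sub(r":( critical)?$", "", body)
            exts[current] = []
        else:                              # deeper lines are values, comma-separated
            exts[current] += [v.strip() for v in body.split(",") if v.strip()]
    return exts

def server_cert_problems(text):
    """List the two defects this thread points at; empty list means neither."""
    exts = parse_extensions(text)
    problems = []
    if "X509v3 Key Usage" not in exts:
        problems.append("no Key Usage extension")
    if "TLS Web Server Authentication" not in exts.get("X509v3 Extended Key Usage", []):
        problems.append("Extended Key Usage lacks serverAuth")
    return problems
```

A certificate shaped like the client certificate quoted above (Key Usage present, EKU "TLS Web Client Authentication") would be reported with only the serverAuth problem if it were presented as a server certificate.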