Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:
# openssl x509 -in LDAPserver-cert.pem -text -noout
...
Netscape Cert Type: Object Signing
The certificate has a "Netscape Cert Type" field, but that field doesn't include the "SSL Server" flag. Your certificate creation setup needs to be corrected and a new certificate created. To quote the "X509 CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:
SSL Server
    The extended key usage extension must be absent or include the "web server authentication" and/or one of the SGC OIDs. keyUsage must be absent or it must have the digitalSignature set, the keyEncipherment set, or both bits set. Netscape certificate type must be absent or have the SSL server bit set.
Philip Guenther
Sendmail, Inc.
Thank you, Philip, for the answer.
You were right. That was the problem. I corrected this point, renewed my LDAP certificate, and there's no more error message. I have to test deeply now, but I am optimistic.
I can't remember if I adjusted this parameter a year ago with my old Debian sarge, but obviously I would have had to.
Again, many thanks.
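
The check discussed in this thread can be reproduced before a certificate is deployed. The script below is an added example, not part of the original messages: it builds two throwaway self-signed certificates that differ only in nsCertType and asks OpenSSL whether each passes the "SSL server" purpose rules quoted above. The host name ldap.example.test, the file names and the helper function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: two throwaway self-signed certificates that differ only in
# nsCertType, checked against OpenSSL's "SSL server" purpose rules.
# All names (ldap.example.test, file names) are constructed for this demo.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_cert <nsCertType value> <name>: writes $workdir/<name>.pem
make_cert() {
    cat > "$workdir/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ldap.example.test
[ext]
nsCertType = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$workdir/$2.cnf" \
        -keyout "$workdir/$2.key" -out "$workdir/$2.pem" 2>/dev/null
}

# ns_cert_type <cert>: value printed under "Netscape Cert Type" by -text
ns_cert_type() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Netscape Cert Type/{n;s/^ *//;p;}'
}

# ssl_server_ok <cert>: "Yes" or "No" from the "SSL server" purpose line
ssl_server_ok() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL server : //p'
}

make_cert objsign objsign   # same flag as the certificate in the thread
make_cert server  server    # corrected: SSL server bit set

for name in objsign server; do
    cert="$workdir/$name.pem"
    echo "$name: nsCertType='$(ns_cert_type "$cert")' SSL server: $(ssl_server_ok "$cert")"
done
```

Pointing ssl_server_ok at the real server certificate gives the same Yes/No answer an OpenSSL-based client will reach during the handshake.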