Re: TLS/SSL problem - unsupported certificate purpose
Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:
> > # openssl x509 -in LDAPserver-cert.pem -text -noout
> ...
> > Netscape Cert Type:
> > Object Signing
>
> The certificate has a "Netscape Cert Type" field, but that field doesn't
> include the "SSL Server" flag. Your certificate creation setup needs to
> be corrected and a new certificate created. To quote the "X509
> CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:
>
> SSL Server
> The extended key usage extension must be absent or include the
> "web server authentication" and/or one of the SGC OIDs.
> keyUsage must be absent or it must have the digitalSignature
> set, the keyEncipherment set, or both bits set. Netscape
> certificate type must be absent or have the SSL server bit set.
>
> Philip Guenther
> Sendmail, Inc.
Thank you Philip for the answer.
You were right.
That was the problem.
I corrected this point, renewed my LDAP certificate and there's no more error
message.
I have to test deeply now, but I am optimistic.
I can't remember if I adjusted this parameter a year ago with my old Debian
sarge, but obviously I would have had to.
Again, many thanks.
--
Regards.
Jean-Claude
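
The three "SSL Server" conditions quoted from the openssl(1) manpage in this thread, applied to `openssl x509 -text` output so that the failing extension is named. This is an added example, not part of the original messages; the function names and sample text are constructed here, and the parser assumes each extension's values sit on the single line after its label.

```python
import re

# Labels as printed by `openssl x509 -text`.
EKU, KU, NSCT = "X509v3 Extended Key Usage", "X509v3 Key Usage", "Netscape Cert Type"
SERVER_EKUS = {"TLS Web Server Authentication",
               "Netscape Server Gated Crypto", "Microsoft Server Gated Crypto"}
SERVER_KUS = {"Digital Signature", "Key Encipherment"}


def parse_extensions(text):
    """Map each extension label to the set of values on the line after it."""
    found = {}
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*(.+?):\s*(critical)?\s*$", line)
        if m and m.group(1) in (EKU, KU, NSCT):
            found[m.group(1)] = {v.strip() for v in lines[i + 1].split(",") if v.strip()}
    return found


def ssl_server_problems(text):
    """Return the reasons the certificate fails the quoted SSL Server rules."""
    ext = parse_extensions(text)
    problems = []
    # An absent extension places no restriction, so only present ones are tested.
    if EKU in ext and not ext[EKU] & SERVER_EKUS:
        problems.append("extended key usage lacks web server authentication / SGC")
    if KU in ext and not ext[KU] & SERVER_KUS:
        problems.append("keyUsage lacks digitalSignature and keyEncipherment")
    if NSCT in ext and "SSL Server" not in ext[NSCT]:
        problems.append("Netscape Cert Type lacks the SSL Server bit")
    return problems


# Constructed sample output: the first mirrors the thread, the second is a corrected certificate.
BROKEN = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Netscape Cert Type:
                Object Signing
"""
FIXED = BROKEN.replace("Object Signing", "SSL Server, Object Signing")

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, ssl_server_problems(sample) or "usable as SSL server")
```
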