[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL problem - unsupported certificate purpose



Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:

> > # openssl x509 -in LDAPserver-cert.pem -text -noout
> ...
> >            Netscape Cert Type:
> >                Object Signing
> 
> The certificate has a "Netscape Cert Type" field, but that field doesn't 
> include the "SSL Server" flag.  Your certificate creation setup needs to 
> be corrected and a new certificate created.  To quote the "X509 
> CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:
> 
>       SSL Server
>             The extended key usage extension must be absent or include the
>  	   "web server authentication" and/or one of the SGC OIDs.
>             keyUsage must be absent or it must have the digitalSignature
>             set, the keyEncipherment set, or both bits set.  Netscape
>             certificate type must be absent or have the SSL server bit set.
> 
> Philip Guenther
> Sendmail, Inc.

Thank you Philippe for the answer.

You was right.
That was the problem.
I corrected this point, renew my LDAP certifcate and there's no more error
message.
I had to test deeply now, but I am optimistic

I can't remember if i adjusted this parameter a year ago with my old Debian
sarge, but obviously I would had to.

Again, many thanks.
-- 
Regards.
Jean-Claude



-- 
Salutations.
Jean-Claude