On 01-10-26 08:54:44 CEST, Nelson B. Bolyard wrote:
> Error -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE which is translated 
> Certificate type not approved for application.  That is, the application
> needs an SSL server cert, and this one isn't setup that way.
> 
> In this case, the server's own cert lacks an extension that says it can be
> used for SSL/TLS server authentication.  The problem is not in a CA cert
> but rather is in the server's own cert.  
> 
> Your server cert should contain an "extended Key Usage" extension that 
> identifies it as being valid for server authentication.  It should look
> like this:
[...]
> The rule is that IF a server cert contains an extended Key Usage extension, 
> then it MUST include the extended usage for server authentication.
> 
> Your server's cert has an Extended Key Usage extension, but it doesn't 
> contain this value.  It contains some other usages that will not work for you.

this isn't the whole story, is it?
mozilla connects to an https-site where the server certificate contains
these extensions (openssl output):

        X509v3 extensions:
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                Netscape Server Gated Crypto, Microsoft Server Gated Crypto

the extended key usage has got the same insufficient value!
but in this case, there is a netscape cert type.
does it shadow the X509 extended key usage?

anyhow, i've gotten myself a new certificate for my server with...

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

i.e. the "server gated crypto" garbage has been dumped and the RFC2459
extension has been added, and now mozilla accepts it!

thank you!

> 2. The server does not send out the proper cert "chain" to the client.
> 
> It sends the server's own cert, but it does not send the CA cert for the 
> CA that issued the server's cert.  It is not necessary to send the issuer
> CA cert when the issuer CA cert is a root CA cert.  But in your case,
> you have an "intermediate" CA, one whose cert was issued by another root CA,
> and which issued the server cert.  The intermediate CA cert(s) must also be
> sent to the client in the same certificate message that sends the server's
> own cert.  

the two CA certs have always been in the chain but perhaps in the wrong
order or starting with the plaintext openssl likes to put in front of the
base64 stuff.
i haven't got access to me.in-berlin.de (so i can't look at the chain)
but with my own server it works with only the root CA cert in the browser.
and the CA's server has been fixed, too.

thanks again, also in the name of the CA of IN-Berlin (a non-profit
ISP).

rj
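The rule discussed above (no EKU extension is fine; if an EKU extension is present it must list id-kp-serverAuth) is easy to check once the extension value is decoded. The following is an added example written for this page, not code from the thread or from NSS/mozilla: a dependency-free DER encoder/decoder for the Extended Key Usage value (a SEQUENCE OF OBJECT IDENTIFIER) that reconstructs the two EKU values rj quotes, the rejected one with only the Netscape and Microsoft Server Gated Crypto OIDs and the accepted one with TLS Web Server Authentication, and applies the rule to each. The OIDs are the real registered values; the EKU byte strings are constructed here from those OIDs, not extracted from any actual certificate.

```python
# Added example: decode an X.509 Extended Key Usage value and apply the rule
# "if an EKU extension is present, it must contain id-kp-serverAuth".
# Registered OIDs (RFC 2459/5280 and vendor arcs):
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth, "TLS Web Server Authentication"
NETSCAPE_SGC = "2.16.840.1.113730.4.1"     # Netscape Server Gated Crypto
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"   # Microsoft Server Gated Crypto


def _base128(n):
    """Encode one OID arc as base-128 with continuation bits (DER)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _length(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _length(len(body)) + body


def encode_eku(oids):
    """List of dotted OIDs -> DER ExtKeyUsageSyntax (SEQUENCE OF OID)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """DER OID contents -> dotted string (first octet packs the first two arcs)."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    prefix = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in prefix + arcs[1:])


def decode_eku(der):
    """DER ExtKeyUsageSyntax -> list of dotted OID strings."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, obody, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("non-OID element inside EKU")
        oids.append(decode_oid(obody))
    return oids


def acceptable_for_tls_server(eku_der):
    """None means the cert has no EKU extension, which is allowed; otherwise
    the extension must list id-kp-serverAuth, or the cert gets -8101
    (SEC_ERROR_INADEQUATE_CERT_TYPE) from NSS."""
    if eku_der is None:
        return True
    return SERVER_AUTH in decode_eku(eku_der)


# Constructed EKU values mirroring the two certificates in the thread.
OLD_EKU = encode_eku([NETSCAPE_SGC, MICROSOFT_SGC])  # SGC only: rejected
NEW_EKU = encode_eku([SERVER_AUTH])                   # serverAuth: accepted

if __name__ == "__main__":
    for name, eku in (("old cert", OLD_EKU), ("new cert", NEW_EKU), ("no EKU", None)):
        listed = decode_eku(eku) if eku is not None else "(absent)"
        print(f"{name}: EKU={listed} -> {'OK' if acceptable_for_tls_server(eku) else 'REJECT'}")
```

The decoder is deliberately strict: a trailing byte after the outer SEQUENCE or a non-OID element is rejected rather than ignored, since an EKU check that silently skips malformed content is exactly the kind of validation gap the thread's error code exists to prevent. Note that the Netscape Cert Type extension is a separate, legacy extension that this code does not parse; the rule above applies to the X509v3 Extended Key Usage value only.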
