Thanks for the reply, Rob. Here is the requested information; let me know
if I cut too much.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: --cut--
        Validity
            Not Before: May 25 20:52:11 2017 GMT
            Not After : Jun 4 20:52:11 2018 GMT
        Subject: --cut--
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    --cut--
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                --cut--
            X509v3 Authority Key Identifier:
                --cut--
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
        --cut--
-----BEGIN CERTIFICATE-----
--cut--
-----END CERTIFICATE-----

On Fri, May 26, 2017 at 11:07 AM Rob Crittenden <[email protected]> wrote:
> Jamie Johnson wrote:
> > I am trying to track down what the meaning of this error is. After a
> > bit of googling I understand that the certificate the client is using to
> > talk to the server has an issue, but I can't figure out if it's an issue
> > with the chain or if it's an issue with the certificate itself. The
> > client certificate has the ExtendedKeyUsages serverAuth and KeyUsage
> > DigitalSignature and Key_Encipherment, the chain has an intermediate
> > with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign and a root CA
> > with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign. I can't find
> > any more online as to what might be causing this and am a bit stumped at
> > this point, is there any direction that can be provided to help track
> > this down?
>
> I need more context. I assume the server is working ok, but when you
> attempt to authenticate using a client cert it fails with the -8101 error?
>
> This is likely an issue with the client cert itself. Can you provide the
> output of openssl x509 -text -in (cut out the issuer/subject/keys if
> you'd like).
>
> rob
>
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
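
The certificate in the message above lists only server purposes in its Extended Key Usage and Netscape Cert Type extensions. As an added example (not part of the thread and not mod_nss code), this Python script parses the extensions section of `openssl x509 -text` output and reports why a certificate would be rejected for TLS client authentication. The function names and the embedded sample are constructed, and the rule applied (an extension that is present must name client use) is an assumption based on RFC 5280 key-purpose semantics.

```python
import re

# Constructed sample: the extensions section of `openssl x509 -text` output,
# carrying the values listed in the message above.
SAMPLE = """\
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

def parse_extensions(text):
    """Return {extension name: [values]} from an `openssl x509 -text` dump."""
    exts, base, name_indent, name = {}, None, None, None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if base is None:
            if stripped == "X509v3 extensions:":
                base = indent
            continue
        if indent <= base:          # left the extensions block
            break
        if name_indent is None:
            name_indent = indent    # first nested line is an extension name
        if indent == name_indent:
            name = re.sub(r":\s*(critical)?$", "", stripped)
            exts[name] = []
        else:
            exts[name] += [v.strip() for v in stripped.split(",") if v.strip()]
    return exts

def client_auth_problems(exts):
    """List reasons the certificate cannot be used for TLS client authentication.
    Assumed rule: an extension that is present must name client use."""
    problems = []
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and "TLS Web Client Authentication" not in eku:
        problems.append("Extended Key Usage lacks TLS Web Client Authentication")
    ns = exts.get("Netscape Cert Type")
    if ns is not None and "SSL Client" not in ns:
        problems.append("Netscape Cert Type lacks SSL Client")
    return problems

if __name__ == "__main__":
    for p in client_auth_problems(parse_extensions(SAMPLE)):
        print("FAIL:", p)
```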