Hi Martin,
If I got this right, I should change the key_agreement parameter in
I18N_OPENXPKI_PROFILE_TLS_SERVER.yaml to 1 (it was 0). This way the
resulting EC certificate will have the KU in it.
I did it:
openssl x509 -noout -text -in testec03.mysampleinc.inc.crt | grep -i "usage" -a2
---
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
---
There it is now. But I have the same behavior as before.
On Tue, 6 Aug 2019 at 15:35, Martin Bartosch <[email protected]> wrote:
> Hi Jefferson,
>
> > 2 - NOT Working scenario: Requesting an EC certificate - But I don't see anything suspicious in the logs -
> > What I do:
> > tail -f /var/log/openxpki/*.log
> > Then I ask OpenXPKI to generate an EC certificate (testec01.crt)
> > Key Algorithm: Elliptic Curve - Key Encryption Method: AES 256bit - Curve name:
> > I18N_OPENXPKI_UI_KEY_CURVE_NAME_PRIME256V1
> >
> > Then simulated a web server with testec01.crt (this time another port to let the other one running):
> > openssl s_server -cert testec01.crt -key testec01.pem -www -accept 5443
>
> Your problem is that the EC server certificate does not contain the key
> usage keyAgreement required for an ECDH TLS key exchange.
> EC certificates cannot be used for encryption, hence the keyAgreement KU
> is required and the keyEncipherment key usage in the certificate is
> redundant/not usable.
> Memo to self: we should add the keyAgreement KU to the sample profiles.
>
> Cheers
>
> Martin
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
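As an added example (not from the thread and not OpenXPKI's own code), a small POSIX shell script that creates throwaway self-signed prime256v1 certificates with openssl and checks their Key Usage extension the same way the thread does, so the keyAgreement bit can be verified before a TLS server is pointed at the certificate. It assumes openssl 1.1.1 or newer is on PATH; the file names and the example.test hostnames are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build throwaway self-signed EC
# certificates and check their Key Usage bits as the thread does with
# `openssl x509 -text`. Assumes openssl 1.1.1+; names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ec_cert NAME KEYUSAGE
# Writes $WORK/NAME.pem (prime256v1 key) and $WORK/NAME.crt (self-signed,
# 1 day) with the given critical keyUsage list, e.g. "digitalSignature,keyAgreement".
make_ec_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/$1.pem" -out "$WORK/$1.crt" -days 1 \
    -subj "/CN=$1.example.test" \
    -addext "keyUsage=critical,$2" >/dev/null 2>&1
}

# key_usage CERT: the Key Usage line as openssl prints it (empty if absent)
key_usage() {
  openssl x509 -noout -text -in "$1" | grep -A1 'X509v3 Key Usage' \
    | sed -n '2s/^[[:space:]]*//p' || true
}

# ec_tls_check CERT: "ok" when the certificate carries an EC key and the
# Key Agreement bit; otherwise a one-line reason. A Key Encipherment bit on
# an EC certificate is called out because it is not usable with an EC key.
ec_tls_check() {
  if ! openssl x509 -noout -text -in "$1" | grep -q 'id-ecPublicKey'; then
    echo "not an EC certificate"; return
  fi
  ku=$(key_usage "$1")
  case "$ku" in
    "")                   echo "no Key Usage extension" ;;
    *"Key Agreement"*)    echo "ok" ;;
    *"Key Encipherment"*) echo "keyAgreement missing (Key Encipherment is unusable for EC): $ku" ;;
    *)                    echo "keyAgreement missing: $ku" ;;
  esac
}

# Demonstration: the profile with key_agreement=0 versus key_agreement=1
make_ec_cert before "digitalSignature,keyEncipherment"
make_ec_cert after  "digitalSignature,keyEncipherment,keyAgreement"
echo "before: $(ec_tls_check "$WORK/before.crt")"
echo "after:  $(ec_tls_check "$WORK/after.crt")"
```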