> Sent: Wednesday, September 29, 2021 at 11:18 AM
> From: "Viktor Dukhovni" <[email protected]>
> To: [email protected]
> Subject: Re: Client certification verifications fails with not designated for use as a CA certificate
> [...]
>
> Please don't just make stuff up, this helps no one. The reported
> error logging was:
>
> Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: \
>   issuer=/C=US/ST=Pennsylvania/L=Philadelphia/O=LHProjects Information \
>   Network/OU=LHProjects Certificate Authority/CN=LHP MX CA \
>   V1/[email protected]
> Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: \
>   unknown[192.168.103.201]: subject_CN=smtp.lhpmail.us, issuer=LHP MX CA V1, \
>   fingerprint=87:0F:12:04:F3:A1:BD:3A:E1:38:33:3E:62:65:8E:B1:A6:4D:A5:60, \
>   pkey_fingerprint=00:AC:ED:99:56:33:22:A0:CA:75:9D:69:4B:C4:E5:2B:45:7C:1E:6D
> Sep 29 07:16:02 centos8mx-dev postfix/submission/smtpd[17603]: certificate \
>   verification failed for unknown[192.168.103.201]: not designated for use as a CA \
>   certificate
>
> The last of these indicates that "LHP MX CA V1" lacks the proper
> extensions to be an X.509v3 CA for issuing TLS client certificates. The
> underlying error from OpenSSL is "X509_V_ERR_INVALID_PURPOSE".
>
> The CA's extended key usage almost certainly specifies only "serverAuth"
> and not also "clientAuth", so it is rejected as a client cert issuer.
>
I appreciate the pointer and will look into this and get back to you. Regards
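
To test the diagnosis quoted above on a throwaway chain, this added example (not part of the thread; the CA name, paths and function names are constructed) builds one CA whose extendedKeyUsage is serverAuth only and one that also lists clientAuth. It then verifies a client certificate against each under OpenSSL's `sslclient` purpose.

```shell
# Constructed demo (throwaway names and paths); needs the openssl CLI.
# make_chain DIR CA_EKU: CA whose extendedKeyUsage is CA_EKU, plus a
# client certificate (EKU clientAuth) signed by it, written under DIR.
make_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo MX CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = $2
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -config "$dir/demo.cnf" -subj "/CN=demo-client" -newkey rsa:2048 \
        -nodes -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 2 -days 2 -extfile "$dir/demo.cnf" \
        -extensions v3_client -out "$dir/client.pem" 2>/dev/null
}

# Succeeds only if the chain in DIR is acceptable for TLS client
# authentication, the purpose a server applies to a client certificate.
verify_as_client() {
    openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
}

# Succeeds if the CA certificate's extended key usage lists clientAuth.
ca_lists_client_auth() {
    openssl x509 -in "$1/ca.pem" -noout -text | grep -q "TLS Web Client Authentication"
}

tmp=$(mktemp -d) && make_chain "$tmp/bad" serverAuth &&
    make_chain "$tmp/good" "serverAuth,clientAuth" || exit 1
for c in bad good; do
    verify_as_client "$tmp/$c" && r=accepted || r=rejected
    echo "$c CA: client certificate $r"
done
rm -rf "$tmp"
```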
