verify error:num=26:unsupported certificate purpose

verify error:num=26:unsupported certificate purpose

fandino
Hello,

  I get this error with openssl when I request a client
certificate verification.


# openssl s_server .....
.
.
verify error:num=26:unsupported certificate purpose
verify return:1
.
.

the purposes for the CA file are:

# openssl x509 -in fadesa-cacert.pem -noout -purpose
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes

and for the certificates in both servers:

# openssl x509 -in server1-cert.pem -noout -purpose

and

# openssl x509 -in server2-cert.pem -noout -purpose
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

Does anyone know what I am doing wrong here?

Thank you.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: verify error:num=26:unsupported certificate purpose [SOLVED]

fandino
fandino wrote:

> # openssl s_server .....
> .
> verify error:num=26:unsupported certificate purpose
> verify return:1
>
> and for the certificates in both servers:
>
> Certificate purposes:
> SSL client : No
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No

I think I found the problem. The servers run directory software
and the certificates had the extended key usage set to "SSL Server";
this works perfectly with directory clients, but for directory
replication they need the "SSL Client" extended key usage (one
directory acts as client and the other as server). So enabling both
usages did the trick.


