From jej2003 at gmail.com Thu May 25 19:56:51 2017
From: jej2003 at gmail.com (Jamie Johnson)
Date: Thu, 25 May 2017 15:56:51 -0400
Subject: [Mod_nss-list] SL Library Error: -8101 Certificate type not approved for application
Message-ID:

I am trying to track down what the meaning of this error is. After a bit of googling I understand that the certificate the client is using to talk to the server has an issue, but I can't figure out if it's an issue with the chain or if it's an issue with the certificate itself. The client certificate has the ExtendedKeyUsages serverAuth and KeyUsage DigitalSignature and Key_Encipherment; the chain has an intermediate with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign and a root CA with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign.

I can't find any more online as to what might be causing this and am a bit stumped at this point. Is there any direction that can be provided to help track this down?


From rcritten at redhat.com Fri May 26 15:06:58 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 May 2017 11:06:58 -0400
Subject: [Mod_nss-list] SL Library Error: -8101 Certificate type not approved for application
In-Reply-To:
References:
Message-ID: <8fc77aba-a032-37c9-7bbc-d862528da092@redhat.com>

Jamie Johnson wrote:
> I am trying to track down what the meaning of this error is. After a
> bit of googling I understand that the certificate the client is using to
> talk to the server has an issue, but I can't figure out if it's an issue
> with the chain or if it's an issue with the certificate itself. The
> client certificate has the ExtendedKeyUsages serverAuth and KeyUsage
> DigitalSignature and Key_Encipherment, the chain has an intermediate
> with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign and a root CA
> with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign. I can't find
> any more online as to what might be causing this and am a bit stumped at
> this point, is there any direction that can be provided to help track
> this down?

I need more context. I assume the server is working ok, but when you attempt to authenticate using a client cert it fails with the -8101 error?

This is likely an issue with the client cert itself. Can you provide the output of openssl x509 -text -in (cut out the issuer/subject/keys if you'd like).

rob


From jej2003 at gmail.com Fri May 26 15:16:59 2017
From: jej2003 at gmail.com (Jamie Johnson)
Date: Fri, 26 May 2017 15:16:59 +0000
Subject: [Mod_nss-list] SL Library Error: -8101 Certificate type not approved for application
In-Reply-To: <8fc77aba-a032-37c9-7bbc-d862528da092@redhat.com>
References: <8fc77aba-a032-37c9-7bbc-d862528da092@redhat.com>
Message-ID:

Thanks for the reply Rob. Here is the requested information; let me know if I cut too much.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4098 (0x1002)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: --cut--
            Validity
                Not Before: May 25 20:52:11 2017 GMT
                Not After : Jun  4 20:52:11 2018 GMT
            Subject: --cut--
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        --cut--
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                Netscape Comment:
                    OpenSSL Generated Server Certificate
                X509v3 Subject Key Identifier:
                    --cut--
                X509v3 Authority Key Identifier:
                    --cut--

                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
        Signature Algorithm: sha256WithRSAEncryption
            --cut--
    -----BEGIN CERTIFICATE-----
    --cut--
    -----END CERTIFICATE-----

On Fri, May 26, 2017 at 11:07 AM Rob Crittenden wrote:
> Jamie Johnson wrote:
> > I am trying to track down what the meaning of this error is. After a
> > bit of googling I understand that the certificate the client is using to
> > talk to the server has an issue, but I can't figure out if it's an issue
> > with the chain or if it's an issue with the certificate itself. The
> > client certificate has the ExtendedKeyUsages serverAuth and KeyUsage
> > DigitalSignature and Key_Encipherment, the chain has an intermediate
> > with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign and a root CA
> > with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign. I can't find
> > any more online as to what might be causing this and am a bit stumped at
> > this point, is there any direction that can be provided to help track
> > this down?
>
> I need more context. I assume the server is working ok, but when you
> attempt to authenticate using a client cert it fails with the -8101 error?
>
> This is likely an issue with the client cert itself. Can you provide the
> output of openssl x509 -text -in (cut out the issuer/subject/keys if
> you'd like).
>
> rob


From rcritten at redhat.com Fri May 26 15:28:56 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 May 2017 11:28:56 -0400
Subject: [Mod_nss-list] SL Library Error: -8101 Certificate type not approved for application
In-Reply-To:
References: <8fc77aba-a032-37c9-7bbc-d862528da092@redhat.com>
Message-ID:

Jamie Johnson wrote:
> Thanks for the reply Rob. Here is the requested information, let me
> know if I cut too much
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 4098 (0x1002)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: --cut--
>         Validity
>             Not Before: May 25 20:52:11 2017 GMT
>             Not After : Jun  4 20:52:11 2018 GMT
>         Subject: --cut--
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     --cut--
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             Netscape Comment:
>                 OpenSSL Generated Server Certificate
>             X509v3 Subject Key Identifier:
>                 --cut--
>             X509v3 Authority Key Identifier:
>                 --cut--
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>     Signature Algorithm: sha256WithRSAEncryption
>         --cut--
> -----BEGIN CERTIFICATE-----
> --cut--
> -----END CERTIFICATE-----

Is this the cert you are trying to use to authenticate with? If so it needs the TLS Web client authentication extension.

rob


From jej2003 at gmail.com Fri May 26 16:18:44 2017
From: jej2003 at gmail.com (Jamie Johnson)
Date: Fri, 26 May 2017 16:18:44 +0000
Subject: [Mod_nss-list] SL Library Error: -8101 Certificate type not approved for application
In-Reply-To:
References: <8fc77aba-a032-37c9-7bbc-d862528da092@redhat.com>
Message-ID:

Ah! That's it, thanks Rob, appreciate it!

On Fri, May 26, 2017 at 11:28 AM Rob Crittenden wrote:
> Jamie Johnson wrote:
> > Thanks for the reply Rob. Here is the requested information, let me
> > know if I cut too much
> >
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 4098 (0x1002)
> >     Signature Algorithm: sha256WithRSAEncryption
> >         Issuer: --cut--
> >         Validity
> >             Not Before: May 25 20:52:11 2017 GMT
> >             Not After : Jun  4 20:52:11 2018 GMT
> >         Subject: --cut--
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             RSA Public Key: (2048 bit)
> >                 Modulus (2048 bit):
> >                     --cut--
> >                 Exponent: 65537 (0x10001)
> >         X509v3 extensions:
> >             X509v3 Basic Constraints:
> >                 CA:FALSE
> >             Netscape Cert Type:
> >                 SSL Server
> >             Netscape Comment:
> >                 OpenSSL Generated Server Certificate
> >             X509v3 Subject Key Identifier:
> >                 --cut--
> >             X509v3 Authority Key Identifier:
> >                 --cut--
> >
> >             X509v3 Key Usage: critical
> >                 Digital Signature, Key Encipherment
> >             X509v3 Extended Key Usage:
> >                 TLS Web Server Authentication
> >     Signature Algorithm: sha256WithRSAEncryption
> >         --cut--
> > -----BEGIN CERTIFICATE-----
> > --cut--
> > -----END CERTIFICATE-----
>
> Is this the cert you are trying to use to authenticate with? If so it
> needs the TLS Web client authentication extension.
>
> rob
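Added example, not part of the thread above or of mod_nss: NSS reports -8101 as SEC_ERROR_INADEQUATE_CERT_TYPE, and it decides what a certificate may be used for from the Extended Key Usage extension (and, where present, the older Netscape Cert Type extension) rather than from whether the chain validates. The script below does offline what Rob did by eye: it parses the `openssl x509 -text` output posted in the thread (re-indented the way OpenSSL prints it, embedded here as constructed sample input) and reports why the certificate is unusable for a given role. The parser, `check_usage`, and its findings text are this example's own; the Key Usage check for the client role reflects that a TLS client proves possession of its key by signing CertificateVerify.

```python
import re

# Constructed sample: the trimmed `openssl x509 -text` output from the thread,
# laid out with OpenSSL's indentation. It is a server cert (EKU serverAuth only).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: --cut--
        Validity
            Not Before: May 25 20:52:11 2017 GMT
            Not After : Jun  4 20:52:11 2018 GMT
        Subject: --cut--
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                --cut--
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         --cut--
"""

# An extension header line: "X509v3 Key Usage: critical" or "Netscape Cert Type:".
EXT_HEADER = re.compile(r"^(X509v3 [\w ]+|Netscape [\w ]+):\s*(critical)?\s*$")


def parse_extensions(text):
    """Map each extension name in the 'X509v3 extensions:' block to
    {'critical': bool, 'values': [...]}. The trailing 'Signature Algorithm:'
    line closes the block."""
    exts, current, in_block = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped.startswith("Signature Algorithm:"):
            break
        m = EXT_HEADER.match(stripped)
        if m:
            current = m.group(1)
            exts[current] = {"critical": m.group(2) is not None, "values": []}
        elif current and stripped:
            # Value lines may carry several comma-separated flags.
            exts[current]["values"].extend(v.strip() for v in stripped.split(","))
    return exts


CLIENT_EKU = "TLS Web Client Authentication"
SERVER_EKU = "TLS Web Server Authentication"


def check_usage(text, role):
    """Return human-readable findings explaining why the certificate would be
    refused for `role` ('client' or 'server'). An empty list means the EKU,
    Netscape Cert Type and Key Usage extensions do not rule that role out;
    an absent extension imposes no restriction and is not reported."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    exts = parse_extensions(text)
    wanted_eku = CLIENT_EKU if role == "client" else SERVER_EKU
    wanted_nstype = "SSL Client" if role == "client" else "SSL Server"
    findings = []

    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and wanted_eku not in eku["values"]:
        findings.append(f"Extended Key Usage lacks '{wanted_eku}' "
                        f"(present: {', '.join(eku['values'])})")

    nstype = exts.get("Netscape Cert Type")
    if nstype is not None and wanted_nstype not in nstype["values"]:
        findings.append(f"Netscape Cert Type lacks '{wanted_nstype}' "
                        f"(present: {', '.join(nstype['values'])})")

    ku = exts.get("X509v3 Key Usage")
    if role == "client" and ku is not None and "Digital Signature" not in ku["values"]:
        # A TLS client signs CertificateVerify, so digitalSignature is required.
        findings.append("Key Usage lacks 'Digital Signature', needed to sign "
                        "the TLS CertificateVerify message")
    return findings


if __name__ == "__main__":
    for role in ("client", "server"):
        problems = check_usage(SAMPLE_CERT_TEXT, role)
        print(f"as {role}: {'OK' if not problems else '; '.join(problems)}")
```

Run against the posted certificate, the client role produces two findings (no `TLS Web Client Authentication` EKU, and a Netscape Cert Type of `SSL Server` only) while the server role produces none, which is exactly the mismatch behind the -8101 error. When issuing a dedicated client certificate with OpenSSL, the extension section should carry `extendedKeyUsage = clientAuth` (and `nsCertType = client` if the legacy Netscape extension is emitted at all); a certificate meant for both roles needs both EKU values listed.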