[Mod_nss-list] SSL Library Error: -8101 Certificate type not approved for application

Rob Crittenden rcritten at redhat.com
Fri May 26 15:06:58 UTC 2017


Jamie Johnson wrote:
> I am trying to track down what the meaning of this error is.  After a
> bit of googling I understand that the certificate the client is using to
> talk to the server has an issue, but I can't figure out if it's an issue
> with the chain or if it's an issue with the certificate itself.  The
> client certificate has the ExtendedKeyUsages serverAuth and KeyUsage
> DigitalSignature and Key_Encipherment, the chain has an intermediate
> with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign and a root CA
> with KeyUsage DigitalSignature, Key_CertSign, Crl_Sign.  I can't find
> any more online as to what might be causing this and am a bit stumped at
> this point, is there any direction that can be provided to help track
> this down?

I need more context. I assume the server is working ok, but when you
attempt to authenticate using a client cert it fails with the -8101 error?

This is likely an issue with the client cert itself. Can you provide the
output of openssl x509 -text -in (cut out the issuer/subject/keys if
you'd like).

rob



