On Wed, Dec 11, 2013 at 9:58 AM, Karl <weeker at outlook.com> wrote:
> If it only has the digital signature flag, the iOS client will complain with errors
> like: "EKU not found", "CERTIFICATE_ERROR_VERIFY_KEYUSAGE_FAILED:The
> certificate did not contain the required Key Usages"; after adding the
> other flags, no more errors like these.

So I guess iOS requires the "TLS Web Client Authentication" as well (the other flags you mentioned are really unrelated). That's interesting as the client isn't using the certificate for web authentication (but rather for VPN). Nevertheless, it's nice to know there are more implementations that enforce the certificate flags.

regards,
Nikos