> On Jan 20, 2018, at 6:42 AM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
> Hello Viktor,
>
> Hmm, we have only a self-signed root CA and the CAPF is directly subordinate to it. And the extended key usage is mandatory by Cisco.
>
> You mean the only solution is that the root CA also has the same extendedKeyUsage?

The intermediate CA you posted:

    Subject: C = DE, ST = Sachsen, L = Leipzig, O = DBFZ Deutsches Biomasseforschungszentrum gGmbH, OU = IT, CN = CAPF-91d43ef6

has extensions:

    X509v3 extensions:
        X509v3 Subject Key Identifier:
            ...
        X509v3 Authority Key Identifier:
            ...
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication

The last of these limits the CA to just "TLS Web Server Authentication". The leaf certificate has:

    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

which works if you're authenticating it as a "TLS server" (the "Web" part is irrelevant), but fails when used for a "TLS client" or "IPSec End System", because those purposes are not included in the issuing CA certificate. Presumably the problem in this case is that this CA is being used to validate a "TLS client" certificate.

You'll need an intermediate CA that either has no "X509v3 Extended Key Usage" or has one that includes both "TLS Web Server Authentication" and "TLS Web Client Authentication".

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
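Added example, not part of the thread and not Cisco's or OpenSSL's own tooling: a POSIX shell script that rebuilds the situation above with throwaway, constructed certificates (root without EKU, a CAPF-style intermediate with pathlen:0 and a server-only EKU beside one carrying both EKUs, and a leaf with the three purposes from the thread) and runs `openssl verify -purpose` against each chain. It assumes an `openssl` binary (1.1.1 or later) with its default openssl.cnf on the path; all names and subjects are made up.

```shell
#!/bin/sh
# Constructed reproduction of the EKU-on-intermediate problem from the thread.
# Every cert below is throwaway test material; nothing here is a real CA.
# Assumes openssl 1.1.1+ and its default openssl.cnf (needed by `req`).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert <name> <CN> <extfile> [<issuer name>]; without an issuer the cert is a self-signed root.
mkcert() {
  name=$1 cn=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 1 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Extension profiles: root carries no EKU (so it constrains nothing); the two
# intermediates match the thread's CAPF cert except for the EKU list.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\nextendedKeyUsage=critical,serverAuth\n' > "$WORK/ca-server-only.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\nextendedKeyUsage=critical,serverAuth,clientAuth\n' > "$WORK/ca-both.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyAgreement\nextendedKeyUsage=serverAuth,clientAuth,ipsecEndSystem\n' > "$WORK/leaf.ext"

mkcert root "Test Root" "$WORK/root.ext"
mkcert capf-bad "CAPF server-only" "$WORK/ca-server-only.ext" root
mkcert capf-good "CAPF server and client" "$WORK/ca-both.ext" root
mkcert leaf-bad "phone" "$WORK/leaf.ext" capf-bad
mkcert leaf-good "phone" "$WORK/leaf.ext" capf-good

# verify_purpose <leaf> <intermediate> <openssl purpose>: prints 0 if the chain passes, 1 if rejected.
verify_purpose() {
  if openssl verify -purpose "$3" -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" \
       "$WORK/$1.pem" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Server-only intermediate: accepted as a TLS server, rejected as a TLS client
# (error 26 at depth 1: unsupported certificate purpose), exactly as in the thread.
verify_purpose leaf-bad capf-bad sslserver    # 0
verify_purpose leaf-bad capf-bad sslclient    # 1
# Intermediate listing both EKUs: the same leaf profile passes both checks.
verify_purpose leaf-good capf-good sslserver  # 0
verify_purpose leaf-good capf-good sslclient  # 0
```

`openssl verify` applies the `-purpose` check to every certificate in the chain, which is why the intermediate's EKU, not only the leaf's, decides the outcome.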