Re: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

> On Jan 22, 2018, at 12:07 PM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
> The problem is that I can't change the Cisco implementation :-(.

YOU DO NOT need to change the Cisco implementation.

> Cisco tells me the CAPF implementation is following all RFC documents.

Nothing Cisco is telling you requires your issuing CA to have an
extended key usage listing just "TLS Web Server Authentication".

> If you are right,
> I can't use any FreeRADIUS implementation, because they are based on
> OpenSSL. There is no option in FreeRADIUS to ignore something like this.

Your problem is a misconfigured CA certificate.  Make sure your *CA*
certificate has no extended key usage specified, OR has *all* the key
usages specified that are required by any leaf certificate it will issue.

> For my understanding, a CA certificate may have these extended keys - it's just
> something out of the ordinary.

The extended key usages on the CA are interpreted to LIMIT the key usages
of certificates it can issue.  You can certainly use this extension, but
then expect the CA to be invalid for key usages you did not list.

> So you mean there is no chance to get this correct RFC interpretation
> into OpenSSL?

"Correct" is in the eye of the beholder.  The RFC5280 alternative to
using the extended key usage (X.509 policy) is a complex mess.  Many
implementations do the sensible thing and overload the extended key
usage instead.  OpenSSL is among these and this is unlikely to change.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
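The behaviour Viktor describes (an extendedKeyUsage on the CA certificate limiting what its issued certificates may be used for) can be reproduced with the openssl command line alone. The script below is an added example, not something posted in this thread; it builds a throwaway issuing CA and a client certificate, then runs `openssl verify -purpose sslclient`, which is the same purpose check a TLS server performs on a presented client certificate. It assumes an OpenSSL 1.1.1 or newer binary in PATH; the CA name, subject names and keys are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): show how the CA certificate's
# extendedKeyUsage decides whether a client certificate it issued passes
# the "sslclient" purpose check. Assumes openssl >= 1.1.1 in PATH.
# All names and keys below are constructed for the demonstration.

# verify_client_purpose EKU_LINE
#   EKU_LINE is the extendedKeyUsage line placed in the CA certificate,
#   or an empty string for a CA with no EKU extension at all.
#   Returns 0 if "openssl verify -purpose sslclient" accepts the leaf,
#   1 if it rejects it, 2 if certificate generation itself failed.
verify_client_purpose() {
    ca_eku="$1"
    work=$(mktemp -d) || return 2

    # Minimal config: req insists on a distinguished_name section even with -subj.
    cat > "$work/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
$ca_eku
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

    # Self-signed issuing CA (EC P-256 keys are quick to generate).
    openssl req -x509 -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$work/ca.key" -out "$work/ca.pem" -days 1 \
        -subj "/CN=Example Issuing CA" -config "$work/ext.cnf" -extensions v3_ca \
        >/dev/null 2>&1 || { rm -rf "$work"; return 2; }

    # Supplicant (client) certificate issued by that CA, EKU clientAuth only.
    openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" -subj "/CN=supplicant" \
        -config "$work/ext.cnf" >/dev/null 2>&1 || { rm -rf "$work"; return 2; }
    openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -CAserial "$work/ca.srl" -days 1 -out "$work/leaf.pem" \
        -extfile "$work/ext.cnf" -extensions v3_leaf \
        >/dev/null 2>&1 || { rm -rf "$work"; return 2; }

    # The purpose check is applied to every certificate in the chain, so a CA
    # whose EKU omits clientAuth fails with "unsupported certificate purpose"
    # even though the leaf itself is fine.
    if openssl verify -purpose sslclient -CAfile "$work/ca.pem" "$work/leaf.pem" \
        >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Walk the three CA configurations discussed in the thread: no EKU at all,
# EKU listing only serverAuth (the misconfiguration), and EKU listing both.
for eku in "" "extendedKeyUsage = serverAuth" "extendedKeyUsage = serverAuth,clientAuth"; do
    if verify_client_purpose "$eku"; then
        printf 'CA [%s]: client cert ACCEPTED for sslclient\n' "${eku:-no EKU extension}"
    else
        printf 'CA [%s]: client cert REJECTED for sslclient\n' "${eku:-no EKU extension}"
    fi
done
```

Only the middle case is rejected: the CA with no EKU and the CA listing both serverAuth and clientAuth both verify, which is exactly the fix described above (leave the EKU off the CA, or list every usage a leaf will need). Run the same `openssl verify -purpose sslclient` against a real issuing CA and one of its supplicant certificates to confirm the diagnosis before touching the RADIUS or Cisco side.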


