> On Jan 22, 2018, at 3:21 PM, Gladewitz, Robert via openssl-users <openssl-users@xxxxxxxxxxx> wrote: > > Sorry, I did not mean to upset you. I am not at all upset, just trying to be clear. > Somehow I seem to have misunderstood something. Yes. Your CA has an EKU extension. It should either not be present, or list *all* the purposes for which the CA will issue leaf certificates. If you're right (I don't think this is actually true) that the CA must have "TLS Web Server Authentication" in its EKU (why?), then it must also have at least "TLS Web Client Authentication", to allow the CA to be used to authenticate TLS clients. > The CAPF certificate is the CA certificate he goes for? > Cisco states that this certificate requires both CA and > the extended key "TLS Web Server Authentification"? I bet that only the leaf certificate needs "TLS Web Server Authentification", but if for some reason the CA certificate also needs "TLS Web Server Authentification" then you'll need to also include "TLS Web Client Authentification" (in the CA certificate). -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
