Forum Discussion
Xavier_Gillmann
Nimbostratus
NimbostratusCerts chains and authenticate depth...
Hi everybody,
I'm currently encountering problems with (client) certificate validation: when the client registers all certificate chain in its browser, this one (at least IE) submits all the...
Steve_Brockman_Nimbostratus
NimbostratusFyi, I just ran into this problem today (unsupported certificate purpose) and thought I would post my solution. Maybe it will help someone else in the future!
It appears that our client certificates were requested as "Server Authentication Certificates" which cannot be used to present from a client to the F5 (during our 2-way SSL connection)
Once I re-requested the certificates properly this error went away!
Matt_Duguid_589Thanks very much your post did help us 7 years down the track :) We are testing a solution where we automatically deploy client authentication certificates to iOS/Andriod devices via Microsoft Intune/NDES, these are presented from "F5 Edge Client 2.0.4 (7060.2014.1006.1)" to "F5 Appliance 11.4" to connect via VPN. We were failing with the following in the SSL debug logs of the F5 Appliance, ------------------------- May 20 13:20:40 DEVICEX debug tmm[17839]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /CN=USERX) May 20 13:20:40 DEVICEX debug tmm[17839]: 01260009:7: Connection error: ssl_shim_vfycerterr:2912: unsupported certificate purpose (42) ------------------------- On the ADCS certificate template the "intended purpose" of "server authentication" had been enabled in addition to "client authentication". As soon as we removed the "server authentication" and reissued the certificates our issue went away as well and access worked. MD
