Forum Discussion
Check certificate Authority - SSL Profile
Hello,
I am trying to verify the certificate authority when the client connects to my Virtual Server.
The problem is that when the user connects to the application, the F5 refuses the connection.
I have this log:
Jan 4 16:50:14 bigip warning tmm2[16669]: 01260006:4: Peer cert verify error: unsupported certificate purpose (depth 0; cert /CN=*********)
Jan 4 16:50:14 bigip warning tmm2[16669]: 01260009:4: Connection error: ssl_shim_vfycerterr:4530: unsupported certificate purpose (46)
Do you have any idea what the problem is?
Thanks a lot.
5 Replies
- Kevin_Stewart
Employee
Is this for client cert (mutual) authentication?
- Kevin_Stewart
Employee
Okay, so in the client SSL profile, under Client Authentication, do you have it set to "Request" or "Require"? Does the client pass a certificate to the VIP? You normally see this error if a client cert is badly derived. Otherwise, and oddly, it's saying its own certificate is incorrect.
- Kevin_Stewart
Employee
Okay, so just to be clear, this IS mutual authentication, and you ARE requesting a client certificate.
The unsupported certificate purpose (46) error is not usually related to ciphers. You may have some odd extension or value in the client certificate that the F5 cannot accept.
Can you show the contents of that certificate here?
- Kevin_Stewart
Employee
Completely understood. However, the error indicates that there's something incorrect about the client certificate, which is most likely defined in the keyUsage or enhancedKeyUsage extension of that certificate.
- Kevin_Stewart
Employee
I'm not in front of my lab to test, but willing to bet that ServerAuthentication is not an allowed EKU for client cert authentication.
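An added example, not code from this thread or from F5, that reproduces the purpose test behind this error: a stdlib-only Python DER walker that applies the two rules an OpenSSL-style "SSL client" purpose check uses (if extendedKeyUsage is present it must list id-kp-clientAuth; if keyUsage is present it must assert digitalSignature) to a certificate's Extensions SEQUENCE. The Extensions blocks it builds are constructed sample data, and the function names are my own.

```python
# Added example: evaluates a certificate's Extensions SEQUENCE the way an OpenSSL-style
# "SSL client" purpose check does. Sample inputs are constructed, not from a real cert.
EKU         = bytes.fromhex("0603551d25")            # OID 2.5.29.37 extendedKeyUsage
KEY_USAGE   = bytes.fromhex("0603551d0f")            # OID 2.5.29.15 keyUsage
CLIENT_AUTH = bytes.fromhex("06082b06010505070302")  # OID 1.3.6.1.5.5.7.3.2 id-kp-clientAuth
SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # OID 1.3.6.1.5.5.7.3.1 id-kp-serverAuth

def der(tag, body):
    return bytes([tag, len(body)]) + body            # short-form length only (sample data)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def elements(contents):
    pos = 0                                          # yield (tag, value) for each element
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        yield tag, val

def parse_extensions(ext_seq):
    """Map extnID (as a DER OID element) -> extnValue contents for an Extensions SEQUENCE."""
    fields = [list(elements(ext)) for _, ext in elements(read_tlv(ext_seq)[1])]
    return {der(0x06, f[0][1]): f[-1][1] for f in fields}  # optional critical BOOLEAN sits between

def check_client_purpose(ext_seq):
    """'ok' if the extensions allow use as a TLS client certificate, else the reason."""
    exts = parse_extensions(ext_seq)
    if EKU in exts:                                  # EKU present: clientAuth must be listed
        purposes = [der(0x06, v) for _, v in elements(read_tlv(exts[EKU])[1])]
        if CLIENT_AUTH not in purposes:
            return "extendedKeyUsage lacks id-kp-clientAuth"
    if KEY_USAGE in exts:                            # keyUsage present: digitalSignature (bit 0) required
        bits = read_tlv(exts[KEY_USAGE])[1]          # BIT STRING: unused-bit count, then bit bytes
        if len(bits) < 2 or not bits[1] & 0x80:
            return "keyUsage lacks digitalSignature"
    return "ok"

def build_extensions(ekus=None, key_usage=None):
    """Constructed sample Extensions SEQUENCE, not taken from any real certificate."""
    items = []
    if ekus is not None:
        items.append(der(0x30, EKU + der(0x04, der(0x30, b"".join(ekus)))))
    if key_usage is not None:                        # unused-bit count fixed at 0 for the sample
        items.append(der(0x30, KEY_USAGE + der(0x04, der(0x03, bytes([0, key_usage])))))
    return der(0x30, b"".join(items))
```

A certificate carrying only serverAuth in its EKU, the case this thread converges on, is rejected by `check_client_purpose` for the same reason the BIG-IP logs "unsupported certificate purpose".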