Forum Discussion
session.ssl.cert.valid 26
Hi
I am trying to use an on-demand Cert Auth as part of an APM request. However this is unsuccessful, with the logs stating that session.ssl.cert.valid = 26.
From what I can make out this means 'unsupported certificate purpose'.
The certificate that I am using has extended key usage set to:
X509v3 Extended Key Usage: TLS Web Client Authentication 1.3.6.1.4.1.311.21.10: 0.0
Which I believe to be correct... anyone got any ideas?
Cheers David
3 Replies
- Kevin_Stewart
Employee
I believe "1.3.6.1.5.5.7.3.2" is the proper OID for TLS web client authentication.
- Kevin_Stewart
Employee
So just to be clear, your client cert is using the correct EKU OID (1.3.6.1.5.5.7.3.2)? Are there any other KU and EKU attributes defined? Is it an RSA-signed cert?
- Kevin_Stewart
Employee
So just to follow up, the issue I believe is an incorrect KU option. At a minimum a client certificate used for authentication must have ClientAuth (1.3.6.1.5.5.7.3.2) in its EKU, and must have digitalSignature in its KU. I'm surprised that a browser is even letting you choose a cert with keyEncipherment only. If you think about it, mutual PKI authentication requires that the client first send its certificate, and then follow that with a CertificateVerify message, which is a digitally signed hash. If the client's certificate isn't capable of digital signature, by virtue of its keyUsage property, then it cannot use it for authentication.
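The two properties named in the reply above (digitalSignature in keyUsage, clientAuth in extendedKeyUsage) can be checked on any PEM certificate with the openssl CLI. The script below is an added example, not part of the original thread or of F5's products: it builds two constructed self-signed certificates (one with only keyEncipherment, one with digitalSignature) and runs the same check against both, so you can see which one would be rejected as a client-auth certificate. It assumes OpenSSL 1.1.1 or later (for `req -addext`); the certificate subject and file names are arbitrary.

```shell
#!/bin/sh
# Added example: inspect a client certificate's KU/EKU with openssl.
# Not from the forum thread; assumes OpenSSL >= 1.1.1 is on PATH.

# Print the line that follows a given extension header in `openssl x509 -text` output.
ext_value() {  # <cert.pem> <header text>
    openssl x509 -in "$1" -noout -text | awk -v h="$2" 'index($0, h) { getline; print; exit }'
}

# check_client_cert <cert.pem>
# Returns 0 when the cert carries both "Digital Signature" (keyUsage) and
# "TLS Web Client Authentication" (extendedKeyUsage); otherwise reports what
# is missing and returns 1. These are the two properties a client cert needs
# for TLS client authentication (the CertificateVerify message is a signature).
check_client_cert() {
    cert="$1"
    ku=$(ext_value "$cert" "X509v3 Key Usage")
    eku=$(ext_value "$cert" "X509v3 Extended Key Usage")
    rc=0
    case "$ku" in
        *"Digital Signature"*) ;;
        *) echo "$cert: keyUsage lacks digitalSignature (got: ${ku:-none})"; rc=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "$cert: extendedKeyUsage lacks clientAuth (got: ${eku:-none})"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$cert: OK for TLS client authentication"
    return "$rc"
}

# make_cert <out-prefix> <keyUsage values> <extendedKeyUsage values>
# Generates a constructed self-signed RSA cert for demonstration only.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=constructed client" \
        -addext "keyUsage=critical,$2" -addext "extendedKeyUsage=$3" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_cert "$DEMO_DIR/good" "digitalSignature" "clientAuth"
make_cert "$DEMO_DIR/bad"  "keyEncipherment"  "clientAuth"   # the situation described in the thread

# Expected: good.pem passes; bad.pem is reported as lacking digitalSignature.
check_client_cert "$DEMO_DIR/good.pem" || true
check_client_cert "$DEMO_DIR/bad.pem"  || true
```

To check a real certificate, run `check_client_cert /path/to/client.pem`; the `ext_value` helper just reads the line after each extension header in the `-text` dump, which is the same output format the question quotes.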