The relevant usage information of the client cert is:

| | subjectPublicKeyInfo
| | | algorithm (rsaEncryption)
| | | | Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
| | | Padding: 0
| | | subjectPublicKey: ...
| | extensions: 4 items
| | | Extension (id-ce-cRLDistributionPoints)
| | | | Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
| | | | CRLDistPointsSyntax: 1 item
| | | Extension (id-ce-basicConstraints)
| | | | Extension Id: 2.5.29.19 (id-ce-basicConstraints)
| | | | BasicConstraintsSyntax [0 length]
| | | Extension (id-ce-keyUsage)
| | | | Extension Id: 2.5.29.15 (id-ce-keyUsage)
| | | | Padding: 5
| | | | KeyUsage: e0 (digitalSignature, contentCommitment, keyEncipherment)
| | | | | 1... .... = digitalSignature: True
| | | | | .1.. .... = contentCommitment: True
| | | | | ..1. .... = keyEncipherment: True
| | | | | ...0 .... = dataEncipherment: False
| | | | | .... 0... = keyAgreement: False
| | | | | .... .0.. = keyCertSign: False
| | | | | .... ..0. = cRLSign: False
| | | | | .... ...0 = encipherOnly: False
| | | | | 0... .... = decipherOnly: False
| | | Extension (id-ce-extKeyUsage)
| | | | Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
| | | | KeyPurposeIDs: 1 item
| | | | | KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
| algorithmIdentifier (shaWithRSAEncryption)
I've also tested a key from startssl. Here it seems to work to submit the key. The relevant parts are:

| | | | | | subjectPublicKeyInfo
| | | | | | | algorithm (rsaEncryption)
| | | | | | | | Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
| | | | | | | Padding: 0
| | | | | | | subjectPublicKey: ...
| | | | | | extensions: 10 items
| | | | | | | Extension (id-ce-basicConstraints)
| | | | | | | | Extension Id: 2.5.29.19 (id-ce-basicConstraints)
| | | | | | | | BasicConstraintsSyntax [0 length]
| | | | | | | Extension (id-ce-keyUsage)
| | | | | | | | Extension Id: 2.5.29.15 (id-ce-keyUsage)
| | | | | | | | Padding: 4
| | | | | | | | KeyUsage: b0 (digitalSignature, keyEncipherment, dataEncipherment)
| | | | | | | | | 1... .... = digitalSignature: True
| | | | | | | | | .0.. .... = contentCommitment: False
| | | | | | | | | ..1. .... = keyEncipherment: True
| | | | | | | | | ...1 .... = dataEncipherment: True
| | | | | | | | | .... 0... = keyAgreement: False
| | | | | | | | | .... .0.. = keyCertSign: False
| | | | | | | | | .... ..0. = cRLSign: False
| | | | | | | | | .... ...0 = encipherOnly: False
| | | | | | | | | 0... .... = decipherOnly: False
| | | | | | | Extension (id-ce-extKeyUsage)
| | | | | | | | Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
| | | | | | | | KeyPurposeIDs: 2 items
| | | | | | | | | KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
| | | | | | | | | KeyPurposeId: 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection)
| | | | | | | Extension (id-ce-subjectKeyIdentifier)
| | | | | | | | Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
| | | | | | | | SubjectKeyIdentifier: bb5a39bb699ba8db7a1732e4c31342d2eb43ec0b
| | | | | | | Extension (id-ce-authorityKeyIdentifier)
| | | | | | | | Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
| | | | | | | | AuthorityKeyIdentifier
| | | | | | | Extension (id-ce-subjectAltName)
| | | | | | | | Extension Id: 2.5.29.17 (id-ce-subjectAltName)
| | | | | | | | GeneralNames: 1 item
| | | | | | | Extension (id-ce-certificatePolicies)
| | | | | | | | Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
| | | | | | | | CertificatePoliciesSyntax: 1 item
| | | | | | | Extension (id-ce-cRLDistributionPoints)
| | | | | | | | Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
| | | | | | | | CRLDistPointsSyntax: 1 item
| | | | | | | Extension (id-pe-authorityInfoAccessSyntax)
| | | | | | | | Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
| | | | | | | | AuthorityInfoAccessSyntax: 2 items
| | | | | | | Extension (id-ce-issuerAltName)
| | | | | | | | Extension Id: 2.5.29.18 (id-ce-issuerAltName)
| | | | | | | | GeneralNames: 1 item
| | | | | algorithmIdentifier (sha256WithRSAEncryption)
| | | | | | Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
| | | | | Padding: 0

What comes to my eyes is that startssl disables contentCommitment and enables dataEncipherment. They also have an extra purpose: id-kp-emailProtection. But these should not be relevant for client certificates when using HTTPS.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
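Added example, not part of the bug report above: a small pure-Python decoder for the KeyUsage extension value that reproduces the dissector's bit listing (including the unused-bit count shown as "Padding"), plus the checks a TLS server side typically makes on a client certificate: keyUsage, when present, must assert digitalSignature (the client signs CertificateVerify), and extKeyUsage, when present, must contain id-kp-clientAuth or anyExtendedKeyUsage. The two DER values 03 02 05 e0 and 03 02 04 b0 are constructed here from the KeyUsage and Padding fields in the two dumps; the function names are my own and are not from any library.

```python
"""Decode X.509 KeyUsage BIT STRINGs and check client-auth suitability.

Added example; not code from the bug report. Constructed inputs below
reproduce the two KeyUsage values from the dumps (e0/padding 5 and
b0/padding 4).
"""
from typing import Optional

# RFC 5280 section 4.2.1.3: bit 0 is the most significant bit of the
# first content byte; bit 8 (decipherOnly) spills into a second byte.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "contentCommitment",  # bit 1 (formerly nonRepudiation)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (as in the dumps)
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # anyExtendedKeyUsage


def decode_key_usage(der: bytes) -> dict:
    """Parse a DER BIT STRING (tag 0x03) carrying KeyUsage.

    Returns the unused-bit count ("Padding" in the dissector), the raw
    content bytes as hex, and the set of asserted usage names. Malformed
    encodings raise ValueError rather than being silently accepted.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    padding = der[2]
    content = der[3:]
    if padding > 7 or (padding and not content):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if content and content[-1] & ((1 << padding) - 1):
        raise ValueError("non-zero padding bits")
    usable_bits = len(content) * 8 - padding
    usages = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        if index >= usable_bits:
            break
        byte, bit = divmod(index, 8)
        if content[byte] & (0x80 >> bit):
            usages.add(name)
    return {"padding": padding, "raw": content.hex(), "usages": usages}


def usable_for_tls_client_auth(key_usage: Optional[set],
                               ext_key_usage: Optional[list]) -> tuple:
    """Return (ok, problems) for a client certificate's usage extensions.

    Either argument may be None when the extension is absent, in which
    case that extension imposes no restriction.
    """
    problems = []
    if key_usage is not None and "digitalSignature" not in key_usage:
        problems.append("keyUsage lacks digitalSignature "
                        "(needed to sign CertificateVerify)")
    if (ext_key_usage is not None
            and ID_KP_CLIENT_AUTH not in ext_key_usage
            and ANY_EXTENDED_KEY_USAGE not in ext_key_usage):
        problems.append("extKeyUsage present but lacks id-kp-clientAuth")
    return (not problems, problems)


# Constructed from the two dumps: first cert e0 with 5 unused bits,
# startssl cert b0 with 4 unused bits.
FIRST_CERT_KU = bytes.fromhex("030205e0")
STARTSSL_KU = bytes.fromhex("030204b0")


def compare_dumps() -> dict:
    """Decode both constructed values and report what differs."""
    first = decode_key_usage(FIRST_CERT_KU)["usages"]
    second = decode_key_usage(STARTSSL_KU)["usages"]
    return {
        "only_first": first - second,
        "only_startssl": second - first,
        "both_ok": (usable_for_tls_client_auth(first, [ID_KP_CLIENT_AUTH])[0]
                    and usable_for_tls_client_auth(second, [ID_KP_CLIENT_AUTH])[0]),
    }


if __name__ == "__main__":
    for label, der in (("first", FIRST_CERT_KU), ("startssl", STARTSSL_KU)):
        info = decode_key_usage(der)
        print(label, info["raw"], "padding", info["padding"], sorted(info["usages"]))
    print(compare_dumps())
```

Running it confirms the observation in the message: the two certificates differ only in contentCommitment and dataEncipherment, and both carry the digitalSignature bit and id-kp-clientAuth that TLS client authentication actually depends on, so neither usage difference explains a client-cert failure on its own.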