Thanks Dave for the response.

On Wed, May 15, 2013 at 11:29 PM, Dave Thompson <[email protected]> wrote:

> >From: [email protected] On Behalf Of isshed
> >Sent: Wednesday, 15 May, 2013 08:25
>
> >I have a self-signed certificate installed on a server with
> >the following extensions fields.
> >Key Usage:            Digital Signature, Key Encipherment (a0)
> >Basic Constraints :   Subject Type=End Entity, Path Length Constraint=None
> >Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1),
> >Client Authentication (1.3.6.1.5.5.7.3.2)
>
> >Now when my client tries to make a TLS connection with this server.
> >The client sends Client Hello and then the server responds with
> >Server Hello(which has the above self-signed certificate).
>
> Nit: the server sends a series of records; the record that contains
> the cert is not the ServerHello record. But the server does send
> the configured cert, which is the important point.
>

>>>ISSHED>> Yes, I agree that the server is sending a series of
records (the certificate is one of them). This is not important for me. For me
the important point is what the key usage content should be.

>
> >I installed this self-signed certificate with on my client.
> >My client is not able to verify the certificate and is terminating
> >the TLS connection with Alert message(Unknown CA).
> >My client is using openssl version "OpenSSL 1.0.1e".
>
> As explained in "Self-signed certificates and keyUsage extension"
> recently (5/10-11) OpenSSL validation requires that an "issuing"
> cert have keyusage including CertSign (or omitted = all usage) --
> and that includes a self-issued aka self-signed cert.
>


>>>ISSHED>> So you mean to say that the self-signed root certificate
should either not contain this "Key Usage Extension" or, if it contains
it, should have the keyCertSign bit set; only then will the public key be
used to verify the certificate? Am I correct?



Thanks

>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
>