>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Thursday, 04 October, 2012 14:31

>I have a self-signed certificate created and I have loaded that 
>into a trust store of the client. I have also configured the Server 
>with that self-signed certificate. So when I try to establish a 
>connection I get the exception in the following code

>v3_purp.c
<snip>
>    else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
>        return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;   //Exception thrown here

Aside: C doesn't "throw" exceptions as some other languages do 
(including C++). This is really "returned", or at most "raised".
But that doesn't affect your point.

>Any inputs on why the client is throwing the X509_V_ERR_KEYUSAGE_NO_CERTSIGN
>exception?

Because the cert has a KeyUsage extension that excludes certSign. 
OpenSSL requires issuer certs to have certSign -- and treats a 
selfsigned cert as issuing itself, which is somewhat debatable.

>Here my server is Microsoft SQL Server, the client uses openssl. Also this 
>issue occurs only when I create a self-signed certificate using the IIS 
>server!!!

You create with IIS but use in SQLserver? On the (one) IIS-manager 
I have access to (but don't normally use) "create self-signed cert..." 
creates KU keyEncrypt,dataEncrypt and EKU serverAuth -- which 
violates RFC 5280 as I read it but hey that's Microsoft for you. 
(And per RFC 5246 it allows only plain RSA not DHE-RSA or ECDHE-RSA, 
but plain RSA is widely supported, probably widest.)

Options:

- create (or get created) a key + selfsigned cert with KU having 
certSign in addition to keyEncrypt (and preferably digSign), 
or KU omitted (then relier must default to allow-all-usage).
This is easy to do with openssl 'req -new -x509'.

- use a CA-issued cert, where the CA's root and issued certs have 
desired or omitted KU. A real CA already does this, and one you 
create with openssl ('ca' or just 'x509 -req') easily can.
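To see the difference described above, here is an added example (my own script, not from the thread) that builds two self-signed certificates with 'openssl req -new -x509', one with the IIS-style keyUsage lacking certSign and one with certSign added, and checks whether 'openssl verify' accepts each as its own issuer. The subject name, file names and the basicConstraints line are my assumptions; CA:TRUE is set on both certs because RFC 5280 requires the cA flag wherever keyCertSign is asserted, so keyUsage is the only difference between them.

```shell
#!/bin/sh
# Added example, not from the thread: two self-signed certs made with
# 'openssl req -new -x509' that differ only in keyUsage, each then
# offered to 'openssl verify' as its own trust anchor.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a req config with the given keyUsage list and create the cert.
# CA:TRUE on both certs (RFC 5280 requires it where keyCertSign is set)
# keeps keyUsage the only variable. Subject name is constructed.
# $1 = file prefix, $2 = keyUsage value
make_selfsigned() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = sqlserver.example.test
[ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, $2
extendedKeyUsage = serverAuth
EOF
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Print the decoded keyUsage bits of a cert.
key_usage_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ */, ""); print; exit }'
}

# Print "accepted" or "rejected". -check_ss_sig makes verify apply the
# issuer checks (signature and keyUsage) to the self-signed root too.
verify_result() {
    if openssl verify -check_ss_sig -CAfile "$WORK/$1.pem" "$WORK/$1.pem" \
        >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# keyUsage as the reply describes the IIS-made cert: no certSign.
make_selfsigned iis "keyEncipherment, dataEncipherment"
# keyUsage as the reply recommends: certSign added to keyEncrypt and digSign.
make_selfsigned fixed "digitalSignature, keyEncipherment, keyCertSign"

for n in iis fixed; do echo "$n: $(key_usage_of "$n") -> $(verify_result "$n")"; done
```

The "iis" cert is rejected because OpenSSL treats the self-signed cert as its own issuer and an issuer whose keyUsage omits certSign may not sign; the "fixed" cert verifies.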


