Correct x509 Extentions for an SSLserver certificate

Question

I have a task to sign a SSLserver certificate request with my CA server.

I have created the certificate request via the SSLservers private key. I have then proceeded to sign this request with the existing CA servers certificate. However, when submitting the generated SSLserver certificate I receive an error informing me that the SSLserver certifcate has the incorrect x509 extensions, (See below for the ones in the certificate).

X509v3 extensions:
        X509v3 Basic Constraints: 
            CA:FALSE
        X509v3 Key Usage: critical
            Key Encipherment
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication
        X509v3 Subject Key Identifier: 
            F4:3C:05:E9:99:5F:AF:2C:9C:14:25:4E:A4:65:27:49:21:96:52:79
        X509v3 Authority Key Identifier: 
            keyid:06:D6:E7:09:5D:2A:FD:91:1F:55:3B:EA:8B:90:E8:B7:38:A1:DF:46

My question is what extentions should an SSLserver certifcate have?

Thank You.

score 1 · Answer 1 · edited Mar 17 '17 at 10:45

1

You're missing Basic Key Usage: Digital Signature

Also marking Extended Key Usage as critical may lead to incompatibilities.

See https://security.stackexchange.com/q/24106/3306 for details.

edited Mar 17 '17 at 10:45

Community

1
1

answered Sep 06 '13 at 13:45

Hubert Kario

21,314
3
24
44

Correct x509 Extentions for an SSLserver certificate

1 Answers1