
Re: Help with invalid certificate problem


Vivek

Feb 7, 2006, 9:04:05 AM
I am facing the same problem: a client certificate working with IE but
not with FF/ Mozilla/NSS

"Could not establish an encrypted connection because certificate
presented by is invalid or corrupted. Error code: -8102"

Could anyone please tell me how to set the server extension to include
"Key encipherment" for "key usage"? Currently it has only digital
signature as its value.
While creating the server cert I could not see any option to include
such an option also.

We set up the CA using Entrust and I am using IIS 6.0 for the
web-server.

Please help, I am a newbie with CA / SSL security.

Regards,
- Vivek

Simon Coffey wrote:
> I am looking into a problem that occurs with SSL certificates, when
> using Mozilla based browsers (actually, anything other than IE I think)
> and an SSL reverse proxy that is part of a firewall I support.
>
> Mozilla rejects the certificate offered as "invalid or corrupt".
>
> Full error: Could not establish an encrypted connection because
> certificate presented by <server> is invalid or corrupted. Error code:
> -8102.
>
> The firewall supplier doesn't seem to be that bothered about fixing this.
> I thought I'd see if I couldn't identify exactly what is the problem
> and point this out to the supplier, perhaps then they might fix it.
>
> So, I don't know that much about SSL certs. I was wondering whether
> anyone could take a look at the packet trace attached and suggest why
> Mozilla rejects the cert?

I surely wish that Mozilla's security error messages would all display
a readable and meaningful error message instead of a number.

I didn't look at your packet trace, but I believe error -8102
SEC_ERROR_INADEQUATE_KEY_USAGE means that either the SSL server cert
itself or one of the issuing certificate authority (CA) certs in the
"cert chain" for that server certificate has a "usage extension" that
limits the purposes for which the cert can be used, and the allowed set
of purposes (or "usages") doesn't include the purpose necessary to be an
SSL server, or a CA for an SSL server (if it was a CA cert).

For an SSL server, the cert needs to be allowed "key encipherment" usage
(assuming the public key is an RSA public key). For a CA for an SSL
server, the cert needs to be allowed "certificate signing" usage. The
certificate authority that issued the certificate controls those
extensions, I believe, and if that party says that the cert isn't good
for a certain purpose, Mozilla honors that. Honoring certificate
extensions is what PKI security software that handles certificates is
expected to do, if I'm not mistaken.
Perhaps not all browsers do that though. :)
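
The key usage rule described in the reply above, as an added example that is not part of the original posts and is not NSS code: it decodes the DER BIT STRING carried in a certificate's keyUsage extension and checks it against the role the certificate is playing. The function names, role labels and sample bytes are constructed for illustration, and treating an absent extension as "no restriction" is an assumption of this sketch.

```python
# Added example; names are illustrative, not NSS identifiers.
# Bit order of the X.509 KeyUsage BIT STRING (bit 0 is the most significant bit).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(body) and body[byte] & (0x80 >> bit):
            usages.add(name)
    return usages

def check_usage(der, role):
    """Return (ok, reason) for role 'rsa_ssl_server' or 'ssl_ca'."""
    required = {"rsa_ssl_server": "keyEncipherment", "ssl_ca": "keyCertSign"}[role]
    if der is None:  # assumption: extension absent means no restriction
        return True, "no keyUsage extension"
    usages = decode_key_usage(der)
    if required in usages:
        return True, f"{required} present"
    return False, f"inadequate key usage: {required} missing, cert allows {sorted(usages)}"

# Constructed sample extension values (not taken from the thread's certificates).
SAMPLES = {
    "server, digitalSignature only": (bytes.fromhex("03020780"), "rsa_ssl_server"),
    "server, digitalSignature + keyEncipherment": (bytes.fromhex("030205a0"), "rsa_ssl_server"),
    "CA, keyCertSign + cRLSign": (bytes.fromhex("03020106"), "ssl_ca"),
    "server, no extension": (None, "rsa_ssl_server"),
}

if __name__ == "__main__":
    for label, (der, role) in SAMPLES.items():
        print(label, "->", check_usage(der, role))
```

The first sample matches the situation in the post above (digital signature as the only key usage value) and is the one that fails the check.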

WeeksRegina

Nov 6, 2011, 3:49:15 AM
freelance writer

