Certificate key usage inadequate for attempted operation


Keshava Bharadwaj

Nov 16, 2017, 2:07:31 AM11/16/17
to Vault
Hi,

We are using certificates provided by a CA to run vault on TLS.
The provided CA is an intermediate CA.
Below are the outputs (Some are masked since they contain private information)

1. I've appended the server certificate provided by the CA and the CA's root certificate itself into one certificate
and am using it to run Vault (as per the recommendation at https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cert_file ).

Vault is running fine.

2. On the client node, I've added the CA's root certificate into the trust store.

root@7fc69133420d:/files# cp root.crt /usr/local/share/ca-certificates/
root@7fc69133420d:/usr/local/share/ca-certificates# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@7fc69133420d:/usr/local/share/ca-certificates# awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i 'xxxx CA'
subject=C = xx, ST = xx, L = xxxx, O = xxxxx Inc., OU = xxxxxx, CN = xxxx CA


3. Now, if I try to access Vault, I'm getting the following error

$ curl https://vault-xxxxx.com:8200/v1/sys/health
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://curl.haxx.se/docs/sslcerts.html

$ openssl s_client -showcerts -connect vault-xxxxxx.com:8200 | more
depth= ------------------------------------------------------------
verify error:num=20:unable to get local issuer certificate


Can someone let me know what the problem might be?


Thanks,
Keshava

Keshava Bharadwaj

Nov 20, 2017, 1:42:41 AM11/20/17
to Vault
Hi,

Can someone help here?

Thanks

David Adams

Nov 20, 2017, 5:42:14 AM11/20/17
to vault...@googlegroups.com
Sounds like the certificate issuer for the cert on Vault does not match the CA cert you installed.

Try running this command to see if the issuer of the cert you are getting from the server matches the root.crt you installed:

    $ : | openssl s_client -connect vault-xxxxxx.com:8200 2>/dev/null |openssl x509 -noout -issuer


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/bcce42f5-1cef-4f62-a822-fee32b54db5f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Keshava Bharadwaj

Nov 20, 2017, 8:59:20 AM11/20/17
to Vault
Hi David,

I had checked this and they do match -

$ openssl s_client -connect vault-xxxx.com:8200 2>/dev/null |openssl x509 -noout -issuer
issuer= /C=US/ST=California/L=xxxx/O=xxxx Inc./OU=Security/CN=xxxx

$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.trust.crt | grep -i xxxx

subject= /C=US/ST=California/L=xxxx/O=xxxx Inc./OU=Security/CN=xxxx

Thanks

Jeff Mitchell

Nov 30, 2017, 9:50:05 AM11/30/17
to Vault
Hi Keshava,

Can you print out the cert info? Something like:

openssl x509 -in server.crt -noout -text

If your certs are in DER format you'll probably need to add "-inform der" to the command.

Best,
Jeff


Keshava Bharadwaj

Nov 30, 2017, 10:09:37 PM11/30/17
to Vault
Hi Jeff,

Figured out the problem. It was that the server certificates we use to run Vault did not have the required extensions.

They had only this -

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature


and hence curl was throwing error.

Thanks,
Keshava
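The check behind Keshava's finding, as an added example that is not part of the thread: a small Go program that inspects a server certificate's Key Usage and Extended Key Usage the way a strict TLS client does, run against a constructed self-signed RSA certificate carrying only Digital Signature (the profile shown above) and, in the test, against a corrected one. The certificate, its CommonName and the rule that an NSS-based client (curl here) requires keyEncipherment on an RSA server certificate are assumptions of this example, not something the thread states.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverCertProblems lists why a leaf certificate is unfit for a TLS server. Key Usage is
// enforced only when the extension is present; an RSA server cert without keyEncipherment
// is what NSS-based curl reports as "key usage inadequate" (assumed NSS rule).
func serverCertProblems(c *x509.Certificate) (problems []string) {
	if _, rsaKey := c.PublicKey.(*rsa.PublicKey); rsaKey && c.KeyUsage != 0 &&
		c.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		problems = append(problems, "RSA Key Usage lacks keyEncipherment (key usage inadequate)")
	}
	serverAuth := len(c.ExtKeyUsage) == 0 // no EKU extension means unrestricted
	for _, e := range c.ExtKeyUsage {
		serverAuth = serverAuth || e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageAny
	}
	if !serverAuth {
		problems = append(problems, "Extended Key Usage present but lacks serverAuth")
	}
	return problems
}

// selfSigned mints a throwaway RSA certificate (constructed for this example only).
func selfSigned(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vault.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku, BasicConstraintsValid: true, // CA:FALSE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	bad, _ := selfSigned(x509.KeyUsageDigitalSignature, nil) // the thread's profile: CA:FALSE, Digital Signature only
	fmt.Println(serverCertProblems(bad))
}
```

Running it against a real PEM file is a matter of swapping selfSigned for pem.Decode plus x509.ParseCertificate on the server certificate.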