Validating certificate wrong key usage



gondolin
OpenVpn Newbie

Validating certificate wrong key usage

Post by gondolin » Thu Apr 26, 2012 8:09 am

I have my own PKI system to create certificates.

When using the OpenVPN scripts for creating certificates all works fine, but with a certificate from my PKI it goes wrong.
According to the error the certificate has a wrong Key usage but I don't see it.


Log on client side

Code:

2012-04-26 09:23:16 us=702351 Incoming Ciphertext -> TLS
2012-04-26 09:23:16 us=703245 VERIFY OK: depth=2, C=BE, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=CA, emailAddress=admin@xxx.be
2012-04-26 09:23:16 us=705378 VERIFY OK: depth=1, C=BE, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=Applicatie_CA, emailAddress=admin@xxx.be, description=Applicatie CA
2012-04-26 09:23:16 us=707190 Validating certificate key usage
2012-04-26 09:23:16 us=707290 ++ Certificate has key usage  00b8, expects 00a0
2012-04-26 09:23:16 us=707378 ++ Certificate has key usage  00b8, expects 0088
2012-04-26 09:23:16 us=707465 VERIFY KU ERROR
2012-04-26 09:23:16 us=707587 SSL alert (write): fatal: certificate unknown
2012-04-26 09:23:16 us=707840 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-26 09:23:16 us=707957 TLS Error: TLS object -> incoming plaintext read error
2012-04-26 09:23:16 us=708045 TLS Error: TLS handshake failed


OpenVPN certificate

Code:

X509v3 Basic Constraints:
    CA:FALSE
X509v3 Subject Key Identifier:
    D4:D7:FA:67:D4:1F:E8:BA:21:06:78:CA:F5:B5:53:6C:40:B3:EF:FB
X509v3 Authority Key Identifier:
    keyid:83:62:CF:FB:8B:5E:D2:5D:C5:61:78:B2:F1:D2:A2:8B:A4:83:DA:15
    DirName:/C=BE/ST=xxx/L=xxx/O=xxx/OU=xxx/CN=CA/emailAddress=admin@xxx.be
    serial:04
X509v3 Key Usage:
    Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Server Authentication

Client certificate

Code:

X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Subject Key Identifier:
    93:EA:CE:BF:5B:ED:30:B2:6E:E2:D7:39:99:0B:31:09:C6:57:90:89
X509v3 Authority Key Identifier:
    keyid:AB:E3:9A:9A:A6:0A:D6:61:08:1B:DC:74:54:11:9D:17:72:81:AB:26
    DirName:/C=BE/ST=xxx/L=xxx/O=xxx/OU=xxxe/CN=CA/emailAddress=admin@xxx.be
    serial:02
X509v3 Key Usage:
    Digital Signature, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Client Authentication

janjust
Forum Team

Re: Validating certificate wrong key usage

Post by janjust » Thu Apr 26, 2012 9:54 am

Try playing with

Code:

--remote-cert-ku
--remote-cert-eku
to see if you can get the right key usage; the default for 'remote-cert-tls' is that it expects 0x00A0 and/or 0x00BB, but I forgot exactly *why* this is.

gondolin
OpenVpn Newbie

Re: Validating certificate wrong key usage

Post by gondolin » Thu Apr 26, 2012 12:52 pm

Well, no luck.

With --remote-cert-ku I get a segmentation fault on the server side, and
with --remote-cert-eku "TLS Web server Authentication" I'm getting close to resolving my problem. I see in the logs:

Code:

++ Certificate has EKU(str) TLS Web Server Authentication, expects TLS Web server Authentication.

And indeed the certificate has Server with an S and not an s.
When changing the s to S I get segmentation faults on the OpenVPN server.


:-(

Server side is OpenVPN 2.0.9 and the client Tunnelblick 3.3 with OpenVPN 2.3?
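The two checks this thread turns on, the key-usage (KU) bitmask comparison in the client log of the first post and the case-sensitive extended-key-usage (EKU) string comparison in the post just above, reconstructed as an added example in Python. This is not OpenVPN's code and not from the thread. The bit values are the RFC 5280 KeyUsage bits as OpenSSL numbers them; the expected masks 0x00a0 and 0x0088, the EKU name and the "++ Certificate has key usage" line format are taken from the log above. The log shows the server certificate's mask 0x00b8 being rejected even though it is a superset of both expected masks, so the comparison the logging client performed was an exact match, and that is what `ku_check` does. The `parse_remote_cert_ku` helper name and the sample strings are this example's own.

```python
"""Added example (not OpenVPN's own code): reproduce the KU and EKU checks
behind `remote-cert-tls server`, using the values from the thread above."""

# RFC 5280 KeyUsage bits, numbered the way OpenSSL reports them and the way
# OpenVPN prints them in "Certificate has key usage  %04x".
KU_BITS = {
    "Digital Signature": 0x0080,
    "Non Repudiation": 0x0040,
    "Key Encipherment": 0x0020,
    "Data Encipherment": 0x0010,
    "Key Agreement": 0x0008,
    "Certificate Sign": 0x0004,
    "CRL Sign": 0x0002,
    "Encipher Only": 0x0001,
    "Decipher Only": 0x8000,
}

# What `remote-cert-tls server` expected in the log above: the KU mask must
# equal 0x00a0 or 0x0088, and the EKU list must contain this exact string.
REMOTE_CERT_TLS_SERVER_KU = (0x00A0, 0x0088)
REMOTE_CERT_TLS_SERVER_EKU = "TLS Web Server Authentication"


def ku_from_names(key_usage_line):
    """Turn the text after 'X509v3 Key Usage:' (as printed by openssl x509
    -text) into the bitmask OpenVPN logs."""
    mask = 0
    for name in key_usage_line.split(","):
        mask |= KU_BITS[name.strip()]
    return mask


def parse_remote_cert_ku(values):
    """Hypothetical helper (assumption, not OpenVPN's parser): turn the hex
    values given to --remote-cert-ku, e.g. ["b8"], into expected masks."""
    return tuple(int(v, 16) for v in values)


def ku_check(cert_ku, expected):
    """Exact-match KU check as seen in the log: pass only if the certificate's
    mask equals one of the expected masks. Returns (ok, log_lines)."""
    log = []
    for exp in expected:
        log.append("++ Certificate has key usage  %04x, expects %04x" % (cert_ku, exp))
        if cert_ku == exp:
            return True, log
    log.append("VERIFY KU ERROR")
    return False, log


def eku_check(cert_ekus, expected):
    """EKU check: the expected name must equal one of the certificate's EKU
    names byte for byte, so 'Server' and 'server' do not match."""
    return any(expected == e for e in cert_ekus)


def describe_ku(mask):
    """Names set in a mask, for reading a 'has key usage 00b8' log line."""
    return [name for name, bit in KU_BITS.items() if mask & bit]


if __name__ == "__main__":
    # Server certificate KU line from the dump in the first post.
    server_ku = ku_from_names(
        "Digital Signature, Key Encipherment, Data Encipherment, Key Agreement")
    print("server cert KU = %04x = %s" % (server_ku, describe_ku(server_ku)))
    ok, lines = ku_check(server_ku, REMOTE_CERT_TLS_SERVER_KU)
    print("\n".join(lines), "->", "ok" if ok else "rejected")
    # Telling the client the mask the certificate actually has (remote-cert-ku b8).
    ok, _ = ku_check(server_ku, parse_remote_cert_ku(["b8"]))
    print("with remote-cert-ku b8 ->", "ok" if ok else "rejected")
    # The certificate says "Server"; a client expecting "server" rejects it.
    print("EKU 'server' vs 'Server' ->",
          eku_check(["TLS Web Server Authentication"], "TLS Web server Authentication"))
```

Run as a script it prints the server certificate's mask (00b8), the two failing comparisons and the VERIFY KU ERROR line exactly as in the log, then shows that `remote-cert-ku b8` would pass and that the lower-case EKU string does not.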

janjust
Forum Team

Re: Validating certificate wrong key usage

Post by janjust » Thu Apr 26, 2012 1:33 pm

Segfault?!? Can you generate a bogus key for me using your PKI setup and send it to me via private message or email?

gondolin
OpenVpn Newbie

Re: Validating certificate wrong key usage - SOLVED

Post by gondolin » Fri Apr 27, 2012 7:38 am

To be sure, I have upgraded my test server, and now with the --remote-cert-eku option in the config files it's working without any problems.


Thanks
