[Help-gnutls] Key usage violation in certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Nov 4 07:25:50 CET 2008


Kevin P. Fleming wrote:
> Nikos Mavrogiannopoulos wrote:
> 
>> It seems gnutls fails because the (client) certificate it uses for
>> authentication doesn't support signing (and TLS client certificates
>> must support it).
>>
>> Check (with certtool -i) if the client certificate contains the
>> following lines:
>>
>> 	Key Usage (critical):
>> 		Digital signature.
> 
> Yes, I used openssl's pkcs12 command to extract the cert from the .p12
> file that it lives in, then used 'certtool -i --infile cert.pem', and
> this is the output:

Could it be then that libneon selected a wrong certificate from the
pkcs12 file? Does it use gnutls_certificate_set_x509_simple_pkcs12_file()?

I took a quick look at gnutls_certificate_set_x509_simple_pkcs12_file() and
it looks very simple, so it might add the first certificate whether or not
it corresponds to the key. In that case it is a gnutls bug and will be
fixed. (Workaround: use a single certificate in the pkcs12 file.)

regards,
Nikos
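The two checks discussed in this thread, as an added example that is not part of the original message and not code from gnutls or neon: given a PKCS#12 file, extract the private key and every certificate in the bag, then select the one certificate that both belongs to the key and carries the Digital Signature key usage that TLS client authentication requires. It assumes an `openssl` binary (1.1.1 or newer, for `-addext`) on PATH; the file names, the password `secret` and the two self-signed test certificates are constructed fixtures.

```shell
#!/bin/sh
# Added example: pick the usable TLS client certificate out of a PKCS#12 bag.
# Assumes openssl 1.1.1+ on PATH. All file names and passwords are hypothetical.

# 0 if the certificate's public key equals the public half of the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the X509v3 Key Usage extension is present and lists Digital Signature
# (the same thing the thread asks the user to look for in certtool -i output).
cert_has_digital_signature() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'
}

# Print the subject of the certificate that matches the key AND can sign.
# Fails if the bag contains no such certificate, whatever its order in the file.
# Usage: select_client_cert bundle.p12 password
select_client_cert() {
    p12=$1; pass=$2
    work=$(mktemp -d) || return 1
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" \
      -out "$work/key.pem" 2>/dev/null || { rm -rf "$work"; return 1; }
    # Split every certificate in the bag into its own file (Bag Attributes dropped).
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" 2>/dev/null \
      | awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert" n ".pem"}
                          f{print > f} /-----END CERTIFICATE-----/{f=""}'
    rc=1
    for c in "$work"/cert*.pem; do
        [ -f "$c" ] || break
        if cert_matches_key "$c" "$work/key.pem" && cert_has_digital_signature "$c"; then
            openssl x509 -in "$c" -noout -subject -nameopt RFC2253
            rc=0
            break
        fi
    done
    rm -rf "$work"
    return $rc
}

# Constructed fixtures: key A with a signing certificate, key B with an
# encipherment-only certificate, and two bags that each carry both certificates.
make_fixtures() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-signing" \
      -addext "keyUsage=critical,digitalSignature" \
      -keyout "$dir/keyA.pem" -out "$dir/certA.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=encipher-only" \
      -addext "keyUsage=critical,keyEncipherment" \
      -keyout "$dir/keyB.pem" -out "$dir/certB.pem" 2>/dev/null || return 1
    # good.p12: key A, its certificate, plus an unrelated certificate in the bag
    openssl pkcs12 -export -passout pass:secret -inkey "$dir/keyA.pem" \
      -in "$dir/certA.pem" -certfile "$dir/certB.pem" -out "$dir/good.p12" || return 1
    # bad.p12: key B, whose only matching certificate cannot sign
    openssl pkcs12 -export -passout pass:secret -inkey "$dir/keyB.pem" \
      -in "$dir/certB.pem" -certfile "$dir/certA.pem" -out "$dir/bad.p12" || return 1
}

# Build the fixtures, print the subject selected from good.p12, and verify
# that bad.p12 is rejected rather than silently yielding a non-signing cert.
demo() {
    tmp=$(mktemp -d) || return 1
    make_fixtures "$tmp" || { rm -rf "$tmp"; return 1; }
    good=$(select_client_cert "$tmp/good.p12" secret) || { rm -rf "$tmp"; return 1; }
    if select_client_cert "$tmp/bad.p12" secret >/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    printf '%s\n' "$good"
}

demo
```

Because the selection keys off the public key and the key usage bits rather than bag order, it gives the right answer even for a bundle where the first certificate is not the one that belongs to the key, which is exactly the case the message above suspects the "simple" pkcs12 loader of getting wrong.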
