javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication

I have a service exposed on a two-way SSL (mutual TLS) port on my server. When a new client tried to consume the service, we saw the above error in our server log. We double-checked: we had the client cert in our server trust store, and the client had our server cert in their trust store. We enabled the SSL debug parameter -Djavax.net.debug=all to see the SSL handshake details.

In the SSL handshake details, I saw the following happen as part of the handshake:

1. Client hello.

2. Server hello.

   a. The server sends its identity cert.

   b. The server challenges the client to send its cert by issuing a "CertificateRequest". We see the client CAs listed in this certificate request.

3. The client provides its certificate chain.

4. The server fails to validate that cert with the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication

The client certificate looks something like this:

chain [0] = [
[
  Version: V3
  Subject: CN=XXXX, OU=XXXXXXXXX, O=XXXX, C=US
  .
  .
  .
  [5]: ObjectId: 2.5.29.37 Criticality=false
  ExtendedKeyUsages [
    serverAuth
  ]

So as you can see, the client cert was issued with an Extended Key Usage extension that only allows serverAuth. Because the server validates the client cert specifically for TLS client authentication, that EKU is rejected. We had the client reissue their certificate with clientAuth included in the Extended Key Usage.
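To make the check concrete, here is an added example (not code from the original post, and not the JDK's own implementation) that parses the Extended Key Usage extension straight out of a DER-encoded certificate and applies the same rule the JDK validator uses: a cert with no EKU extension passes, while a cert that has one must list clientAuth or anyExtendedKeyUsage. The two sample certificates are constructed skeletons that carry only the extensions block (assumed, not real certs); the OIDs and purpose names are the standard ones.

```python
EKU_OID = "2.5.29.37"
EKU_NAMES = {"2.5.29.37.0": "anyExtendedKeyUsage", "1.3.6.1.5.5.7.3.1": "serverAuth",
             "1.3.6.1.5.5.7.3.2": "clientAuth", "1.3.6.1.5.5.7.3.3": "codeSigning"}

def _tlv(buf, pos):  # decode one DER tag/length/value at pos -> (tag, value bytes, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # OBJECT IDENTIFIER contents (base-128 arcs) -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def _find_eku(buf):  # depth-first search for the Extension whose extnID is 2.5.29.37
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        if tag in (0x30, 0x31) or (tag & 0xE0) == 0xA0:   # SEQUENCE, SET or [n] EXPLICIT: descend
            is_ext = tag == 0x30 and val[:1] == b"\x06" and _oid(_tlv(val, 0)[1]) == EKU_OID
            hit = val if is_ext else _find_eku(val)
            if hit is not None:
                return hit
    return None

def extended_key_usages(der_cert):
    """EKU purposes as names (unknown ones as dotted OIDs); [] if the extension is absent."""
    ext = _find_eku(der_cert)
    if ext is None:
        return []
    tag, val, pos = _tlv(ext, _tlv(ext, 0)[2])           # element following extnID
    if tag == 0x01:                                      # optional 'critical' BOOLEAN
        tag, val, pos = _tlv(ext, pos)
    seq, purposes, p = _tlv(val, 0)[1], [], 0            # extnValue OCTET STRING wraps SEQUENCE OF OID
    while p < len(seq):
        _, oid_bytes, p = _tlv(seq, p)
        purposes.append(EKU_NAMES.get(_oid(oid_bytes), _oid(oid_bytes)))
    return purposes

def permits_tls_client_auth(der_cert):
    ekus = extended_key_usages(der_cert)   # JDK rule: no EKU extension means any purpose is allowed
    return not ekus or not {"clientAuth", "anyExtendedKeyUsage"}.isdisjoint(ekus)
# Constructed samples, not real certs: Certificate > TBSCertificate > [3] Extensions > EKU Extension,
# every other TBSCertificate field omitted. The first carries the serverAuth-only EKU from the dump.
SERVER_AUTH_ONLY = bytes.fromhex("301b3019a31730153013 0603551d25 040c300a 06082b06010505070301")
SERVER_AND_CLIENT_AUTH = bytes.fromhex(
    "30253023a321301f301d 0603551d25 04163014 06082b06010505070301 06082b06010505070302")
```

On a real client certificate, feed `extended_key_usages()` the DER bytes (for example the output of `openssl x509 -outform DER`) to confirm clientAuth is present before the cert is deployed against a mutual-TLS endpoint.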

The following are the possible Extended Key Usage values for a cert, from the OpenSSL documentation:

serverAuth        SSL/TLS Web Server Authentication.
clientAuth        SSL/TLS Web Client Authentication.
codeSigning       Code signing.
emailProtection   E-mail Protection (S/MIME).
timeStamping      Trusted Timestamping.
msCodeInd         Microsoft Individual Code Signing (authenticode).
msCodeCom         Microsoft Commercial Code Signing (authenticode).
msCTLSign         Microsoft Trust List Signing.
msSGC             Microsoft Server Gated Crypto.
msEFS             Microsoft Encrypted File System.
nsSGC             Netscape Server Gated Crypto.