Client certificate fails with "unsupported certificate purpose" from iPad, works in desktop browsers
nrahl
nginx-forum at forum.nginx.org
Wed Feb 15 21:58:27 UTC 2017
We have client certificates set up and working for desktop browsers, but
when using the same certificates that work on the desktop browser from an
iPad, we get a "400: The SSL certificate error" in the browser, and the
following in the log:
"18205#18205: *11 client SSL certificate verify error: (26:unsupported
certificate purpose) while reading client request headers, client"
"openssl x509 -purpose" for the cert used to create the pkcs12 file is:
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Which appears to be the correct purpose, and it does work in regular
browsers. We have a CA, and intermediate CA to sign the client certs and
then the client cert itself.
The command used to create the pkcs file is:
openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile
ca.comb -nodes -passout pass:mypassword
Where ca.comb is the file specified in the ssl_client_certificate directive,
which contains the public certificates for the CA, and the intermediary CA.
Since this works fine on desktop browsers, I'm not sure what to check. How
can I figure out what is going wrong?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272444,272444#msg-272444
More information about the nginx
mailing list