Client certificate fails with "unsupported certificate purpose" from iPad, works in desktop browsers

nrahl nginx-forum at
Wed Feb 15 21:58:27 UTC 2017

We have client certificates set up and working for desktop browsers, but
when using the same certificates that work on the desktop browser from an
iPad, we get a "400: The SSL certificate error" in the browser, and the
following in the log:

"18205#18205: *11 client SSL certificate verify error: (26:unsupported
certificate purpose) while reading client request headers, client"

"openssl x509 -purpose" for the cert used to create the pkcs12 file is:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Which appears to be the correct purpose, and it does work in regular
browsers. We have a CA, and intermediate CA to sign the client certs and
then the client cert itself.

The command used to create the pkcs file is:

openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile
ca.comb -nodes -passout pass:mypassword

Where ca.comb is the file specified in the ssl_client_certificate directive,
which contains the public certificates for the CA, and the intermediary CA.

Since this works fine on desktop browsers, I'm not sure what to check. How
can I figure out what is going wrong?

Posted at Nginx Forum:,272444,272444#msg-272444

More information about the nginx mailing list