Category: X.509 certificate usage or issue
The required extendedKeyUsage flags are missing from the supplied certificate.
This error is reported by fmos pki import-server-cert or fmos pki import-cpl-cert when the supplied certificate has a extendedKeyUsage extension, but the options set make the certificate unsuitable for use as the server certificate.
X.509v3 certificates can include an extension that indicates the intended use for the certificate. Certificates without this extension are considered usable for all purposes, while certificates with the extension can only be used for the explicitly stated purposes. Most clients, including subordinate FMOS machines, will refuse to communicate with a server that presents a certificate with a extendedKeyUsage extension that does not match their expectations.
In order for a certificate to be usable as the server or control panel certificate, it must have the following values in its extendedKeyUsage extension:
Alternatively, the certificate can omit the extendedKeyUsage extension, indicating that it is valid for all purposes.
If the supplied certificate has a extendedKeyUsage extension and it does not include all of the above values, it cannot be used as the server or control panel certificate.
To resolve this issue, the certificate will need to be replaced. Contact the certificate authority for instructions on how to obtain a certificate with the correct extendedKeyUsage values.