Classification: FMOS
Category: X.509 certificate usage or issue
Severity: Error
Summary
The required extendedKeyUsage flags are missing from the supplied certificate.
Description
This error is reported by fmos pki import-server-cert or fmos pki import-cpl-cert when the supplied certificate has a extendedKeyUsage extension, but the options set make the certificate unsuitable for use as the server certificate.
Impact
X.509v3 certificates can include an extension that indicates the intended use for the certificate. Certificates without this extension are considered usable for all purposes, while certificates with the extension can only be used for the explicitly stated purposes. Most clients, including subordinate FMOS machines, will refuse to communicate with a server that presents a certificate with a extendedKeyUsage extension that does not match their expectations.
Cause
In order for a certificate to be usable as the server or control panel certificate, it must have the following values in its extendedKeyUsage extension:
-
serverAuth
Alternatively, the certificate can omit the extendedKeyUsage extension, indicating that it is valid for all purposes.
If the supplied certificate has a extendedKeyUsage extension and it does not include all of the above values, it cannot be used as the server or control panel certificate.
Resolution
To resolve this issue, the certificate will need to be replaced. Contact the certificate authority for instructions on how to obtain a certificate with the correct extendedKeyUsage values.
Comments
0 comments
Article is closed for comments.