Question on "unsupported certificate purpose" error when trying to read the certificate on the web server

Thejus Prabhu tprabhu1989 at gmail.com
Wed Jul 21 22:34:03 UTC 2021


Hi,
I am new to openssl and learning how to use it.

I am trying to read the self-signed SSL certificate created on a webserver.
I am using OpenSSL 1.1.1k on the client machine when I make a request
using:

openssl s_client -showcerts -connect 192.168.1.200:443

I end up with the following error "unsupported certificate purpose" from
the server.

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint
verify return:1
---
Certificate chain
 0 s:O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint
   i:O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint
---
Server certificate
subject=O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint

issuer=O = Verint, C = US, CN = 192.168.1.200, L = Columbia, OU = Verint

---
No client certificate CA names sent
---
SSL handshake has read 1258 bytes and written 613 bytes
Verification error: unsupported certificate purpose
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: CE62110F0FC98BF92D285826C94F8E243287309A5B8C685763E228E5A121B04C
    Session-ID-ctx:
    Master-Key: 1CD43EA64ED4BAABE3E2BD1B33BFFDDB3E9505D1BF786C5137E23D8FC10B117B6F05709A03312288FAAFFB0990258706
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1626906266
    Timeout   : 7200 (sec)
    Verify return code: 26 (unsupported certificate purpose)
    Extended master secret: yes
---

Now I do not have access to the server, but I would like to know what
"unsupported certificate purpose" means. Could anyone throw some light on this?