Question on "unsupported certificate purpose" error when trying to read the certificate on the web server

Kyle Hamilton aerowolf at gmail.com
Thu Jul 22 00:02:17 UTC 2021


An EE certificate is an "end entity" certificate, which identifies an
entity that isn't a certifier.

On Wed, Jul 21, 2021, 18:23 Thejus Prabhu <tprabhu1989 at gmail.com> wrote:

> Thanks for your reply Viktor. I would like to add that this is a self
> signed certificate created on the server. What is EE certificate?
>
>
> On Wed, Jul 21, 2021 at 6:55 PM Viktor Dukhovni <
> openssl-users at dukhovni.org> wrote:
>
>> On Wed, Jul 21, 2021 at 06:34:03PM -0400, Thejus Prabhu wrote:
>>
>> > verify error:num=26:unsupported certificate purpose
>>
>> The certificate in question is CA certificate, not an EE certificate.
>> Specifically, the key usage and Netscape Cert Type signal that its
>> purpose is exclusively to be a CA, not a TLS server.
>>
>>     X509v3 Key Usage: critical
>>         Certificate Sign, CRL Sign
>>     Netscape Cert Type:
>>         SSL CA
>>
>> >   Certificate:
>> >       Data:
>> >           Version: 3 (0x2)
>> >           Serial Number: 1 (0x1)
>> >           Signature Algorithm: sha1WithRSAEncryption
>> >           Issuer: O = Verint, C = US, CN = 192.168.1.200, L = Columbia,
>> OU = Verint
>> >           Validity
>> >               Not Before: Jul 21 20:51:12 2021 GMT
>> >               Not After : Jul 21 20:51:12 2022 GMT
>> >           Subject: O = Verint, C = US, CN = 192.168.1.200, L =
>> Columbia, OU = Verint
>> >           Subject Public Key Info:
>> >               Public Key Algorithm: rsaEncryption
>> >                   RSA Public-Key: (2048 bit)
>> >                   Modulus:
>> >                       00:b8:e8:bd:08:10:e4:d9:2d:77:52:33:8c:15:30:
>> >                       cf:89:a0:d4:bd:95:85:15:ba:54:37:8d:5b:17:e4:
>> >                       4d:3f:a3:fb:0c:08:ee:7e:30:eb:5d:93:fd:db:f3:
>> >                       51:85:60:91:66:04:e1:b2:55:fd:5a:cf:c1:7c:3a:
>> >                       3b:4c:30:af:67:b8:2f:21:7c:42:a4:86:8e:d3:a8:
>> >                       ea:b2:8e:22:f3:b7:08:90:ec:8f:7a:20:1a:ae:44:
>> >                       45:8c:db:2c:ee:20:d9:56:7a:8b:b9:d0:b9:0b:5b:
>> >                       ac:7b:e0:f4:53:29:b4:06:cb:5e:fd:cf:87:b7:5d:
>> >                       9f:bb:e7:71:33:27:f8:b4:01:d5:78:75:5e:99:e1:
>> >                       dc:7d:5b:12:78:12:d6:38:07:f5:73:3c:8e:9b:62:
>> >                       d6:ae:30:f5:8f:31:7e:42:81:2d:10:b4:6a:2c:33:
>> >                       7c:48:db:95:9c:af:a9:ca:8b:92:c2:93:93:59:7a:
>> >                       a0:a6:42:dd:72:e8:b8:21:d8:75:05:7a:8f:47:19:
>> >                       ca:3d:ae:89:a6:d3:87:fc:2a:02:c4:49:58:28:05:
>> >                       d5:d2:a9:fc:f5:06:40:1e:35:38:2e:33:f3:31:f2:
>> >                       c9:a8:16:6e:b9:0a:42:95:6e:de:1f:f7:3e:2d:c8:
>> >                       34:64:00:77:d4:cf:5c:3d:28:78:ce:60:bd:e5:90:
>> >                       09:a9
>> >                   Exponent: 65537 (0x10001)
>> >           X509v3 extensions:
>> >               X509v3 Basic Constraints: critical
>> >                   CA:TRUE
>> >               X509v3 Key Usage: critical
>> >                   Certificate Sign, CRL Sign
>> >               X509v3 Subject Key Identifier:
>> >
>>  A2:FF:95:62:C7:85:BC:1A:FE:D5:0B:F8:F7:A8:B1:B4:BF:29:8B:7D
>> >               Netscape Cert Type:
>> >                   SSL CA
>> >               Netscape Comment:
>> >                   example comment extension
>> >       Signature Algorithm: sha1WithRSAEncryption
>> >            73:f4:61:1c:f1:b7:d3:c4:e2:ae:b1:ea:1e:3f:b2:6b:bc:f3:
>> >            85:80:a1:0d:a8:06:7e:5a:bd:2b:fe:13:ce:4d:80:4d:c8:3d:
>> >            4a:95:f9:ee:9c:19:1d:6b:b4:57:79:72:d9:00:e7:d1:be:9c:
>> >            c3:4f:2d:77:93:71:45:87:8f:99:bd:35:43:95:1b:69:31:71:
>> >            f9:f4:ee:00:1f:cd:f7:f4:2e:b1:ae:e7:9c:8e:cb:ce:86:50:
>> >            d8:1b:4e:3c:11:77:63:55:09:74:4c:89:ce:34:ae:4e:75:80:
>> >            e8:9e:37:23:75:e2:eb:bf:27:f8:dc:07:9d:64:b3:96:01:84:
>> >            4a:62:23:c9:52:0f:92:e1:4a:3f:db:c7:b9:82:e9:8b:bb:89:
>> >            7f:6c:fc:90:da:e1:2b:e9:8f:a3:d2:8c:66:22:5a:4e:27:77:
>> >            f9:88:0e:7c:87:45:c4:56:4b:c8:fa:93:7c:18:3a:d5:cd:a3:
>> >            59:6e:e2:37:a6:45:57:e8:8f:1f:d6:65:b9:47:e4:5c:c0:83:
>> >            80:63:ac:2d:1d:6a:0f:95:62:00:18:b0:66:4f:b7:76:5a:1f:
>> >            f6:7c:27:f7:86:3e:8d:fc:1c:b0:d9:7c:60:44:61:e9:eb:ff:
>> >            95:b4:31:67:df:d1:ce:fc:91:3e:f3:64:fa:ca:c8:29:16:3b:
>> >            d4:ae:f4:0e
>> >   -----BEGIN CERTIFICATE-----
>> >   MIIDrjCCApagAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQ8wDQYDVQQKDAZWZXJp
>> >   bnQxCzAJBgNVBAYTAlVTMRYwFAYDVQQDDA0xOTIuMTY4LjEuMjAwMREwDwYDVQQH
>> >   DAhDb2x1bWJpYTEPMA0GA1UECwwGVmVyaW50MB4XDTIxMDcyMTIwNTExMloXDTIy
>> >   MDcyMTIwNTExMlowWjEPMA0GA1UECgwGVmVyaW50MQswCQYDVQQGEwJVUzEWMBQG
>> >   A1UEAwwNMTkyLjE2OC4xLjIwMDERMA8GA1UEBwwIQ29sdW1iaWExDzANBgNVBAsM
>> >   BlZlcmludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALjovQgQ5Nkt
>> >   d1IzjBUwz4mg1L2VhRW6VDeNWxfkTT+j+wwI7n4w612T/dvzUYVgkWYE4bJV/VrP
>> >   wXw6O0wwr2e4LyF8QqSGjtOo6rKOIvO3CJDsj3ogGq5ERYzbLO4g2VZ6i7nQuQtb
>> >   rHvg9FMptAbLXv3Ph7ddn7vncTMn+LQB1Xh1Xpnh3H1bEngS1jgH9XM8jpti1q4w
>> >   9Y8xfkKBLRC0aiwzfEjblZyvqcqLksKTk1l6oKZC3XLouCHYdQV6j0cZyj2uiabT
>> >   h/wqAsRJWCgF1dKp/PUGQB41OC4z8zHyyagWbrkKQpVu3h/3Pi3INGQAd9TPXD0o
>> >   eM5gveWQCakCAwEAAaN/MH0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
>> >   AQYwHQYDVR0OBBYEFKL/lWLHhbwa/tUL+PeosbS/KYt9MBEGCWCGSAGG+EIBAQQE
>> >   AwICBDAoBglghkgBhvhCAQ0EGxYZZXhhbXBsZSBjb21tZW50IGV4dGVuc2lvbjAN
>> >   BgkqhkiG9w0BAQUFAAOCAQEAc/RhHPG308TirrHqHj+ya7zzhYChDagGflq9K/4T
>> >   zk2ATcg9SpX57pwZHWu0V3ly2QDn0b6cw08td5NxRYePmb01Q5UbaTFx+fTuAB/N
>> >   9/Qusa7nnI7LzoZQ2BtOPBF3Y1UJdEyJzjSuTnWA6J43I3Xi678n+NwHnWSzlgGE
>> >   SmIjyVIPkuFKP9vHuYLpi7uJf2z8kNrhK+mPo9KMZiJaTid3+YgOfIdFxFZLyPqT
>> >   fBg61c2jWW7iN6ZFV+iPH9ZluUfkXMCDgGOsLR1qD5ViABiwZk+3dlof9nwn94Y+
>> >   jfwcsNl8YERh6ev/lbQxZ9/RzvyRPvNk+srIKRY71K70Dg==
>> >   -----END CERTIFICATE-----
>>
>> --
>>     Viktor.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210721/cc239fbd/attachment-0001.html>


More information about the openssl-users mailing list