Firefox SEC_ERROR_INADEQUATE_CERT_TYPE with NO Enhanced Key Usage

Tags: ssl, firefox, pki

I have spent my entire afternoon trying to create a CA that Firefox will work with, every attempt has worked with:

  • Microsoft Edge
  • Microsoft IE 11
  • Google Chrome 59
  • Opera 46
  • wget 1.17.1
  • curl 7.47.0

... but not Firefox 54.0.1 which just consistently throws SEC_ERROR_INADEQUATE_CERT_TYPE and refuses to talk to the server. I've removed the Enhanced Key Usage of All Application Policies from Root CA as per https://bugzilla.mozilla.org/show_bug.cgi?id=1049176, but it still doesn't work..... What am I missing? I'm out of ideas....

Latest attempt

Apologies for this massive section, but this is everything Windows will tell me about the current attempt to make this work; hopefully someone will spot what the issue is!!!

Root CA

  • Version: V3
  • Serial: 33 9c 48 f4 0a 2f fc 4e
  • Signature Algor.: sha256RSA
  • Signature Hash Algor.: sha256
  • Issuer: C=GB, O=Org Name Here, CN=Org Name Root CA
  • Valid From: 02 July 2017 19:38:24
  • Valid To: 02 July 2047 19:38:24
  • Subject: C=GB, O=Org Name Here, CN=Org Name Root CA
  • Public Key: RSA 2048-bit
  • Public Key Params: 05 00
  • Authority Key Identifier: KeyID=d3 f2 2f 78 c2 db 20 d7 63 72 fd d8 54 be 75 2c fe ef d3 3f
  • Certificate Policies: [1]Certificate Policy: Policy Identifier=1.3.6.1.4.1.[OrgPEN].1.1 [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://pki.orgname.fqdn/cps
  • Subject Key ID: d3 f2 2f 78 c2 db 20 d7 63 72 fd d8 54 be 75 2c fe ef d3 3f
  • Basic Constraints: Subject Type=CA Path Length Constraint=None

Issuing CA

  • Version: V3
  • Serial: 15 6c 30 6d d8 f1 eb b0
  • Signature Algor.: sha256RSA
  • Signature Hash Algor.: sha256
  • Issuer: C=GB, O=Org Name Here, CN=Org Name Root CA
  • Valid From: 02 July 2017 19:40:02
  • Valid To: 02 July 2027 19:40:02
  • Subject: C=GB, O=Org Name Here, CN=Org Name Issuing CA
  • Public Key: RSA 2048-bit
  • Public Key Params: 05 00
  • Authority Key Identifier: KeyID=d3 f2 2f 78 c2 db 20 d7 63 72 fd d8 54 be 75 2c fe ef d3 3f
  • Authority Information Access: [1]Authority Information Access Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2) Alternative Name: URL=http://pki.orgname.fqdn/aia/OrgName-RootCA.crt [2]Authority Information Access Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1) Alternative Name: URL=http://pki.orgname.fqdn/ocsp
  • Certificate Policies: [1]Certificate Policy: Policy Identifier=1.3.6.1.4.1.[OrgPEN].1.1 [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://pki.orgname.fqdn/cps
  • Enhanced Key Usage: Any Purpose (2.5.29.37.0)
  • CRL Distribution Points: [1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://pki.orgname.fqdn/cdp/OrgName-RootCA.crl CRL Issuer: Directory Address: C=GB O=Org Name Here CN=OrgName Root CA
  • Subject Key ID: 47 42 f0 e5 bb 39 76 9d ed 94 ca a6 b6 50 fb 24 37 19 a0 3a
  • Basic Constraints: Subject Type=CA Path Length Constraint=None
  • Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing (06)

Test Web Server Certificate

  • Version: V3
  • Serial: 50 f6 be 8d ab db df 21
  • Signature Algor.: sha256RSA
  • Signature Hash Algor.: sha256
  • Issuer: C=GB, O=Org Name Here, CN=Org Name Root CA
  • Valid From: 02 July 2017 19:48:11
  • Valid To: 02 July 2019 19:48:11
  • Subject: C=GB, O=Org Name Here, CN=servername.orgname.fqdn
  • Public Key: RSA 2048-bit
  • Public Key Params: 05 00
  • Authority Key Identifier: KeyID=47 42 f0 e5 bb 39 76 9d ed 94 ca a6 b6 50 fb 24 37 19 a0 3a
  • Authority Information Access: [1]Authority Information Access Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2) Alternative Name: URL=http://pki.orgname.fqdn/aia/OrgName-IssuingCA.crt [2]Authority Information Access Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1) Alternative Name: URL=http://pki.orgname.fqdn/ocsp
  • Freshest CRL: [1]Freshest CRL Distribution Point Name: Full Name: URL=http://pki.orgname.fqdn/cdp/OrgName-IssuingCA-Delta.crl
  • Subject Alt Names: DNS Name=servername.orgname.fqdn DNS Name=freindlyname.orgname.fqdn IP Address=192.0.2.4 IP Address=2001:DB8:1234:4321:0000:0000:0000:1234
  • Certificate Policies: [1]Certificate Policy: Policy Identifier=1.3.6.1.4.1.[OrgPEN].1.1 [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://pki.orgname.fqdn/cps
  • Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
  • CRL Distribution Points: [1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://pki.orgname.fqdn/cdp/OrgName-IssuingCA.crl CRL Issuer: Directory Address: C=GB O=Org Name Here CN=OrgName Root CA
  • Subject Key ID: b9 50 13 7d bc eb dd 92 b9 03 b7 86 e0 00 dc f7 2f ea 56 20
  • Basic Constraints: Subject Type=End Entity Path Length Constraint=None
  • Key Usage: Digital Signature, Key Encipherment (a0)

Why is it always Firefox that causes problems??? Even Edge works.....

Joe P asked Nov 08 '22 20:11



1 Answer

I have found the issue: I had accidentally included the Authority Key Identifier extension on the Root CA, which upset Firefox, presumably as it pointed to itself. All the other browsers must have spotted it shouldn't be there and ignored it!

Joe P answered Nov 15 '22 09:11
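An added example, not from the original question or answer: a POSIX shell script that builds a self-signed root CA the way the answer ends up with (Subject Key Identifier present, no Authority Key Identifier, no Extended Key Usage) and then checks with openssl that those extensions really are absent. It assumes the openssl CLI is on PATH; the config layout and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: mint a self-signed root CA with a
# Subject Key Identifier but no Authority Key Identifier and no Extended Key Usage,
# then inspect the result with openssl. Assumes the openssl CLI (1.1 or 3.x) is on PATH.
set -eu

# Write a minimal config and self-sign the root. OpenSSL 3 adds an AKI to
# self-signed certificates by default, so it has to be suppressed explicitly there.
make_root_ca() {
  aki_line=""
  case "$(openssl version)" in
    "OpenSSL 3"*) aki_line="authorityKeyIdentifier = none" ;;
  esac
  cat > "$1/root.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = root_ext
[ dn ]
C  = GB
O  = Org Name Here
CN = Org Name Root CA
[ root_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
$aki_line
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/root.cnf" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

# Print yes/no for whether the certificate carries the named X509v3 extension.
has_extension() {
  if openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:"; then
    echo yes; else echo no; fi
}

# Succeeds only when the root has the shape the answer arrived at: SKI, no AKI, no EKU.
check_root() {
  [ "$(has_extension "$1" 'Subject Key Identifier')" = yes ] &&
  [ "$(has_extension "$1" 'Authority Key Identifier')" = no ] &&
  [ "$(has_extension "$1" 'Extended Key Usage')" = no ]
}

WORK=$(mktemp -d)
make_root_ca "$WORK"
check_root "$WORK/root.crt" && echo "root CA has SKI, no AKI, no EKU"
```

The same has_extension check, pointed at the issuing CA, will flag the "Any Purpose" Extended Key Usage shown in the question.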