Openssl invalid_purpose

Tags:

openssl

What certificate fields are looked at when OpenSSL generates invalid_purpose?

I am generating the certificates using OpenSSL.

First I generate a master certificate, followed by a client certificate. Now when I try to connect with the server, it generates Invalid_Purpose.

Habib asked Aug 09 '12 13:08


2 Answers

There's an extension keyUsage which specifies what can be done with the certificate. Note that some programs do not use this field.

From the X509 documentation:

X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
    the supplied certificate cannot be used for the specified purpose.

The man page x509v3_config(5) lists the possible values for this parameter and also for another called extendedKeyUsage:

Key Usage.
    Key usage is a multi valued extension consisting of a list of names of
    the permitted key usages.

    The supported names are: digitalSignature, nonRepudiation,
    keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
    encipherOnly and decipherOnly.

    Examples:
     keyUsage=digitalSignature, nonRepudiation
     keyUsage=critical, keyCertSign 

Extended Key Usage.
    This extension consists of a list of usages indicating purposes for
    which the certificate public key can be used.

    These can either be object short names or the dotted numerical form of
    OIDs. While any OID can be used, only certain values make sense. In
    particular the following PKIX, NS and MS values are meaningful:

     Value                  Meaning
     -----                  -------
     serverAuth             SSL/TLS Web Server Authentication.
     clientAuth             SSL/TLS Web Client Authentication.
     codeSigning            Code signing.
     emailProtection        E-mail Protection (S/MIME).
     timeStamping           Trusted Timestamping
     msCodeInd              Microsoft Individual Code Signing (authenticode)
     msCodeCom              Microsoft Commercial Code Signing (authenticode)
     msCTLSign              Microsoft Trust List Signing
     msSGC                  Microsoft Server Gated Crypto
     msEFS                  Microsoft Encrypted File System
     nsSGC                  Netscape Server Gated Crypto

    Examples:
     extendedKeyUsage=critical,codeSigning,1.2.3.4
     extendedKeyUsage=nsSGC,msSGC
Edu answered Sep 27 '22 21:09


At the nuts and bolts level, the openssl.cnf values you used probably had some other kind of usage, like email. This is why they were invalid for the server connection you were trying to make.

Check your openssl.cnf contents, and look at the samples delivered in the OpenSSL sources for something likely to work with a stock TLS web server connecting to a conventional web browser.

rsgmodelworks answered Sep 27 '22 23:09
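The two answers above say the same thing from different ends: the error comes from keyUsage/extendedKeyUsage, and the fix is the extension profile in openssl.cnf. The following script is an added example (not from either answer) that reproduces both halves offline: it builds a throwaway CA and two leaf certificates, one with extendedKeyUsage=emailProtection and one with serverAuth/clientAuth, then runs `openssl verify -purpose ...`, which applies the same purpose check a TLS peer does. It assumes `openssl` 1.1.1 or 3.x is on PATH; all file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes `openssl` (1.1.1 or
# 3.x) is on PATH. The email cert fails `-purpose sslserver` with
# "unsupported certificate purpose" (X509_V_ERR_INVALID_PURPOSE) but passes
# `-purpose smimesign`; the tls cert passes sslserver and sslclient.
set -e
WORK=$(mktemp -d)

# Minimal req config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Extension profiles, written exactly as they would appear in openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > "$WORK/email.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/tls.ext"

# new_csr NAME CN: fresh RSA key plus CSR for NAME (constructed test subject).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# build_pki: self-signed CA, then the two leaf certs signed by it.
build_pki() {
  new_csr ca "Example Test CA"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
  for name in email tls; do
    new_csr "$name" "example.test"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  done
}

# check_purpose NAME PURPOSE: prints openssl's verdict; exit status is 0 only
# if the chain is valid for that purpose (sslserver, sslclient, smimesign, ...).
check_purpose() {
  openssl verify -purpose "$2" -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1
}

build_pki
check_purpose tls sslserver            # prints ... OK
check_purpose email sslserver || true  # prints error 26 ... unsupported certificate purpose
```

Run the failing check with `-purpose sslclient` instead of `sslserver` to see the same error for a client certificate, which is the case in the question.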