Personal CA signed certificate for IIS giving "This Certificate is not valid for the selected purpose" error

Question

I created a CA using OpenSSL and used it to sign a certificate for my localhost, and also a secondary DNS entry on my localhost, preview-localhost. I have installed the CA cert into the Trusted Root Certificate on my machine, and added my localhost certificate to IIS. When I view the signed localhost certificate, I see these errors:

The installed CA cert says that it is intended for all issuance and application policies on its viewer. I have included the output for both certificates from OpenSSL. I have replaced any sensitive (and some insensitive information) with <description text>.

CA Certificate

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Serial Number
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 16:17:41 2015 GMT
        Not After : Apr 24 16:17:41 2025 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            <Subject Key Identifier>
        X509v3 Authority Key Identifier:
            keyid:<keyid>
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

Local host certificate

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Some Serial Number>
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 18:09:18 2015 GMT
        Not After : Apr 26 18:09:18 2016 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
CN=localhost/emailAddress=<Email Address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            <SKI>
        X509v3 Authority Key Identifier:
            keyid:<KEY ID>

        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

Any help figuring out why my localhost certificate can't follow the path to the CA would be very much appreciated. THANK YOU!

Answer 1

You probably need to specify the following keyUsage in the X509_extensions section of your openssl.cnf when creating your CA:

keyUsage = keyCertSign, cRLSign

For clarification, your config file should contain the following:

[ CA_default]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

See How do you sign Certificate Signing Request with your Certification Authority? for a very detailed explanation of the process.