I am facing the same issue: client authentication works with IE but not with NSS/FF/Mozilla:
 
"Could not establish an encrypted connection because certificate presented by <server> is invalid or corrupted. Error code: 8102"
 
Could anyone please tell me how to change the extension of the server cert to include "Key encipherment" for KeyUsage? When creating the server cert I did not see any options to modify the attribute.
We have set up the CA using Entrust and are using IIS 6.0 as the web server.
Please help, very new to CA/SSL security.
 
Regards,
Vivek
 
 
 
Simon Coffey wrote:
> I am looking into a problem that occurs with SSL certificates, when
> using Mozilla based browsers (actually, anything other than IE I think)
> and an SSL reverse proxy that is part of a firewall I support.

> Mozilla rejects the certificate offered as "invalid or corrupt".

> Full error: Could not establish an encrypted connection because
> certificate presented by <server> is invalid or corrupted. Error code:
> -8102.

> The firewall supplier doesn't seem to be that bothered about fixing this.
> I thought I'd see if I couldn't identify exactly what is the problem
> and point this out to the supplier, perhaps then they might fix it.

> So, I don't know that much about SSL certs.  I was wondering whether
> anyone could take a look at the packet trace attached and suggest why
> Mozilla rejects the cert?


Nelson B wrote:

>I surely wish that Mozilla's security error messages would all display
>a readable and meaningful error message instead of a number.

>I didn't look at your packet trace, but I believe error -8102
>SEC_ERROR_INADEQUATE_KEY_USAGE means that either the SSL server cert itself
>or one of the issuing certificate authority (CA) certs in the "cert chain"
>for that server certificate has a "usage extension" that limits the purposes
>for which the cert can be used, and the allowed set of purposes (or "usages")
>doesn't include the purpose necessary to be an SSL server, or a CA for an SSL
>server (if it was a CA cert).  

>For an SSL server, the cert needs to be allowed "key encipherment" usage
>(assuming the public key is an RSA public key).  For a CA for an SSL server,
>the cert needs to be allowed "certificate signing" usage.  The certificate
>authority that issued the certificate controls those extensions, I believe,
>and if that party says that the cert isn't good for a certain purpose,
>Mozilla honors that.  Honoring certificate extensions is what PKI security
>software that handles certificates is expected to do, if I'm not mistaken.  
>Perhaps not all browsers do that though.  :)

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
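
The usage rule Nelson describes above, as an added example that is not part of the original thread: it decodes the DER BIT STRING carried in a certificate's KeyUsage extension (OID 2.5.29.15) and reports which required usage is missing. The function names, the role labels and the three sample byte strings are constructed for illustration; the input is assumed to be the extension's inner BIT STRING, already extracted from the certificate.

```python
# Added example: decode a KeyUsage extension value and apply the rule from
# the thread (RSA SSL server -> keyEncipherment, CA -> keyCertSign).

# Named bits from RFC 5280 section 4.2.1.3; bit 0 is the MOST significant bit.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Hypothetical role labels for the two cases named in the thread.
REQUIRED = {"rsa-server": "keyEncipherment", "ca": "keyCertSign"}


def decode_key_usage(der: bytes) -> set:
    """Return the usage names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or not payload:
        raise ValueError("bad unused-bits count or empty bit string")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit = divmod(i, 8)
        if byte_index < len(payload) and payload[byte_index] & (0x80 >> bit):
            usages.add(name)
    return usages


def missing_usage(der: bytes, role: str):
    """Return the usage the role needs but the cert lacks, or None if present."""
    required = REQUIRED[role]
    return None if required in decode_key_usage(der) else required


# Constructed sample values (not taken from any certificate in this thread).
SIGN_ONLY = bytes.fromhex("03020780")   # digitalSignature only
SERVER_OK = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
CA_OK = bytes.fromhex("03020106")       # keyCertSign + cRLSign

if __name__ == "__main__":
    for label, der in [("sign-only", SIGN_ONLY), ("server", SERVER_OK), ("ca", CA_OK)]:
        print(label, sorted(decode_key_usage(der)),
              "rsa-server missing:", missing_usage(der, "rsa-server"),
              "| ca missing:", missing_usage(der, "ca"))
```
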
