Apache SSL Certificate configuration - sec_error_inadequate_cert_type

Question

I think i messed up a little with my SSL certificates. We are using SSL Certificates for all OpenVPN clients (witch works perfectly), generated using the easy-rsa toolkit.

And now i want to use the same certificates for Web servers on the OpenVPN hosts

All Keys are 4096 bit long.

My idea is that mybe the Usage purpose is wrong for apache, but i am not quite sure.

root@howard~# openssl x509 -in howard.example.com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, ST=STMK, L=Graz, O=Bee Company, OU=Root CA, CN=example.com/name=rootca/emailAddress=root@bee.example.com
        Validity
            Not Before: Aug 13 12:36:41 2013 GMT
            Not After : Aug 11 12:36:41 2023 GMT
        Subject: C=AT, ST=STMK, L=Graz, O=example.com.at, OU=changeme, CN=howard.example.com/name=howard.example.com/emailAddress=root@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    NOTHING_TO_READ_HERE :)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                NOTHING_TO_READ_HERE :)
            X509v3 Authority Key Identifier:
                keyid:NOTHING_TO_READ_HERE :)
                DirName:/C=AT/ST=STMK/L=Graz/O=Bee Company/OU=Root CA/CN=example.com/name=rootca/emailAddress=root@bee.example.com
                serial:NOTHING_TO_READ_HERE :)

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption

I have no idea how to change/add the purpose of a key when i am generating it with the easy-rsa toolkit.

All i do when generating a new OpenVPN certificate:

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
vi vars
. ./vars
./build-key CLIENTNAME

And inside the vars file i couldn't find anything.

But Firefox is returning an

sec_error_inadequate_cert_type

Microsoft's IE just prompts me over and over again if I really trust this certificate...

Any ideas on what i did wrong, or what i need to do?

My idea would be that apache cant handle 4096 bit Keys...

Answer 1

I have run into the same issue but by fooling around with the openssl.config included in OpenVPN easyrsa I have found that you can use the ./build-key-server script (sorry If I am not accurate but I am using OpenVPN over Windows) works like a charm :)

Answer 2

Actually, you can do this with easy-rsa - just use build-key-server rather than build-key

Answer 3

Your key usage and extended key usages are clearly not for a TLS server:

        X509v3 Extended Key Usage:
            TLS Web Client Authentication
        X509v3 Key Usage:
            Digital Signature

For a web server you'd obviously want the "TLS Web Server Authentication" extended key usage.

For the key usage, it's less obvious, but you'd want the Key Encipherment too.

More details:

• NSS Tech Note 3
• These questions on Security.SE: Extensions for SSL server certificate and Which key usages are required by each key exchange method?