• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2490
  • Last Modified:

Resolving SSL error "The certificate is not valid for the requested usage"

I am trying to upgrade an existing system from using plain unencrypted sockets to use SSL. The server is a java socket listener program (not http) and the client is developed in WinDev. WinDev accesses the personal store and apparently does not allow exceptions to security.

For testing purposes, I acquired an SSL certificate from StartSSL. My java server keystore shows the keypair for me and 2 certificates from StartSSL. The windows client has the cert imported into the personal and the Trusted Root Certification area. Windev recognizes the certs.

When the client attempts to connect to the new SSL server, it generates the error "The certificate is not valid for the requested usage".  From what I can tell, this is related to its purpose.  The certificate purpose states

Proves your identity to a remote computer
Protects e-mail messages

For testing/development, the client and server are localhost.

So my question is, what does this error really mean when using my own SSL Server and SSL client ?  How can this be resolved ?

0
Sarge516
Asked:
Sarge516
2 Solutions
 
dpearsonCommented:
Found this explanation on http://technet.microsoft.com/en-us/library/bb331963.aspx

The second section sounds like it may apply to you?  Either that or you're triggering this in the initial SSL handshake.

This status message indicates that you must enable the certificate for use in the current application. For example, if you're trying to use this certificate for Domain Security, the certificate must be enabled for SMTP.

For more information about how to enable certificates, see Enable-ExchangeCertificate.

Alternatively, this status message may indicate that the certificate that you're using doesn't have the correct data in the Enhanced Key Usage field. All certificates that are used for TLS must contain a Server Authentication object identifier (also known as OID). If you're trying to use a certificate for TLS that doesn't contain a Server Authentication OID in the Enhanced Key Usage Field, you must create a new certificate.


Are you going to use a library to implement the SSL protocol over a raw socket?  If not I'd suggest finding one and starting with their sample code.

Another option is to start by implementing a simple HTTPS server (even though that's not your eventual goal) - e.g. using Jetty - and then once you have that working correctly, start removing parts until you take over the SSL communication yourself.

Doug
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now