Solved

Resolving SSL error "The certificate is not valid for the requested usage"

Posted on 2011-09-17
2
1,928 Views
Last Modified: 2012-05-12
I am trying to upgrade an existing system from using plain unencrypted sockets to use SSL. The server is a java socket listener program (not http) and the client is developed in WinDev. WinDev accesses the personal store and apparently does not allow exceptions to security.

For testing purposes, I acquired an SSL certificate from StartSSL. My java server keystore shows the keypair for me and 2 certificates from StartSSL. The windows client has the cert imported into the personal and the Trusted Root Certification area. Windev recognizes the certs.

When the client attempts to connect to the new SSL server, it generates the error "The certificate is not valid for the requested usage".  From what I can tell, this is related to its purpose.  The certificate purpose states

Proves your identity to a remote computer
Protects e-mail messages

For testing/development, the client and server are localhost.

So my question is, what does this error really mean when using my own SSL Server and SSL client ?  How can this be resolved ?

0
Comment
Question by:Sarge516
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 13

Assisted Solution

by:Hugh McCurdy
Hugh McCurdy earned 100 total points
ID: 36555384
0
 
LVL 27

Accepted Solution

by:
dpearson earned 400 total points
ID: 36555500
Found this explanation on http://technet.microsoft.com/en-us/library/bb331963.aspx

The second section sounds like it may apply to you?  Either that or you're triggering this in the initial SSL handshake.

This status message indicates that you must enable the certificate for use in the current application. For example, if you're trying to use this certificate for Domain Security, the certificate must be enabled for SMTP.

For more information about how to enable certificates, see Enable-ExchangeCertificate.

Alternatively, this status message may indicate that the certificate that you're using doesn't have the correct data in the Enhanced Key Usage field. All certificates that are used for TLS must contain a Server Authentication object identifier (also known as OID). If you're trying to use a certificate for TLS that doesn't contain a Server Authentication OID in the Enhanced Key Usage Field, you must create a new certificate.


Are you going to use a library to implement the SSL protocol over a raw socket?  If not I'd suggest finding one and starting with their sample code.

Another option is to start by implementing a simple HTTPS server (even though that's not your eventual goal) - e.g. using Jetty - and then once you have that working correctly, start removing parts until you take over the SSL communication yourself.

Doug
0

Featured Post

Enroll in June's Course of the Month

June's Course of the Month is now available! Every 10 seconds, a consumer gets hit with ransomware. Refresh your knowledge of ransomware best practices by enrolling in this month's complimentary course for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question