Solved

Resolving SSL error "The certificate is not valid for the requested usage"

Posted on 2011-09-17
2
1,678 Views
Last Modified: 2012-05-12
I am trying to upgrade an existing system from using plain unencrypted sockets to use SSL. The server is a java socket listener program (not http) and the client is developed in WinDev. WinDev accesses the personal store and apparently does not allow exceptions to security.

For testing purposes, I acquired an SSL certificate from StartSSL. My java server keystore shows the keypair for me and 2 certificates from StartSSL. The windows client has the cert imported into the personal and the Trusted Root Certification area. Windev recognizes the certs.

When the client attempts to connect to the new SSL server, it generates the error "The certificate is not valid for the requested usage".  From what I can tell, this is related to its purpose.  The certificate purpose states

Proves your identity to a remote computer
Protects e-mail messages

For testing/development, the client and server are localhost.

So my question is, what does this error really mean when using my own SSL Server and SSL client ?  How can this be resolved ?

0
Comment
Question by:Sarge516
2 Comments
 
LVL 13

Assisted Solution

by:Hugh McCurdy
Hugh McCurdy earned 100 total points
Comment Utility
0
 
LVL 26

Accepted Solution

by:
dpearson earned 400 total points
Comment Utility
Found this explanation on http://technet.microsoft.com/en-us/library/bb331963.aspx

The second section sounds like it may apply to you?  Either that or you're triggering this in the initial SSL handshake.

This status message indicates that you must enable the certificate for use in the current application. For example, if you're trying to use this certificate for Domain Security, the certificate must be enabled for SMTP.

For more information about how to enable certificates, see Enable-ExchangeCertificate.

Alternatively, this status message may indicate that the certificate that you're using doesn't have the correct data in the Enhanced Key Usage field. All certificates that are used for TLS must contain a Server Authentication object identifier (also known as OID). If you're trying to use a certificate for TLS that doesn't contain a Server Authentication OID in the Enhanced Key Usage Field, you must create a new certificate.


Are you going to use a library to implement the SSL protocol over a raw socket?  If not I'd suggest finding one and starting with their sample code.

Another option is to start by implementing a simple HTTPS server (even though that's not your eventual goal) - e.g. using Jetty - and then once you have that working correctly, start removing parts until you take over the SSL communication yourself.

Doug
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
This tutorial will introduce the viewer to VisualVM for the Java platform application. This video explains an example program and covers the Overview, Monitor, and Heap Dump tabs.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now