Solved

Resolving SSL error "The certificate is not valid for the requested usage"

Posted on 2011-09-17
2
1,789 Views
Last Modified: 2012-05-12
I am trying to upgrade an existing system from using plain unencrypted sockets to use SSL. The server is a java socket listener program (not http) and the client is developed in WinDev. WinDev accesses the personal store and apparently does not allow exceptions to security.

For testing purposes, I acquired an SSL certificate from StartSSL. My java server keystore shows the keypair for me and 2 certificates from StartSSL. The windows client has the cert imported into the personal and the Trusted Root Certification area. Windev recognizes the certs.

When the client attempts to connect to the new SSL server, it generates the error "The certificate is not valid for the requested usage".  From what I can tell, this is related to its purpose.  The certificate purpose states

Proves your identity to a remote computer
Protects e-mail messages

For testing/development, the client and server are localhost.

So my question is, what does this error really mean when using my own SSL Server and SSL client ?  How can this be resolved ?

0
Comment
Question by:Sarge516
2 Comments
 
LVL 13

Assisted Solution

by:Hugh McCurdy
Hugh McCurdy earned 100 total points
ID: 36555384
0
 
LVL 27

Accepted Solution

by:
dpearson earned 400 total points
ID: 36555500
Found this explanation on http://technet.microsoft.com/en-us/library/bb331963.aspx

The second section sounds like it may apply to you?  Either that or you're triggering this in the initial SSL handshake.

This status message indicates that you must enable the certificate for use in the current application. For example, if you're trying to use this certificate for Domain Security, the certificate must be enabled for SMTP.

For more information about how to enable certificates, see Enable-ExchangeCertificate.

Alternatively, this status message may indicate that the certificate that you're using doesn't have the correct data in the Enhanced Key Usage field. All certificates that are used for TLS must contain a Server Authentication object identifier (also known as OID). If you're trying to use a certificate for TLS that doesn't contain a Server Authentication OID in the Enhanced Key Usage Field, you must create a new certificate.


Are you going to use a library to implement the SSL protocol over a raw socket?  If not I'd suggest finding one and starting with their sample code.

Another option is to start by implementing a simple HTTPS server (even though that's not your eventual goal) - e.g. using Jetty - and then once you have that working correctly, start removing parts until you take over the SSL communication yourself.

Doug
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Viewers will learn one way to get user input in Java. Introduce the Scanner object: Declare the variable that stores the user input: An example prompting the user for input: Methods you need to invoke in order to properly get  user input:
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question