1044269 - sec_error_inadequate_key_usage error triggered by server cert with Certificate Sign among its key usages

Status: RESOLVED INVALID

(Core :: Security: PSM, defect)

Description

[Steven Michaud [:smichaud] (Retired)]

I get this error in recent mozilla-central nightlies visiting a local site in the "private" domain (the site has a private IP address, and is "www.bagend.private").

Neither the CA cert nor the server cert (for www.bagend.private) are expired, and (as best I can tell) both are perfectly well-formed.  (I'll attach their public certs later.)  I tested with a fresh profile, after having imported the CA's public key into Firefox's list of "Authorities" and trusting it fully (for all three purposes).

Comment 1

[Steven Michaud [:smichaud] (Retired)]

Attachment: CA public cert

Comment 2

[Steven Michaud [:smichaud] (Retired)]

Attachment: Server public cert

Comment 3

[Steven Michaud [:smichaud] (Retired)]

In case it's relevant:

My server is running the version of Apache that comes bundled with OS X 10.7 Server.  It seems properly configured, and works fine with other browsers (e.g. Safari and Chrome) and earlier versions of Firefox.

Comment 4

[Camilo Viecco (:cviecco)]

First 10,000 view. The server cert is asserting: Certificate Sign in its Key Usages. I am almost certain that this is now considered invalid for end-entities (as a precaution)

Comment 5

[Steven Michaud [:smichaud] (Retired)]

Actually this also happens with FF 31.  But not with FF 30.

Comment 6

[Steven Michaud [:smichaud] (Retired)]

> The server cert is asserting: Certificate Sign in its Key Usages.

OK, I'll try changing that and see what happens.  (I'm using openssl utilities to run what I call a "poor man's CA".  That gives me full control over the characteristics of the certs I create.)

Comment 7

[Steven Michaud [:smichaud] (Retired)]

I tried your suggestion and it worked like a charm.  Thanks!

A more informative error message would have helped, though.