8

I was provided with a CA-signed server certificate, a chain certificate and a private key. From those, I created a keystore using OpenSSL and secured the web application (HTTPS configuration in server.xml). However, when I tried to access the web application via a browser (Firefox), it gave the error below.

Secure Connection Failed
Certificate key usage inadequate for attempted operation. Error code: SEC_ERROR_INADEQUATE_KEY_USAGE

The certificates were initially in ".crt" and I tried after converting them to ".cer" as well. Still, the error complains about something to do with "Key Usage". I ran the following command to check the certificate's key usage; the screenshot is attached.

```sh
openssl x509 -in ServerCertificate.cer -text -noout
```

[screenshot: openssl x509 -text output for the server certificate, showing its key usage]

Below is from the chain certificate:

[screenshot: key usage section of the chain certificate]

Your help in resolving this issue is highly appreciated. [PS: Before configuring the CA-signed certificates, I created self-signed certs and that configuration worked with no issue.]

Anuruddha
  • *"Certificate key usage inadequate for attempted operation"* - Which certificate did it fail on? CA, intermediate or server? Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Jun 08 '17 at 05:32
  • I think it is the server certificate. The keystore configuration in JBoss seems all fine. There are no errors shown in the log on server start-up. – Anuruddha Jun 08 '17 at 05:43
  • Without seeing the full certificate and the full chain, it's hard for us to tell. *KU* and *EKU* look OK on the end-entity/server certificate. There are other minor irregularities, but nothing that should cause a hard failure. Are you certain the server certificate is the problem? – jww Jun 08 '17 at 05:47
  • Do you have any idea how I can make sure the problem is with the server certificate? I did a modulus comparison of the server cert & private key. It matches. – Anuruddha Jun 08 '17 at 05:48
  • @jww, shouldn't "Certificate Signing" be included in key usage? It is included under KU in my previously used self-signed certificate. – Anuruddha Jun 08 '17 at 06:15
  • I have added the chain certificate KU to the main description. Can you please check? – Anuruddha Jun 08 '17 at 06:39
  • Please provide the entire certificate for each certificate in the chain. Start with the CA and finish with the end-entity certificate. Otherwise, reference the [CA/B Baseline Requirements](https://cabforum.org/baseline-requirements-documents/). The CA/B BR is what the browsers use for their PKI. Your certificates must conform if they are being consumed by browsers. – jww Jun 08 '17 at 06:58

3 Answers

12

Delete the cert9.db and cert_override.txt files from your Firefox profile.

ChAnDu353
  • Instructions on how to find this file: "You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder, or use the about:profiles page." – alanextar Nov 23 '20 at 17:17
  • Thanks - for me, it seems like those two files got corrupted somehow; deleting them forces Firefox to re-create them. – Scott Stevens Dec 04 '22 at 00:46
1

The issue with the keystore was that I had imported the intermediate CA certificates under different aliases. What I did was put all the certificates of the chain into one certificate file and execute the commands below. This fixed my problem.

```sh
openssl pkcs12 -export -name ALIAS -in "path to certificate bundle" -inkey "path to privkey" -out "keystore.p12"

keytool -importkeystore -srckeystore "keystore.p12" -srcstoretype pkcs12 -destkeystore "keystore.jks"
```
Anuruddha
0

I had the same issue with Thunderbird 78. I imported the profile from another computer where everything worked fine. Now, on the new one, the SMTP server caused the mentioned error. Pulling emails from IMAP was fine; just sending caused that error message. For me the solution was: close Thunderbird, rename the file cert9.db in the root profile folder, start Thunderbird again and, after getting a message about an untrusted cert, confirm an exception for that one. After that, sending emails over that SMTP server worked again.