<p>The standard normally used to validate a certificate is <a href="http://tools.ietf.org/html/rfc5280" rel="nofollow">RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>. Certificates can have (at least) two extensions about their usage: <a href="http://tools.ietf.org/html/rfc5280#section-4.2.1.3" rel="nofollow">Key Usage</a> and <a href="http://tools.ietf.org/html/rfc5280#section-4.2.1.12" rel="nofollow">Extended Key Usage</a>.</p>
<ul>
<li>Key Usage</li>
</ul>
<p>The Key Usage extension doesn't talk specifically about client certificates. However, if this extension is present, the <code>digitalSignature</code> flag must be set, since during the SSL/TLS handshake, the <code>CertificateVerify</code> TLS message is signed with the private key for this certificate. This is required according to this section of RFC 5280:</p>
<blockquote>
<p>The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates (bit 5) and CRLs (bit 6), such as those used in an entity authentication service, a data origin authentication service, and/or an integrity service.</p>
</blockquote>
<p>(Most cipher suites will require <code>keyAgreement</code> too.)</p>
<ul>
<li>Extended Key Usage</li>
</ul>
<p>This one is more specific about client certificates (if the extension is present, which is recommended but not always the case):</p>
<blockquote>
<pre><code>id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
-- TLS WWW client authentication
-- Key usage bits that may be consistent: digitalSignature
-- and/or keyAgreement
</code></pre>
</blockquote>
<p>You can find more details about this in <a href="http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html" rel="nofollow">this NSS technical note</a> (this should apply across other products).</p>
<p>When you get "<em>security: KeyUsage does not allow digital signatures</em>", it seems to indicate that the (non-extended) Key Usage is present in the certificate you're trying to use as a client certificate, but that <code>digitalSignature</code> isn't enabled. (That's something that the CA that issued these certificates should have done.)</p>
<p>This is not related to the applet. However, it's possible that the URL of the applet itself is protected with client-certificate authentication, which would fail because of these extensions.</p>
<p>On the server side, since you're running this behind IIS, it's IIS that handles the TLS/SSL certificate verification. Apache Tomcat shouldn't really care about where it got the certificate from. (In Java, you'd be able to tweak the way you verify the certificate by configuring custom <code>TrustManager</code>s, but that would only apply if Java (JSSE) was handling the SSL/TLS connection itself; it doesn't apply when Tomcat is behind IIS, Apache Httpd or even when it uses APR.) I'm not sure how to configure this with IIS, but there is an option in <a href="http://technet.microsoft.com/en-us/library/cc725882%28WS.10%29.aspx#BKMK_2" rel="nofollow">netsh http add sslcert</a> called <code>[ usagecheck= ] enable | disable</code>, which sounds like it could help. It might be too lenient, though. (Use with caution.)</p>
<p>This being said, it seems that you get the error on the client side, before the certificate is even sent. I must admit I haven't tried, but you might be able to use a specific <code>KeyManager</code> that would force the use of that certificate. I'm not entirely sure whether this would work.</p>
<p>Just as a side note, signing an applet is a different matter. To sign an applet, the certificate needs to have the Extended Key Usage for <em>anyExtendedKeyUsage</em> or for <em>id-kp-codeSigning</em>. (Signing will work otherwise, but running the applet won't.) You can find more information here: <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5056088" rel="nofollow">http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5056088</a></p>
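The check the answer describes (Key Usage must carry <code>digitalSignature</code>, and an Extended Key Usage, if present, must list <code>id-kp-clientAuth</code> or <code>anyExtendedKeyUsage</code>) can be reproduced on the raw DER value of the two extensions. The following Python is an added example written for this page, not code from the answer, the NSS note or any TLS stack: it contains a minimal DER decoder for a BIT STRING and a SEQUENCE OF OBJECT IDENTIFIER (enough for these two extensions, not a general X.509 parser), and the sample extension values are constructed inline for illustration. The function names are my own.

```python
"""Decode X.509 KeyUsage / ExtendedKeyUsage extension values (DER) and report
why a certificate would be rejected for TLS client authentication.
Added example; the DER decoder covers only the two shapes these extensions use."""

# Bit positions from RFC 5280 section 4.2.1.3 (bit 0 is the most significant bit).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp 2, TLS WWW client authentication
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # id-ce-extKeyUsage 0


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der):
    """Return the set of KeyUsage flag names asserted in a DER BIT STRING."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage extension value must be a BIT STRING")
    unused_bits = body[0]          # first octet: number of padding bits at the end
    bits = body[1:]
    usable = len(bits) * 8 - unused_bits
    flags = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit_index = divmod(i, 8)
        if i < usable and bits[byte_index] & (0x80 >> bit_index):
            flags.add(name)
    return flags


def _decode_oid(body):
    """Dotted-string form of a DER OBJECT IDENTIFIER body (first arc 0, 1 or 2)."""
    arcs = [body[0] // 40, body[0] % 40]   # sufficient for the OIDs handled here
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of purpose OIDs from a DER ExtendedKeyUsage SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        inner_tag, inner_body, pos = _read_tlv(body, pos)
        if inner_tag != 0x06:
            raise ValueError("ExtendedKeyUsage may only contain OBJECT IDENTIFIERs")
        oids.append(_decode_oid(inner_body))
    return oids


def client_auth_problems(key_usage_der=None, eku_der=None):
    """List the reasons a certificate is unsuitable as a TLS client certificate.
    Either extension may be absent (None); an absent extension imposes no limit."""
    problems = []
    if key_usage_der is not None:
        if "digitalSignature" not in decode_key_usage(key_usage_der):
            problems.append("KeyUsage does not allow digital signatures")
    if eku_der is not None:
        purposes = decode_eku(eku_der)
        if ID_KP_CLIENT_AUTH not in purposes and ANY_EXTENDED_KEY_USAGE not in purposes:
            problems.append("ExtendedKeyUsage lacks id-kp-clientAuth")
    return problems


# Constructed sample extension values (DER), not taken from any real certificate.
KU_DS_KA = bytes.fromhex("03020388")       # digitalSignature + keyAgreement
KU_KE_ONLY = bytes.fromhex("03020520")     # keyEncipherment only (the failing case)
EKU_CLIENT = bytes.fromhex("300a06082b06010505070302")   # id-kp-clientAuth
EKU_SERVER = bytes.fromhex("300a06082b06010505070301")   # id-kp-serverAuth only
EKU_ANY = bytes.fromhex("30060604551d2500")              # anyExtendedKeyUsage

if __name__ == "__main__":
    for label, ku, eku in [("good client cert", KU_DS_KA, EKU_CLIENT),
                           ("keyEncipherment only", KU_KE_ONLY, EKU_CLIENT),
                           ("server-only EKU", KU_DS_KA, EKU_SERVER)]:
        print(label, "->", client_auth_problems(ku, eku) or "ok")
```

The second sample reproduces the situation in the question: Key Usage is present but only <code>keyEncipherment</code> is set, so the certificate cannot sign <code>CertificateVerify</code> and the check returns exactly the "does not allow digital signatures" complaint. With a real certificate you would feed the function the raw extension values (the <code>extnValue</code> octets) of OIDs 2.5.29.15 and 2.5.29.37 respectively.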