Certificate does not support digital signatures error "KeyUsage does not allow digital signatures"



Article ID: 386739


Products

CA Directory CA Identity Manager CA Identity Suite CA Identity Portal Advanced Authentication Mainframe

Issue/Introduction

When enabling TLS for the connection to the CA Directory LDAP server, the connection failed because the server certificate does not permit its key to be used for digital signatures.

How can we determine the requirements/attributes that an SSL certificate needs in order to function correctly?

In the log we see:

ERROR [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] (http-0.0.0.0:8080-1) Failed to verify server certificate chain: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures

Environment

CA Directory 14.1.X

Resolution

Depending on the TLS and Java versions in use and which RFC they adhere to, you need to make sure that the certificates used have the KeyUsage bit digitalSignature enabled. The TLS server authenticates itself by signing handshake data with the certificate's key, and the Java validator rejects a certificate whose KeyUsage extension is present but does not assert digitalSignature.

Additional Information

The overall process of certificate validation, as well as the SSL/TLS handshake itself, is handled by the JVM, i.e. the Java runtime used by the application server, for example the one running Identity Manager or Advanced Authentication.

For a bit of context:

https://www.rfc-editor.org/rfc/rfc5280

4.2.1.3.  Key Usage

   The key usage extension defines the purpose (e.g., encipherment,
   signature, certificate signing) of the key contained in the
   certificate.  The usage restriction might be employed when a key that
   could be used for more than one operation is to be restricted.  For
   example, when an RSA key should be used only to verify signatures on
   objects other than public key certificates and CRLs, the
   digitalSignature and/or nonRepudiation bits would be asserted.
   Likewise, when an RSA key should be used only for key management, the
   keyEncipherment bit would be asserted.

   Conforming CAs MUST include this extension in certificates that
   contain public keys that are used to validate digital signatures on
   other public key certificates or CRLs.  When present, conforming CAs
   SHOULD mark this extension as critical.

      id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

      KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1), -- recent editions of X.509 have
                                -- renamed this bit to contentCommitment
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

   Bits in the KeyUsage type are used as follows:

      The digitalSignature bit is asserted when the subject public key
      is used for verifying digital signatures, other than signatures on
      certificates (bit 5) and CRLs (bit 6), such as those used in an
      entity authentication service, a data origin authentication
      service, and/or an integrity service.
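The following is an added example, not part of the original article or of any CA product code. It decodes the KeyUsage extension value (the DER BIT STRING defined in the RFC excerpt above) into the named bits, and checks for the digitalSignature bit that the Resolution section says the certificate must assert; it also encodes a bit list back to DER so the expected byte layout can be compared against what a certificate tool emits. The hex strings are constructed sample values, not bytes taken from a real certificate. Note the RFC numbering: bit 0 (digitalSignature) is the most significant bit of the first content byte, and the byte after the length is the count of unused trailing bits.

```python
"""Decode and encode the X.509 KeyUsage extension value (RFC 5280 4.2.1.3).

The value is a DER BIT STRING:  03 <len> <unused-bits> <bit bytes...>
Bit 0 of the named bit list is the most significant bit of the first
bit byte. Added example code with constructed sample values."""

# Bit names in RFC 5280 order (index == bit number).
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1, renamed contentCommitment in newer X.509
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage bit names asserted in a DER BIT STRING.

    Only the short definite-length form is accepted; a KeyUsage value
    never needs more than two content bytes, so that is all DER allows."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    bit_bytes = der[3:]
    if unused > 7 or (not bit_bytes and unused != 0):
        raise ValueError("invalid unused-bits count")
    total_bits = len(bit_bytes) * 8 - unused
    asserted = set()
    # Walk bits from the MSB of the first byte; bit i lives in byte i // 8.
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bit_bytes[i // 8] & (0x80 >> (i % 8)):
            asserted.add(KEY_USAGE_BITS[i])
    return asserted


def allows_digital_signature(der: bytes) -> bool:
    """The check the JVM validator is effectively making for a TLS server cert."""
    return "digitalSignature" in decode_key_usage(der)


def encode_key_usage(names) -> bytes:
    """Encode a list of KeyUsage bit names as a minimal DER BIT STRING.

    DER requires trailing zero bits to be dropped, so the unused-bits
    byte depends on the highest bit that is set."""
    bits = 0
    highest = -1
    for name in names:
        i = KEY_USAGE_BITS.index(name)   # raises ValueError on unknown names
        bits |= 1 << (15 - i)            # two-byte big-endian bit field
        highest = max(highest, i)
    if highest < 0:
        raise ValueError("at least one bit must be set")
    nbytes = 1 if highest < 8 else 2
    unused = nbytes * 8 - (highest + 1)
    field = (bits >> (8 * (2 - nbytes))).to_bytes(nbytes, "big")
    content = bytes([unused]) + field
    return bytes([0x03, len(content)]) + content


# Constructed sample values (not from a real certificate):
SERVER_OK = bytes.fromhex("030205a0")      # digitalSignature, keyEncipherment
SERVER_BAD = bytes.fromhex("03020520")     # keyEncipherment only -> rejected
CA_CERT = bytes.fromhex("03020106")        # keyCertSign, cRLSign

if __name__ == "__main__":
    for label, der in (("server ok", SERVER_OK), ("server bad", SERVER_BAD),
                       ("ca", CA_CERT)):
        print(label, sorted(decode_key_usage(der)),
              "digitalSignature:", allows_digital_signature(der))
```

To apply this to a real certificate, extract the raw value of extension OID 2.5.29.15 (id-ce-keyUsage) with whatever X.509 library the environment already uses and pass those bytes to decode_key_usage; a result that lacks digitalSignature is the condition behind the "KeyUsage does not allow digital signatures" error above, and the certificate should be reissued with that bit asserted.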