
Extended key usage does not permit use for code signing


Article ID: 39822




CA Release Automation - Release Operations Center (Nolio), CA Release Automation - DataManagement Server (Nolio)



After going through the steps given here:

We are getting an error that prevents the loading of ASAP after successfully launching the https://<server>:8443 and clicking the link for Automation Studio and launching the jnlp. First it prompts saying that it is not trusted. Then it fails with: 


Application Blocked for Security 

Failed to validate certificate. 

The application will not be executed. 

Publisher: Nolio, Ltd. 


And we are prompted with two buttons: 

OK or More Information... 


Clicking the More Information button gives these details: Extended key usage does not permit use for code signing



Release Automation Server 5.5.2



Using the commands in the "Additional Information" section below showed that the certificate/keystore used to sign the jar file (during the jarsigner step) had KeyUsage = critical and ExtendedKeyUsage = serverAuth. This combination is not allowed to sign code. 



To fix this problem either: 

  1. get a certificate with both serverAuth and codeSigning extensions; or
  2. get a completely different certificate that only has the codeSigning extension. 

Once you have either of these, you can import the certificate into a Java keystore to use with jarsigner. It is okay that option 2 uses a completely different keystore than the one otherwise used for securing the UI. You don't need to reference this code-signing keystore anywhere.


Additional Information

You should be able to use one of these two commands to confirm whether the situation described above applies to your problem.

  1. keytool -list -v -keystore <yourkeystore>.jks
  2. openssl x509 -noout -text -in <your pem>.cert (assuming the signed public certificate you received is in x509/pem format) 
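
To interpret the output of either command, the following shell function is an added example (not part of the original article or the product) that reads the text for a single certificate on stdin and reports whether its ExtendedKeyUsage permits code signing. The function name and both sample inputs are constructed for illustration, and it checks only the ExtendedKeyUsage extension, not KeyUsage.

```shell
# Reads `openssl x509 -noout -text` or `keytool -list -v` output for ONE
# certificate on stdin; returns 0 if its ExtendedKeyUsage permits code signing.
check_codesign_eku() {
  awk '
    # openssl: usages are comma-separated on the line after the header
    /X509v3 Extended Key Usage:/ {
      found = 1
      if ((getline line) > 0) {
        gsub(/^[ \t]+/, "", line)
        usages = usages (usages ? ", " : "") line
      }
      next
    }
    # keytool: one usage per line between "ExtendedKeyUsages [" and "]"
    /ExtendedKeyUsages \[/ { found = 1; in_list = 1; next }
    in_list && /\]/        { in_list = 0; next }
    in_list                { usages = usages (usages ? ", " : "") $1 }
    END {
      # An absent extension places no EKU restriction on the certificate
      if (!found) { print "OK: no ExtendedKeyUsage extension present"; exit 0 }
      if (usages ~ /Code Signing|codeSigning|Any Extended Key Usage|anyExtendedKeyUsage/) {
        print "OK: ExtendedKeyUsage permits code signing (" usages ")"; exit 0
      }
      print "FAIL: ExtendedKeyUsage lacks codeSigning (" usages ")"; exit 1
    }'
}

# Constructed sample: openssl text output for a serverAuth-only certificate
SAMPLE_OPENSSL_SERVER_ONLY='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Constructed sample: keytool output for a certificate carrying both usages
SAMPLE_KEYTOOL_BOTH='#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  codeSigning
]'

printf '%s\n' "$SAMPLE_OPENSSL_SERVER_ONLY" | check_codesign_eku || true
printf '%s\n' "$SAMPLE_KEYTOOL_BOTH" | check_codesign_eku
```

With real data, pipe the output of either command above into the function. A keystore holding several entries should be listed one alias at a time (keytool's -alias option) so that usages from different certificates are not merged.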



Component: RACORE