Extended key usage does not permit use for code signing

Article ID: 39822

Updated On:

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

Problem 

After going through the steps given here: 

https://docops.ca.com/ca-release-automation/5-5-2/en/installation/ca-release-automation-communications-security/secure-communications

We are getting an error that prevents ASAP from loading. After successfully opening https://<server>:8443, clicking the link for Automation Studio and launching the JNLP, it first prompts that the application is not trusted, then it fails with:

 

Application Blocked for Security 

Failed to validate certificate. 

The application will not be executed. 

Publisher: Nolio, Ltd. 

 

And we are prompted with two buttons: 

OK or More Information... 

 

When clicking the More Information button, it gives these details:

sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing

 

Environment

Release Automation Server 5.5.2

 

Cause

Running the commands in the "Additional Information" section below showed that the certificate in the keystore used to sign the jar file (during the jarsigner step) had a critical KeyUsage extension and an ExtendedKeyUsage containing only serverAuth. A certificate with that combination is not permitted to sign code, which is what the validator error above reports.

 

Resolution

To fix this problem, do one of the following:

  1. obtain a certificate that carries both the serverAuth and the codeSigning extended key usage; or
  2. obtain a completely separate certificate that carries only the codeSigning extended key usage.

Once you have either of these, import the certificate into a Java keystore and use that keystore with jarsigner. With option 2 the signing keystore is different from the keystore used for the rest of the UI security setup; that is fine, and the code-signing keystore does not need to be referenced anywhere else.

 

Additional Information

You should be able to use one of these two commands to confirm whether the situation described above applies to your problem:

  1. keytool -list -v -keystore <yourkeystore>.jks
  2. openssl x509 -noout -text -in <your pem>.cert (assuming the signed public certificate you received is in X.509/PEM format)

In either output, look at the Extended Key Usage extension of the signing certificate: if it lists only serverAuth (openssl prints this as "TLS Web Server Authentication") and not codeSigning (openssl prints "Code Signing"), the certificate cannot be used with jarsigner.
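As an added example (not code from this article or from CA), the script below builds three self-signed test certificates with openssl, one shaped like the failing certificate from the Cause section and one for each resolution option, and runs the openssl x509 check above over each of them; the CN and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the KB article. Builds three self-signed test
# certificates with openssl (CN and temp paths are assumptions) and checks
# each one with the same "openssl x509 -noout -text" command the article
# recommends. Requires openssl in PATH.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_cert <out.pem> <extendedKeyUsage value>
# Critical keyUsage plus the given EKU, mirroring the Cause section.
make_cert() {
  cat > "$work/ext.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ra-test-signer
[ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$work/key.pem" -out "$1" -config "$work/ext.cnf" 2>/dev/null
}

# has_code_signing_eku <cert.pem>: exit 0 only if the EKU lists codeSigning.
# openssl prints the EKU values on the line after the extension name.
has_code_signing_eku() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'Code Signing'
}

# The certificate from the Cause section: serverAuth only.
make_cert "$work/server.pem" serverAuth
# Resolution option 1: serverAuth and codeSigning on one certificate.
make_cert "$work/both.pem" "serverAuth, codeSigning"
# Resolution option 2: a dedicated code-signing certificate.
make_cert "$work/codesign.pem" codeSigning

for name in server both codesign; do
  if has_code_signing_eku "$work/$name.pem"; then
    echo "$name.pem: codeSigning present, usable with jarsigner"
  else
    echo "$name.pem: codeSigning missing, Java will block the signed jar"
  fi
done
```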

 

Environment

Release:
Component: RACORE