Description

This document details what needs to be done when you see a warning or error message stating that there is a certificate error.

Solution

Sometimes while using 3rd party certificates for the DSAs you may come across errors such as the following:

WARN: TLS/SSL handshake failed for call from
WARNING: verify error: unsupported certificate purpose
WARNING: ssld_ssl_request failed - certificate error?
or
WARNING: Verify error 26: unsupported certificate purpose

These messages indicate that one of the following could be wrong:

1. Incorrect or missing "Key agreement" in the certificate.
2. Incorrect or missing "key exchange" in the certificate.
3. Incorrect or missing "Enhanced key exchange" in the certificate.

If this is the case then you will need to contact the Issuing Certificate Authority and see which key usage extension flags need to be set to support the "Key Agreement, Key Exchange and Enhanced Key Exchange" certificate purposes. The certificates will then need to be regenerated for each DSA. The old certificates will need to be removed and replaced by the newly generated certificates. The DSA certificates are located by default under the DXHOME/dxserver/config/ssld/personalities folder. A copy of the third party CA certificate should be stored in the DXHOME/dxserver/config/ssld/trusted.pem file or whichever CA certificate file your SSL Daemon is configured to trust.

For more information on Certificate extensions and Key Usages please see: http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html