[Help-gnutls] Re: Key usage violation in certificate

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jun 1 22:41:37 CEST 2009


On 05/30/2009 07:05 PM, Roland Winkler wrote:

> 		Unknown extension 2.16.840.1.113730.1.13 (not critical):
> 			ASCII: .!YaST Generated Server Certificate
> 			Hexdump: 1621596153542047656e65726174656420536572766572204365727469666963617465
 [...]
> 		Key Usage (not critical):
> 			Key encipherment.

This looks to have been created by YaST, and it seems to be set up
oddly: RFC 5280 suggests that the keyUsage extension SHOULD be critical,
and if the service was configured (maybe also by YaST), it should maybe
have been configured to match.

I've opened https://bugzilla.novell.com/show_bug.cgi?id=508844 to
suggest that YaST should behave differently.  Roland, if you can follow
up there with more details about how the cert in question was created
and how the service was configured, we might be able to prevent this
from tripping up other folks in the future.

Regards,

	--dkg
