[gnutls-help] Create csr with netscape extension = server

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jun 12 11:12:28 CEST 2014


On Wed, Jun 11, 2014 at 7:50 PM,  <m.postman at mafrigo.net> wrote:
> Hi,
> I've been working on this problem for quite a long time now.
> OpenLDAP on my OpenSuSE 13.1 is compiled with gnutls apparently.
> But connecting to the OpenLDAP server fails with the following message:
> # ldapsearch -h localhost -W -D uid=admin,dc=example,dc=net -b
> dc=example,dc=net -s sub "(uid=user1)" -v -ZZ
> ldap_initialize( ldap://localhost )
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unsupported
> certificate purpose)

This is not a gnutls error. Most likely it comes from openssl. My
guess would be that your server certificate doesn't have the correct
purpose set, or has some purpose set that is unknown to it.

> Tracking down this error led to a missing "Netscape Extension" called
> "server".

I doubt that any software would use that extension. It has been dead
for a decade.
Most likely you need to consult the key purpose extensions. My guess
would be that it requires the "tls_www_server" option to the certtool
template.

regards,
Nikos
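To make the suggestion above concrete, here is an added example (not from this thread or from the GnuTLS project) of a certtool template that sets the tls_www_server key purpose, with the commands to issue the certificate and to check that the purpose is actually present before pointing an OpenSSL-based client such as ldapsearch at it. The organisation, host names and self-signed issuance are placeholders; a real deployment signs the request with the CA the LDAP client trusts.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuTLS certtool is
# installed; names and paths below are placeholders.
set -eu

# Write a certtool template for an LDAP server certificate. The
# "tls_www_server" line is what emits the id-kp-serverAuth
# Extended Key Usage that an OpenSSL client checks when it reports
# "unsupported certificate purpose".
write_template() {
    cat > "$1" <<'EOF'
organization = "Example Org"
cn = "ldap.example.net"
dns_name = "ldap.example.net"
dns_name = "localhost"
expiration_days = 365
tls_www_server
encryption_key
signing_key
EOF
}

# Generate a private key and a certificate from the template.
# Self-signed here so the example runs offline; with a real CA use
#   certtool --generate-certificate --load-privkey server-key.pem \
#     --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem \
#     --template server.cfg --outfile server-cert.pem
make_cert() {
    dir=$1
    write_template "$dir/server.cfg"
    certtool --generate-privkey --outfile "$dir/server-key.pem" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$dir/server-key.pem" \
        --template "$dir/server.cfg" --outfile "$dir/server-cert.pem" \
        2>/dev/null
}

# Return 0 if certtool reports the TLS WWW Server key purpose on the
# certificate. The same check from the client's side of the fence:
#   openssl x509 -in server-cert.pem -noout -purpose | grep 'SSL server'
has_server_purpose() {
    certtool -i --infile "$1" | grep -q "TLS WWW Server"
}
```

Usage: call make_cert with a working directory, then has_server_purpose on the resulting server-cert.pem; a certificate generated from a template without the tls_www_server line fails that check.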
