[Fedora-directory-users] NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
Michael Ströder
michael at stroeder.com
Mon Apr 14 12:32:49 UTC 2008
Aleksander Adamowski wrote:
>
> However, whenever I try TLS on port 389 or SSL on port 636, OpenLDAP
> uses its server certificate during TLS/SSL negotiation and Fedora
> Directory decides that this certificate usage isn't good because it's
> not a client certificate. In FDS logs I can see:
> [..]
> [14/Apr/2008:11:33:33 +0200] conn=1474 Netscape Portable Runtime error
> -8101 (Certificate type not approved for application.); unauthenticated
> client E=some_email,CN=hostname,ETC,ETC,; issuer E=ISSUER_DATA
> [14/Apr/2008:11:33:33 +0200] conn=1474 op=-1 fd=65 closed - Certificate
> type not approved for application.
I guess this is because of wrong X.509v3 cert extensions. Maybe you
should post a text dump of the public-key cert.
openssl x509 -in certfilename.pem -noout -text
Ciao, Michael.
More information about the Fedora-directory-users
mailing list