Personal CA signed certificate for IIS giving "This Certificate is not valid for the selected purpose" error


I created a CA using OpenSSL and used it to sign a certificate for localhost, with a secondary DNS entry on localhost, preview-localhost. I have installed the CA cert as a trusted root certificate on the machine and added the localhost certificate to IIS. When I view the signed localhost certificate, I see these errors:

[screenshot: signed localhost certificate] [screenshot: signed localhost path]

The installed CA cert shows its intended issuance and application policies in the certificate viewer. I have included the OpenSSL output for both certificates. I have replaced sensitive (and insensitive) information with <description text>.

CA certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <serial number>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=<country>, ST=<state>, L=<ventura>, O=<myorganization>, OU=<some authority>, CN=<someauthority>/emailAddress=<email address>
        Validity
            Not Before: Apr 27 16:17:41 2015 GMT
            Not After : Apr 24 16:17:41 2025 GMT
        Subject: C=<country>, ST=<state>, L=<ventura>, O=<myorganization>, OU=<some authority>, CN=<someauthority>/emailAddress=<email address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <modulus>
                Exponent: <exponent>
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                <subject key identifier>
            X509v3 Authority Key Identifier:
                keyid:<keyid>
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:preview-localhost
    Signature Algorithm: sha256WithRSAEncryption
         <signature>

localhost certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <some serial number>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=<country>, ST=<state>, L=<ventura>, O=<myorganization>, OU=<some authority>, CN=<someauthority>/emailAddress=<email address>
        Validity
            Not Before: Apr 27 18:09:18 2015 GMT
            Not After : Apr 26 18:09:18 2016 GMT
        Subject: C=<country>, ST=<state>, L=<ventura>, O=<myorganization>, CN=localhost/emailAddress=<email address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <modulus>
                Exponent: <exponent>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                <ski>
            X509v3 Authority Key Identifier:
                keyid:<key id>
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:preview-localhost
    Signature Algorithm: sha256WithRSAEncryption
         <signature>

Any help figuring out why the localhost certificate can't follow the path to the CA would be appreciated. Thank you!

You need to specify the following keyUsage in the x509_extensions section of openssl.cnf when creating the CA:

keyUsage = keyCertSign, cRLSign

For clarification, the config file should contain the following:

[ CA_default ]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

See "How to sign a certificate signing request with a certification authority?" for a detailed explanation of the process.
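An added example (not code from the question or the answer) that reproduces the failure with the openssl CLI: it builds two throwaway CAs that differ only in the keyUsage line the answer points at, signs a localhost certificate with each, and checks which chain OpenSSL accepts. The CA name, file names and the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Requires the openssl CLI.
set -e

# make_chain "<keyUsage list>" <dir>: writes ca.key, ca.crt and localhost.crt into <dir>.
make_chain() {
  ku="$1"; dir="$2"
  mkdir -p "$dir"
  # Minimal req config so the CSRs do not depend on the system openssl.cnf.
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$dir/req.cnf"
  # CA extensions. The question's CA carried "digitalSignature, keyEncipherment";
  # the answer says a CA needs "keyCertSign, cRLSign" here.
  printf 'basicConstraints = critical, CA:TRUE\nsubjectKeyIdentifier = hash\nkeyUsage = %s\n' \
    "$ku" > "$dir/ca.ext"
  # End-entity extensions with the same SANs as the question's certificate.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' > "$dir/leaf.ext"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:localhost, DNS:preview-localhost\n' >> "$dir/leaf.ext"
  # Self-signed CA: make a CSR, then sign it with its own key and the CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # Leaf certificate for localhost, issued by that CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=localhost" -keyout "$dir/localhost.key" -out "$dir/localhost.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/localhost.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/localhost.crt" 2>/dev/null
}

# chain_ok <dir>: returns 0 when OpenSSL accepts localhost.crt under ca.crt, 1 otherwise.
# A CA whose keyUsage omits keyCertSign is rejected; that is OpenSSL's counterpart of
# the Windows "not valid for the selected purpose" error in the question.
chain_ok() {
  out="$(openssl verify -CAfile "$1/ca.crt" "$1/localhost.crt" 2>&1 || true)"
  echo "$out"
  case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

WORK="${WORK:-$(mktemp -d)}"
make_chain "digitalSignature, keyEncipherment" "$WORK/bad"   # the question's CA keyUsage
make_chain "keyCertSign, cRLSign" "$WORK/good"               # the answer's CA keyUsage
for name in bad good; do
  if chain_ok "$WORK/$name"; then echo "$name CA: chain verifies"; else echo "$name CA: chain rejected"; fi
done
```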