NSS PKINIT requires nsCertType extension?

Matt Rogers mrogers at redhat.com
Tue Jan 31 10:09:57 EST 2017

When building with --with-pkinit-crypto-impl=nss and running the test
suite, I found that PKINIT related tests fail on certificate
verification (either client or KDC certificate depending on the test)
with SEC_ERROR_INADEQUATE_CERT_TYPE : "Certificate type not approved
for application." It turns out NSS is expecting the Netscape
certificate type extension (nsCertType = client/server in
openssl.cnf), and adding it to the test certificates made the tests
pass. Is this expected, or documented anywhere? I've not seen
nsCertType required for SSLClient and SSLServer usage profiles before,
so I'm not sure why it is expected here. My version of NSS is 3.27 by
the way.


More information about the krbdev mailing list