NSS PKINIT requires nsCertType extension?
Matt Rogers
mrogers at redhat.com
Tue Jan 31 10:09:57 EST 2017
When building with --with-pkinit-crypto-impl=nss and running the test
suite, I found that PKINIT-related tests fail on certificate
verification (either client or KDC certificate depending on the test)
with SEC_ERROR_INADEQUATE_CERT_TYPE: "Certificate type not approved
for application." It turns out NSS is expecting the Netscape
certificate type extension (nsCertType = client/server in
openssl.cnf), and adding it to the test certificates made the tests
pass. Is this expected, or documented anywhere? I've not seen
nsCertType required for SSLClient and SSLServer usage profiles before,
so I'm not sure why it is expected here. My version of NSS is 3.27, by
the way.
Regards,
Matt