We have client certificates set up and working for desktop browsers, but when using the same certificates that work on the desktop browser from an iPad, we get a "400: The SSL certificate error" in the browser, and the following in the log:

    "18205#18205: *11 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client"

"openssl x509 -purpose" for the cert used to create the pkcs12 file is:

    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    Time Stamp signing : No
    Time Stamp signing CA : No

Which appears to be the correct purpose, and it does work in regular browsers.

We have a CA, and intermediate CA to sign the client certs and then the client cert itself.

The command used to create the pkcs file is:

    openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile ca.comb -nodes -passout pass:mypassword

Where ca.comb is the file specified in the ssl_client_certificate directive, which contains the public certificates for the CA, and the intermediary CA.

Since this works fine on desktop browsers, I'm not sure what to check. How can I figure out what is going wrong?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272444,272444#msg-272444

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx