#StackBounty: Nginx gives "unsupported certificate purpose" for a client certificate from an iPad, but the same cert works fine on desktop browsers?

Bounty: 50

Our company’s web application uses client certificates to authenticate. We want to add some iPad clients to the mix for inventory counting, etc. Client certificate authentication is working just fine in desktop browsers, but when we use the exact same certificate that works in a desktop browser on an iPad, we get this error in nginx:

7200#7200: *2 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers

Nginx returns a 400 bad request “The SSL Certificate Error” to the iPad client.

The CA public cert and intermediate CA cert is installed on the iPad, and installed on the server as well. Again, client certificate authentication works just fine for desktop browsers with our setup.

Is this an iPad problem, an nginx problem, or a certificate problem? And how can we troubleshoot and solve it?

Updating with more information:

openssl x509 -purpose for the cert used to create the pkcs file is:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

… which appears correct.

The command used to create the pkcs file is:

openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -nodes -passout pass:mypassword

The iPad install profile dialog claims the Identity Certificate is not signed, but lets me install it.

Update 2

Possible clue:

When you view the certificate details on the iPad after it is installed, the iPad says “signed by” and lists the certificates own name. When you view the certificate in Firefox, Firefox shows the correct CA in the Issued By field. I’m not sure if this is an iPad glitch or the certificate isn’t signed right.

Here’s the exact code (with file names simplified) used to create and sign the certificates:

openssl genrsa -out file.key 4096

openssl req -new -key file.key -out file.csr -subj "$DN"

openssl x509 -req -days 365 -in file.csr -CA ca.crt -CAkey ca.key -set_serial $SerialNumber -out file.crt

openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile ca.pem -nodes -passout pass:secret 2>&1

Notes: $DN and $SerialNumber are generated by PHP and are omitted here. ca.pem is the certificate authority’s key and public cert combined into one file.

Get this bounty!!!

Leave a Reply