Our company’s web application uses client certificates to authenticate. We want to add some iPad clients to the mix for inventory counting, etc. Client certificate authentication is working just fine in desktop browsers, but when we use the exact same certificate that works in a desktop browser on an iPad, we get this error in nginx:
7200#7200: *2 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers
Nginx returns a 400 bad request “The SSL Certificate Error” to the iPad client.
The CA public cert and intermediate CA cert is installed on the iPad, and installed on the server as well. Again, client certificate authentication works just fine for desktop browsers with our setup.
Is this an iPad problem, an nginx problem, or a certificate problem? And how can we troubleshoot and solve it?
Updating with more information:
openssl x509 -purpose for the cert used to create the pkcs file is:
Certificate purposes: SSL client : Yes SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No S/MIME signing : Yes S/MIME signing CA : No S/MIME encryption : Yes S/MIME encryption CA : No CRL signing : Yes CRL signing CA : No Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : No Time Stamp signing : No Time Stamp signing CA : No
… which appears correct.
The command used to create the pkcs file is:
openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -nodes -passout pass:mypassword
The iPad install profile dialog claims the Identity Certificate is not signed, but lets me install it.
When you view the certificate details on the iPad after it is installed, the iPad says “signed by” and lists the certificates own name. When you view the certificate in Firefox, Firefox shows the correct CA in the
Issued By field. I’m not sure if this is an iPad glitch or the certificate isn’t signed right.
Here’s the exact code (with file names simplified) used to create and sign the certificates:
openssl genrsa -out file.key 4096 openssl req -new -key file.key -out file.csr -subj "$DN" openssl x509 -req -days 365 -in file.csr -CA ca.crt -CAkey ca.key -set_serial $SerialNumber -out file.crt openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile ca.pem -nodes -passout pass:secret 2>&1
Notes: $DN and $SerialNumber are generated by PHP and are omitted here. ca.pem is the certificate authority’s key and public cert combined into one file.