[ogsa-alpha] keyCertSign not asserted
Hi,
I have a problem when trying to run GT3-alpha on my box. I use a
user-cert signed by the Globus CA, but a host-cert signed by another CA.
I get the following exception:
[java] org.globus.gsi.proxy.ProxyPathValidatorException: [Root error message:
Key Usage present but keyCertSign not asserted] [Root exception is
COM.claymoresystems.cert.CertificateVerifyException: Key Usage present but
keyCertSign not asserted]
[java] COM.claymoresystems.cert.CertificateVerifyException: Key Usage present
but keyCertSign not asserted
[java] at COM.claymoresystems.cert.X509Cert.checkKeyUsage(X509Cert.java:551)
The host certificate has the following extensions:
    Issuer: C=CZ, O=GridLab, CN=GridLab Certification Authority
    Subject: O=Grid, O=GridLab, CN=host/acrab.ics.muni.cz
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            AA:94:C6:57:42:1D:4D:CB:D7:38:80:98:1A:DE:4C:F8:F3:F9:79:6A
        X509v3 Authority Key Identifier:
            keyid:B9:1F:5B:B8:92:4F:CF:C3:FB:5C:84:A2:14:2F:0B:2D:92:A3:0F:2E
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Subject Alternative Name:
            email:root@acrab.ics.muni.cz, DNS:acrab.ics.muni.cz
I guess that the exception is complaining about host-cert having the
"X509v3 Key Usage" certificate extension, which doesn't include
some flag allowing certificate signing. But my CA refuses to
add it, because then I would become a CA myself, which sounds
reasonable.
Is this a bug in the GT3 security layer or am I missing something?
Thanks
Martin
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno Martin Kuba
Institute of Computer Science email: makub@ics.muni.cz
Masaryk University http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
--------------------------------------------------------------
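
The condition named in the exception above, as an added example that is not part of the original message and is not PureTLS or Globus code. It decodes a DER Key Usage BIT STRING (bit order per RFC 5280) and applies an issuer-side check; the function names, the two hex encodings, and the rule that an absent extension passes are assumptions made for illustration.

```python
# Key Usage bit names in RFC 5280 order (bit 0 is the most significant bit
# of the first content byte of the DER BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, content = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(content) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and content[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages

def check_issuer_key_usage(key_usage_der):
    """Hypothetical issuer-side check: an absent extension passes,
    a present one must assert keyCertSign."""
    if key_usage_der is None:
        return  # no Key Usage extension: nothing to enforce
    if "keyCertSign" not in decode_key_usage(key_usage_der):
        raise ValueError("Key Usage present but keyCertSign not asserted")

# Constructed encodings (not extracted from the real certificates):
HOST_CERT_KU = bytes.fromhex("030205e0")  # digitalSignature, nonRepudiation, keyEncipherment
CA_STYLE_KU = bytes.fromhex("03020106")   # keyCertSign, cRLSign

def issuer_check_passes(key_usage_der) -> bool:
    """Return True when the issuer-side check accepts this Key Usage value."""
    try:
        check_issuer_key_usage(key_usage_der)
        return True
    except ValueError:
        return False
```
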