SAP Knowledge Base Article - Preview

1862321 - SSL handshake fails: Extension error: keyusage does not allow certificate signing

Symptom

  • An outgoing SSL connection from the Netweaver Application Server Java fails.
  • When the issue is reproduced with tracing activated as documented in KBA 1799620 - Logs required for analysis of SSL related issues - Netweaver AS Java as SSL client, the following traces can be found

Extension error: keyusage does not allow certificate signing
Exiting method
ssl_debug(n): Sending alert: Alert Fatal: bad certificate
ssl_debug(n): Shutting down SSL layer...
ssl_debug(n): SSLException while handshaking: Peer certificate rejected by ChainVerifier
ssl_debug(n): Closing transport...

 

Note: The error 'Peer certificate rejected by ChainVerifier' is written whenever there is a failure to verify the certificate or certificate chain sent by the server to which the outbound SSL connection attempt is made, and can occur for many different reasons. This document is only written for the very specific case where when the issue is reproduced with tracing activated, 'Extension error: keyusage does not allow certificate signing' can be found.


Read more...

Environment

  • SAP NetWeaver 7.0
  • SAP enhancement package 1 for SAP NetWeaver 7.0
  • SAP enhancement package 2 for SAP NetWeaver 7.0
  • SAP enhancement package 3 for SAP NetWeaver 7.0
  • SAP NetWeaver 7.3
  • SAP enhancement package 1 for SAP NetWeaver 7.3
  • SAP NetWeaver Composition Environment 7.1
  • SAP enhancement package 1 for SAP NetWeaver Composition Environment 7.1
  • SAP NetWeaver Composition Environment 7.2

Product

SAP NetWeaver 2004 ; SAP NetWeaver 7.0 ; SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver Application Server for Java 7.1 ; SAP NetWeaver Application Server for Java 7.2 ; SAP enhancement package 1 for SAP NetWeaver 7.0 ; SAP enhancement package 1 for SAP NetWeaver 7.3 ; SAP enhancement package 1 for SAP NetWeaver Application Server for Java 7.1 ; SAP enhancement package 2 for SAP NetWeaver 7.0 ; SAP enhancement package 3 for SAP NetWeaver 7.0

Keywords

iaik , KBA , BC-JAS-SEC-CPG , Cryptography , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.