04-21-2017 08:25 AM - edited 03-18-2019 01:02 PM
Hi All,
I'm hoping someone can help and point me in the right direction here.
I am building 3 CMS servers, and am attempting to cluster the database. I have issued the CSRs based on the Cisco/Acano documentation, but when I initialise the cluster, I am getting the below error:
ERROR: Extended key usages of client certificate 'DBClusterClient.cer' does not specify Client Authentication (Expected 'clientAuth' found 'serverAuth')
In the Certificate Guidelines documentation, it says:
If using “ExtendedKeyUsage”, ensure “ClientAuthentication” is allowed for the database client.
Where is this configured/allowed? Is it an attribute you include in the CSR? Or is this done on the CA server?
Thanks in anticipation
Glyn
04-21-2017 02:53 PM
If you check the details of the certificate, under Enhanced Key Usage, you should see: Server Authentication and Client Authentication.
When you created the CSR what CertificateTemplate did you use?
To generate a CSR with Server Authentication and Client Authentication, you should use "Webclientandserver". My guess is you used "WebServer", which is Server Authentication only.
04-21-2017 11:58 PM
Thanks for your response Patrick. This makes a lot of sense. The customer is signing the csr, so I will share this with them and come back to you with the results.
Thanks again.
Glyn
04-24-2017 09:38 AM
Hi Patrick,
The customer doesn't have an option for, or official template called "Webclientandserver". Is this something they will need to create?
Or is it likely to be the one below?
Workstation Authentication | Enables client computers to authenticate their identity to servers.
Thanks
Glyn
04-24-2017 11:13 AM
The "Webclientandserver" I mention in my earlier post was from a guide for another product that uses both server and client authentication, so I figured that was an actual template that could be used.
According to the TechNet article Certificate Templates Overview, Workstation Authentication is used for client authentication.
04-24-2017 12:17 PM
Thanks Patrick. Will revert back once we've given this a go.
R
Glyn
03-30-2018 04:35 AM
Managed to solve the problem?
Now we are faced with the same problem. As I understand, you need to authorize both the client and the server that the ClientandServerAuthentication template gives.
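The check discussed in this thread (the issued certificate's Enhanced Key Usage must include Client Authentication), as an added shell example that is not part of the original posts. It assumes the openssl CLI, version 1.1.1 or later; the function names and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes the openssl CLI, version 1.1.1 or later (needed for -addext).

# Print the Extended Key Usage values of a certificate, PEM or DER (.cer can
# be either). Prints nothing if the certificate has no EKU extension.
cert_eku() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
    text=$(openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null) ||
    return 2
    printf '%s\n' "$text" |
        awk '/X509v3 Extended Key Usage/ { getline; gsub(/^ +| +$/, ""); print }'
}

# Exit status 0 if the certificate is usable for TLS client authentication,
# 1 if its EKU excludes it (the case behind the error in the first post),
# 2 if the file cannot be parsed.
check_client_auth() {
    eku=$(cert_eku "$1") || { echo "$1: not a readable certificate"; return 2; }
    case "$eku" in
        "") echo "$1: no EKU extension, usage not restricted"; return 0 ;;
        *"TLS Web Client Authentication"*) echo "$1: OK ($eku)"; return 0 ;;
        *) echo "$1: clientAuth missing, found: $eku"; return 1 ;;
    esac
}

# Constructed test input: a throwaway self-signed certificate with the given
# EKU list, e.g. "serverAuth" or "serverAuth,clientAuth".
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Usage: sh check_eku.sh DBClusterClient.cer
if [ "$#" -gt 0 ]; then
    check_client_auth "$1"
fi
```

Running it against the certificate returned by the CA, before loading it onto the servers, shows whether the template used for signing included Client Authentication.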