cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1298
Views
0
Helpful
6
Replies

CMS DB Clustering certificate question

g-kennett
Level 1
Level 1

Hi All,

I'm hoping someone can help and point in the right direction here. 

I am building 3 CMS servers, and am attempting to cluster the database. I have issued the CSRs based on the Cisco/Acano documentation, but when I initialse the cluster, I am getting the below error

ERROR: Extended key usages of client certificate 'DBClusterClient.cer' does not specify Client Authentication (Expected 'clientAuth' found 'serverAuth')

In the Certificate Guidlines documentation, it says

If using“ExtendedKeyUsage”, ensure  “ClientAuthentication” is allowed for the database client.

Where is this configure/allowed. Is it an attribute you include in the CSR? Or is this done on the CA server?

Thanks in anticipation

Glyn

6 Replies 6

Patrick Sparkman
VIP Alumni
VIP Alumni

If you check the details of the certificate, under Enhanced Key Usage, you should see: Server Authentication and Client Authentication.

When you created the CSR what CertificateTemplate did you use?

To generate a CSR with Server Authentication and Client Authentication, you should use "Webclientandserver".  My guess is you used "WebServer", which is Server Authentication only.

Thanks for your response Patrick. This makes a lot of sense. The customer is signing the csr, so I will share this with them and come back to you with the results.

Thanks again.

Glyn

hi Patrick,

The customer doesn't have an option for, or official template called "Webclientandserver". Is this something they will need to create?

Or is it likely to be the one below?

Workstation Authentication

Enables client computers to authenticate their identity to servers.

Thanks

Glyn

The "Webclientandserver" I mention in my earlier post was from a guide for another product that uses both server and client authentication, so I figured that was an actual template that could be used.

According to the TechNet article Certificate Templates Overview, Workstation Authentication is used for client authentication.

Thanks Patrick. Will revert back once we've given this a go.


R

Glyn

managed to solve the problem?
Now we are faced with the same problem. As I understand, you need to authorize both the client and the server that the ClientandServerAuthentication template gives.