CMS DB Clustering certificate question

g-kennett
Level 1

Hi All,

I'm hoping someone can help and point me in the right direction here.

I am building 3 CMS servers, and am attempting to cluster the database. I have issued the CSRs based on the Cisco/Acano documentation, but when I initialise the cluster, I am getting the below error:

ERROR: Extended key usages of client certificate 'DBClusterClient.cer' does not specify Client Authentication (Expected 'clientAuth' found 'serverAuth')

In the Certificate Guidelines documentation, it says:

If using “ExtendedKeyUsage”, ensure “ClientAuthentication” is allowed for the database client.

Where is this configured/allowed? Is it an attribute you include in the CSR? Or is this done on the CA server?

Thanks in anticipation

Glyn

6 Replies

Patrick Sparkman
VIP Alumni

If you check the details of the certificate, under Enhanced Key Usage, you should see: Server Authentication and Client Authentication.

When you created the CSR what CertificateTemplate did you use?

To generate a CSR with Server Authentication and Client Authentication, you should use "Webclientandserver". My guess is you used "WebServer", which is Server Authentication only.
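One way to check a signed certificate's Extended Key Usage before loading it as the database client certificate. This is an added example, not part of the original thread or Cisco's documentation. It assumes the `openssl` CLI is installed and the certificate is PEM-encoded; the function names, file names and the three self-signed sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: the certificates below are throwaway self-signed samples,
# not certificates issued for a real CMS deployment.

# make_cert EXT_LINE OUT_PEM: self-signed sample cert carrying one extension line.
make_cert() {
    d=$(mktemp -d)
    cat >"$d/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-dbclient.example
[ext]
$1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -extensions ext -keyout "$d/key.pem" -out "$2" 2>/dev/null
    rm -rf "$d"
}

# eku_status CERT_PEM: prints ok | no-eku | missing-clientAuth
eku_status() {
    # The EKU values are on the line following the extension header.
    eku=$(openssl x509 -in "$1" -noout -text |
          grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    case "$eku" in
        "") echo "no-eku" ;;                         # extension absent, usage not restricted
        *"TLS Web Client Authentication"*) echo "ok" ;;
        *) echo "missing-clientAuth" ;;              # the case reported in the error above
    esac
}

work=$(mktemp -d)
make_cert "extendedKeyUsage = serverAuth" "$work/server_only.pem"
make_cert "extendedKeyUsage = serverAuth, clientAuth" "$work/both.pem"
make_cert "basicConstraints = CA:FALSE" "$work/no_eku.pem"
for f in server_only both no_eku; do
    printf '%s: %s\n' "$f" "$(eku_status "$work/$f.pem")"
done
```

Running `eku_status` against the certificate returned by the CA shows whether it was issued from a server-only template before the cluster initialisation rejects it.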

Thanks for your response Patrick. This makes a lot of sense. The customer is signing the CSR, so I will share this with them and come back to you with the results.

Thanks again.

Glyn

Hi Patrick,

The customer doesn't have an option for, or official template called "Webclientandserver". Is this something they will need to create?

Or is it likely to be the one below?

Workstation Authentication

Enables client computers to authenticate their identity to servers.

Thanks

Glyn

The "Webclientandserver" I mention in my earlier post was from a guide for another product that uses both server and client authentication, so I figured that was an actual template that could be used.

According to the TechNet article Certificate Templates Overview, Workstation Authentication is used for client authentication.

Thanks Patrick. Will revert back once we've given this a go.


R

Glyn

Managed to solve the problem?
Now we are faced with the same problem. As I understand it, you need to authorize both the client and the server that the ClientandServerAuthentication template gives.