Cam Reporter
	Description • 10 years ago

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140306171728

Steps to reproduce:

Loaded up previously working development webpage which is served with https, using a key/cert generated by a self signed CA which is in the trusted CA cert list.


Actual results:

Get SEC_ERROR_INADEQUATE_KEY_USAGE error.


Expected results:

No error.

	Cam Reporter
	Comment 1 • 10 years ago

This is the cert for the page itself.

	Camilo Viecco (:cviecco)
	Comment 2 • 10 years ago

We are now more strict on our validations. Your CA cert has and EKU but is NOT asserting  keyCertSign (it is asserting Digital Signature, Non Repudiation, Key Encipherment). Therefore when following http://tools.ietf.org/html/rfc5280#section-4.2.1.3 you will notice that:

"
If the keyUsage extension is present, then the subject public key
   MUST NOT be used to verify signatures on certificates or CRLs unless
   the corresponding keyCertSign or cRLSign bit is set.
"

dkeeler I think this shuld be closed as invalid.

	Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)
	Comment 3 • 10 years ago

Just to be clear, I think you typed "EKU" when you meant "KU", but yes, I agree.
(Cam - thanks for filing this bug. "INVALID" is a harsh way of saying "not a bug".)