
SCEP & extended certificate attributes

I'm using SCEP to create certificates for my web service. After successful certificate creation and server startup I try to access the WSDL via browser, which displays an error message saying that the certificate type is not allowed for this application, error code: sec_error_inadequate_cer_type. A fellow colleague pointed out that I have to change the key usage in the extended key attributes to "server authentication" and that it should be done in the certification request.

To create a new request I am using bouncycastle. See the code snippet below:

    PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(subject, pkInfo);
    builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(challengePassword));

    return builder.build(signer);

The problem now is that I found no documentation on how to add something like this to the request. The only thing I figured out is that most likely I must add another attribute to the builder with the object identifier "PKCSObjectIdentifiers.pkcs_9_at_extendedCertificateAttributes":

    builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extendedCertificateAttributes, ??? );

But what should be passed to the addAttribute method of the builder so that the requested certificate will have the extended certificate attribute set to "server authentication"?

I did some research but I did not find any documentation or examples that provided me with useful answers.

Some info: I'm using JSCEP and bouncycastle 1.48.

I hope someone can point me to the solution. Thanks in advance.

Solution

  • The Extended Certificate attribute is deprecated, but there is another PKCS#9 attribute called extensionRequest which can contain some extensions the caller wants to be included in the certificate.

    The extensionRequest attribute type may be used to carry information about certificate extensions the requester wishes to be included in a certificate.

    Of course the Certification Authority must support this attribute and can ignore it depending on its certification policy.

    To include this attribute in your CSR you can use this code (not tested):

    KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature);
    Extension kuExt = new Extension(Extension.keyUsage, true, ku.getEncoded());
    ExtendedKeyUsage eku = new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth);
    Extension ekuExt = new Extension(Extension.extendedKeyUsage, true, eku.getEncoded());
    Extensions exts = new Extensions(new Extension[] {kuExt, ekuExt});
    builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, exts);
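The answer's snippet adds the extensionRequest attribute but leaves out the surrounding pieces (key, signer, and a way to confirm the request actually carries serverAuth before it is sent to the SCEP server). Below is an added, self-contained example that is not part of the question or the answer and not JSCEP or Bouncy Castle project code: it builds a CSR with a challenge password plus a keyUsage/extendedKeyUsage extensionRequest, then parses the CSR back and checks for id-kp-serverAuth. It assumes the bcprov and bcpkix jars are on the classpath (the JCA builder and signer classes live in bcpkix); the subject DN, challenge password string and the choice of an RSA 2048 key are constructed values for the example.

```java
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Added example (not from the question, the answer, JSCEP or Bouncy Castle).
public class CsrExtensionRequestExample {

    /** Build a CSR whose PKCS#9 extensionRequest asks for keyUsage and EKU serverAuth. */
    public static PKCS10CertificationRequest buildCsr(KeyPair keyPair, String subjectDn,
            String challengePassword) throws IOException, OperatorCreationException {
        // keyUsage for a TLS server key: signs handshakes, and keyEncipherment for RSA key exchange
        KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);
        Extension kuExt = new Extension(Extension.keyUsage, true, ku.getEncoded());

        // extendedKeyUsage id-kp-serverAuth is what the browser checks on a server certificate;
        // marked non-critical here, the usual practice for EKU (the answer marks it critical)
        ExtendedKeyUsage eku = new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth);
        Extension ekuExt = new Extension(Extension.extendedKeyUsage, false, eku.getEncoded());

        Extensions exts = new Extensions(new Extension[] { kuExt, ekuExt });

        PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(subjectDn), keyPair.getPublic());
        // SCEP challenge password, exactly as in the question's snippet
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
                new DERPrintableString(challengePassword));
        // The extensionRequest attribute carrying the requested extensions
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, exts);

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
        return builder.build(signer);
    }

    /** Parse the CSR's extensionRequest attribute(s) and report whether serverAuth was requested. */
    public static boolean requestsServerAuth(PKCS10CertificationRequest csr) {
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        for (Attribute attr : attrs) {
            for (ASN1Encodable value : attr.getAttrValues().toArray()) {
                Extensions exts = Extensions.getInstance(value);
                Extension ekuExt = exts.getExtension(Extension.extendedKeyUsage);
                if (ekuExt == null) {
                    continue;
                }
                ExtendedKeyUsage eku = ExtendedKeyUsage.getInstance(ekuExt.getParsedValue());
                if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed subject and challenge password for the example
        PKCS10CertificationRequest csr = buildCsr(kp, "CN=ws.example.test", "constructed-challenge");
        System.out.println("serverAuth requested in CSR: " + requestsServerAuth(csr));
    }
}
```

The check in requestsServerAuth is worth running before handing the request to JSCEP: if it returns false the CSR itself is wrong, and if it returns true but the issued certificate still lacks serverAuth, the SCEP CA ignored the extensionRequest under its policy, as the answer notes it may, and the fix then lies on the CA side rather than in the client code.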