IBM Support

CSPA311E - SSL certificate verification failed, reason=unsupported certificate purpose

Troubleshooting


Problem

CSPA311E - SSL certificate verification failed, reason=unsupported certificate purpose

Symptom

A session from a Connect:Direct for UNIX v3.8.00 node to Sterling Secure Proxy (SSP) v3.0 fails with CSPA311E - SSL certificate verification failed, reason=unsupported certificate purpose.

Another session, from a Connect:Direct Windows v4.2.00 node to the same copy of SSP, works perfectly, even though SSP is configured to use the same certificates for both transfers. This seems strange: when a Pnode connects to SSP for a session, it is SSP that passes its certificate back to the Pnode for verification against the Pnode's trusted roots, so it would seem logical that either both sessions work or both fail.

The certificates used by SSP were issued by the same CA as the trusted root and have valid dates, so they are accepted by the 'older' version of C:D Windows, which uses the less stringent Certicom SSL toolkit to perform certificate validation. C:D UNIX, however, switched to the stricter OpenSSL toolkit at v3.8.00, and OpenSSL rejects the certificate because it was cut for an incorrect purpose (example: E-mail protection instead of SSL transfers).

Error Message

CSPA311E stext=SSL certificate verification failed, reason=unsupported certificate purpose|MSST=SSL certificate verification failed, reason=unsupported certificate purpose

Resolving The Problem

Check the certificate purpose (listed under X509v3 Extended Key Usage) and, if necessary, acquire a certificate which has been cut for the purposes of secure file transfer.
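The check can be reproduced with the OpenSSL command line. This added example (not IBM's code) issues two constructed test certificates from one throwaway CA, one with the emailProtection purpose and one with serverAuth, prints each certificate's X509v3 Extended Key Usage, and verifies each as a TLS server certificate. It assumes OpenSSL 1.1.0 or later and that the failing check corresponds to OpenSSL's `sslserver` purpose; all names, subjects and files are constructed.

```shell
#!/usr/bin/env bash
# Added example. All names, subjects and files are constructed test data.
work=$(mktemp -d)

# Minimal config for a throwaway test CA (constructed).
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null

# make_leaf <name> <eku>: issue $work/<name>.pem from the test CA with one EKU.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/CN=$1.example.test" -keyout "$work/$1.key" \
        -out "$work/$1.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$2" > "$work/$1.ext"
    openssl x509 -req -in "$work/$1.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 \
        -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
}

# eku_of <name>: print the value listed under "X509v3 Extended Key Usage".
eku_of() {
    openssl x509 -in "$work/$1.pem" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# tls_server_ok <name>: succeed only if the chain verifies AND the
# certificate is acceptable as a TLS server certificate.
tls_server_ok() {
    openssl verify -CAfile "$work/ca.pem" -purpose sslserver \
        "$work/$1.pem" >/dev/null 2>&1
}

make_leaf mail emailProtection   # mis-purposed, as in the failing case
make_leaf web  serverAuth        # issued for TLS server use
for c in mail web; do
    if tls_server_ok "$c"; then verdict=accepted; else verdict=rejected; fi
    printf '%-4s EKU=[%s] -> %s\n' "$c" "$(eku_of "$c")" "$verdict"
done
```

Both certificates chain to the same CA and have valid dates; only the purpose check separates them, which matches one toolkit accepting the certificate while OpenSSL rejects it.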


Historical Number

NFX2479

Document Information

Modified date:
17 December 2019

UID

swg21555993