Troubleshooting
Problem
CSPA311E - SSL certificate verification failed, reason=unsupported certificate purpose
Symptom
A session from a Connect:Direct for UNIX v3.8.00 node to Sterling Secure Proxy (SSP) v3.0 fails with CSPA311E - SSL certificate verification failed, reason=unsupported certificate purpose.
Another session from Connect:Direct Windows v4.2.00 to the same copy of SSP works perfectly, even though SSP is configured to use the same certificates for both transfers. This seems strange: when a Pnode connects to SSP for a session, it is SSP that passes its certificate back to the Pnode for verification against the Pnode's trusted roots, so it would seem logical that either both sessions would work or both would fail.
The certificates used by SSP were issued by the same CA as the trusted root and have valid dates, so they are accepted by the 'older' version of C:D Windows, which uses the less stringent Certicom SSL toolkit to perform certificate validation. However, C:D UNIX switched to the stricter OpenSSL toolkit at v3.8.00, and OpenSSL rejects the certificate because it was cut for an incorrect purpose (example: E-mail protection instead of SSL transfers).
Error Message
CSPA311E stext=SSL certificate verification failed, reason=unsupported certificate purpose|MSST=SSL certificate verification failed, reason=unsupported certificate purpose
Resolving The Problem
Check the certificate purpose (under X509v3 Extended Key Usage) and, if necessary, acquire a certificate which has been cut for the purposes of secure file transfer.
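One way to run this check with the OpenSSL command line, as an added example that is not part of the original technote. It builds two throwaway self-signed certificates (constructed test data; the subject name `ssp.example.test` and the function names are assumptions) and shows that the one with an E-mail Protection EKU fails OpenSSL's SSL server purpose check while the serverAuth one passes.

```bash
#!/usr/bin/env bash
# Added example. Both certificates are throwaway, constructed test data.

# make_cert <eku> <out.pem>: self-signed certificate whose
# X509v3 Extended Key Usage is <eku> (e.g. serverAuth, emailProtection).
make_cert() {
    mc_eku=$1; mc_out=$2
    mc_dir=$(mktemp -d)
    cat > "$mc_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ssp.example.test
[ext]
extendedKeyUsage = $mc_eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$mc_dir/req.cnf" \
        -keyout "$mc_dir/key.pem" -out "$mc_out" 2>/dev/null
    rm -rf "$mc_dir"
}

# show_eku <cert.pem>: print the value listed under X509v3 Extended Key Usage.
show_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; gsub(/^ +| +$/, ""); print; exit }'
}

# ssl_server_ok <cert.pem>: succeed only if OpenSSL's purpose check
# accepts the certificate as an SSL/TLS server certificate.
ssl_server_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# Demo: compare a certificate cut for e-mail with one cut for SSL server use.
work=$(mktemp -d)
make_cert emailProtection "$work/email.pem"
make_cert serverAuth "$work/server.pem"
for cert in "$work/email.pem" "$work/server.pem"; do
    if ssl_server_ok "$cert"; then verdict="accepted as SSL server"
    else verdict="rejected: wrong purpose for SSL server"; fi
    printf '%s: EKU=%s -> %s\n' "${cert##*/}" "$(show_eku "$cert")" "$verdict"
done
rm -rf "$work"
```

Against a real certificate, pass `show_eku` and `ssl_server_ok` the path to the PEM file that SSP presents.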
Historical Number
NFX2479
Document Information
Modified date:
17 December 2019
UID
swg21555993