Symptom
- An outgoing SSL connection from the NetWeaver Application Server Java fails.
- When the issue is reproduced with tracing activated as documented in KBA 2673775 ("Use /tshw to collect IAIK debug trace for outgoing calls in AS Java"), the following trace entries can be found:
Extension error: keyusage does not allow certificate signing
Exiting method
ssl_debug(n): Sending alert: Alert Fatal: bad certificate
ssl_debug(n): Shutting down SSL layer...
ssl_debug(n): SSLException while handshaking: Peer certificate rejected by ChainVerifier
ssl_debug(n): Closing transport...
Note: The error 'Peer certificate rejected by ChainVerifier' is written whenever verification of the certificate or certificate chain sent by the server targeted by the outbound SSL connection fails, and it can occur for many different reasons. This document covers only the specific case in which, when the issue is reproduced with tracing activated, 'Extension error: keyusage does not allow certificate signing' appears in the trace.
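As an added example (not part of the SAP KBA), the script below reports which CA certificate in a PEM bundle carries a keyUsage extension without keyCertSign, the condition the trace line names. It assumes the `openssl` command-line tool is installed; the function names and the sample CAs it generates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the KBA: classify each certificate in a PEM bundle
# by whether its keyUsage extension permits certificate signing (keyCertSign).

# Reads one PEM certificate on stdin; prints not-ca | ok | no-keyUsage | no-keyCertSign
cert_sign_status() {
    local text usage
    text=$(openssl x509 -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo not-ca; return 0; }
    # openssl prints the usage list on the line after the extension header.
    usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case $usage in
        '')                   echo no-keyUsage ;;     # extension absent
        *'Certificate Sign'*) echo ok ;;
        *)                    echo no-keyCertSign ;;  # cannot act as issuer
    esac
}

# Splits a PEM bundle and prints "<position> <status>" per certificate.
check_bundle() {
    local tmp i=1
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ {n++} n {print > (d "/c" n ".pem")}' "$1"
    while [ -f "$tmp/c$i.pem" ]; do
        echo "$i $(cert_sign_status < "$tmp/c$i.pem")"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Constructed sample data: self-signed CA with keyUsage list $1, written to $2.
make_sample_ca() {
    local tmp; tmp=$(mktemp -d) || return 2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        '[dn]' 'CN=Constructed Sample CA' \
        '[ext]' 'basicConstraints=critical,CA:TRUE' "keyUsage=critical,$1" \
        > "$tmp/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/req.cnf" \
        -extensions ext -keyout "$tmp/key.pem" -out "$2" 2>/dev/null
    rm -rf "$tmp"
}

demo() {
    local dir; dir=$(mktemp -d) || return 2
    make_sample_ca digitalSignature "$dir/bad.pem"
    make_sample_ca keyCertSign,cRLSign "$dir/good.pem"
    cat "$dir/bad.pem" "$dir/good.pem" > "$dir/bundle.pem"
    check_bundle "$dir/bundle.pem"
    rm -rf "$dir"
}
demo
```

To inspect a real chain, save the certificates the remote server presents into one PEM file and pass it to `check_bundle`; the end-entity certificate is expected to report `not-ca`.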
Environment
SAP NetWeaver Application Server Java all versions
Keywords
iaik, ssl, debug, Peer certificate rejected by ChainVerifier, Handshaking, KBA, BC-JAS-SEC-CPG, Cryptography, Problem
About this page
This is a preview of a SAP Knowledge Base Article. The full version is available on SAP for Me (login required).