Layer7 API Management

  • 1.  Certificate Key Usage or Extended Key Usage Disallowed

    Posted Aug 29, 2016 08:28 AM

    Hi,

     

     We are getting the below error while verifying a signature using a certificate given by the counterparty:

    Certificate key usage or extended key usage disallowed by key usage enforcement policy for activity

     

    Key Usage of Certificate : Digital Signature, Non-Repudiation (c0)

    Enhanced Key Usage of Certificate :
    Secure Email (1.3.6.1.5.5.7.3.4)
    Document Signing (1.3.6.1.4.1.311.10.3.12)
    Unknown Key Usage (1.2.840.113583.1.1.5)

     

    Is there any specific list of key usages that will be allowed for verification? If yes, is there any way to override that? Please help.

     

    Thanks,

    Siddharth 



  • 2.  Re: Certificate Key Usage or Extended Key Usage Disallowed
    Best Answer

    Broadcom Employee
    Posted Aug 29, 2016 03:08 PM

    Siddharth,

     

    The error indicates that the certificate includes further attributes that the Gateway can't handle by default. These attributes are inserted for a specific purpose. In order to handle such attributes, there are two options:

    Option 1: You can ignore key usage enforcement by setting the following cluster property:
    pkix.keyUsage = IGNORE
    ***Note: This will require a Gateway restart to go into effect***
    Details about this cluster-wide property can be found here:
    https://docops.ca.com/ca-api-gateway/8-4/en/cluster-properties/certificate-validation-cluster-properties

    Option 2: You can implement your own key usage enforcement policy based on the information here:
    https://docops.ca.com/ca-api-gateway/8-3/en/publish-services-and-configure-policies/working-with-policies/key-usage-enforcement-policy

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
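
An added example, not part of the thread and not the Gateway's own code or policy format: a small model of key usage enforcement run against the certificate values from the question. It shows how a rule for one activity can admit this certificate's EKU without switching enforcement off entirely. The rule layout, the `STRICT` and `CUSTOM` rules and their contents are assumptions made for illustration.

```python
# Added example: a model of key usage enforcement, not the Gateway's own code.
# Key Usage bit names in RFC 5280 order; bit 0 is the most significant bit.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly"]
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage (RFC 5280)

def decode_key_usage(first_octet):
    """Return the Key Usage names set in the first octet of the bit string."""
    return {name for i, name in enumerate(KU_BITS) if first_octet & (0x80 >> i)}

def check(cert, rule):
    """Return (allowed, reason) for one certificate against one activity rule."""
    ku = cert.get("key_usage")          # None means the extension is absent
    if ku is not None and not (decode_key_usage(ku) & rule["key_usage_any"]):
        return False, "key usage does not permit this activity"
    eku = cert.get("ext_key_usage")     # None means the extension is absent
    if eku is not None and ANY_EKU not in eku and not (set(eku) & rule["eku_any"]):
        return False, "extended key usage does not permit this activity"
    return True, "ok"

# Values from the certificate in the question.
CERT = {
    "key_usage": 0xC0,
    "ext_key_usage": ["1.3.6.1.5.5.7.3.4",        # Secure Email
                      "1.3.6.1.4.1.311.10.3.12",   # Document Signing
                      "1.2.840.113583.1.1.5"],     # shown as unknown in the post
}

# Hypothetical rules for a "verify signature" activity (assumed, not product defaults).
STRICT = {"key_usage_any": {"digitalSignature", "nonRepudiation"},
          "eku_any": {"1.3.6.1.5.5.7.3.3"}}       # constructed: code signing only
CUSTOM = {"key_usage_any": STRICT["key_usage_any"],
          "eku_any": STRICT["eku_any"] | {"1.3.6.1.4.1.311.10.3.12"}}

if __name__ == "__main__":
    print(sorted(decode_key_usage(CERT["key_usage"])))
    print("strict:", check(CERT, STRICT))
    print("custom:", check(CERT, CUSTOM))
```
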