A device can't create its own cert based on a CA cert unless you were referencing generating a CSR, sending to the CA and then importing the CA's certificate. I'm assuming this is what you did for the remainder of this post.
The purpose of the certificate is not adequate for use with SSL; that certificate purpose is to be used as an IKE intermediate. The client device accessing is responsible for verifying both the validity of the certificate and the intended purpose of the certificate. Depending on the browser client security settings, it will or won't display certain types of errors, as you've discovered.
It doesn't sound like you're having a name mismatch, as in the Subject Name of the certificate matches up with the FQDN or IP address of the certificate you had issued. You'd get a certificate warning in this case, but it should at least still work if you bypass the warning. This appears to be that the certificate generated is just not enough to be used to provide SSL service.
The certificate you're using should have a purpose of Digital Signature, Key Encipherment and Server/Client Authentication. If you're using a Windows-based CA, the default web server template should provide these purposes for the certificate that is generated.
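The purpose check described in the answer above, as an added example that is not part of the original post: it reads the Key Usage and Extended Key Usage extensions and reports what is missing for serving SSL/TLS. It assumes the Python `cryptography` package; the two self-signed certificates and the name `device.example.test` are constructed here for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

IKE_INTERMEDIATE = x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")  # IPsec IKE intermediate EKU

def tls_server_problems(cert):
    """Return reasons this certificate is unsuitable for serving SSL/TLS."""
    problems = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            problems.append("Key Usage lacks Digital Signature")
        if not ku.key_encipherment:
            problems.append("Key Usage lacks Key Encipherment")
    except x509.ExtensionNotFound:
        pass  # no Key Usage extension means no restriction
    try:
        eku = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("Extended Key Usage lacks Server Authentication")
    except x509.ExtensionNotFound:
        pass  # no Extended Key Usage extension means no restriction
    return problems

def make_sample_cert(signing, encipherment, ekus):
    """Build a constructed, self-signed test certificate (hypothetical subject name)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    usage = x509.KeyUsage(
        digital_signature=signing, content_commitment=False,
        key_encipherment=encipherment, data_encipherment=False,
        key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(usage, critical=True)
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))

# Constructed samples: one issued for IKE only, one with the web server purposes.
IKE_ONLY = make_sample_cert(True, True, [IKE_INTERMEDIATE])
WEB_SERVER = make_sample_cert(True, True, [ExtendedKeyUsageOID.SERVER_AUTH,
                                           ExtendedKeyUsageOID.CLIENT_AUTH])
```

To check a certificate exported from the device instead, load it with `x509.load_pem_x509_certificate()` and pass it to `tls_server_problems()`.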