Failed to verify certificate: x509: certificate specifies an incompatible key usage

Ranjandas · February 11, 2024, 9:08am

If you look at the Extended Key Usage of your server certificate, you will see that it only has "TLS Web Server Authentication". Your certificate should have "TLS Web Server Authentication" and “TLS Web Client Authentication” in the Extended Key Usage.

       X509v3 Extended Key Usage: 
           TLS Web Server Authentication

Since every agent acts as a server and client, and when configured to do mTLS (using verify_incoming and verify_outgoing), server and client authentication constraints should be there or left empty.

You can compare this with a cert generated using the consul tls CLI.

X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication

I hope this helps!

Topic		Replies	Views
Tls: failed to verify client certificate: x509: certificate specifies an incompatible key usage Consul	3	8384	September 11, 2023
Consul Client join consul servers cluster \| certificate error Consul consul	2	657	August 2, 2022
Consul Certification Consul	8	1161	December 1, 2021
Consul: invalid certificate, certificate is not valid for server.dc1.consul.hello.com Consul	3	479	February 9, 2024
OIDCDiscoveryURL and https Consul connect , vault	0	374	January 28, 2023

Failed to verify certificate: x509: certificate specifies an incompatible key usage

Related topics