EAP-TLS auth test fails with "unsupported certificate purpose"

Aruba Employee

The authentication test is run from RADIUS -> Authentication -> Authentication Servers -> Local Certificate Authority -> Test Authentication, and it fails. The debug output shows:


SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 26 (unsupported certificate purpose) depth 1 for '/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=ACE/CN=Milano Lab Amigopod Local Root CA (Signing)/emailAddress=milano.amigpod.rootca@arubanetworks.com'
SSL: (where=0x4008 ret=0x22b)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unsupported certificate
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL


When exporting the client certificate, choose PKCS#12 Format but clear the check box for Trust Chain - Include certificate trust chain. This prevents the test authentication from presenting the CA certificate(s) to the RADIUS server, which would lead to the "unsupported certificate purpose" message.

Note that this is not required for a real client. This is only necessary when testing internally on Amigopod through the test tool. A real client can be installed with the full trust chain but will only present the client certificate during authentication.
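
To confirm that an exported PKCS#12 file really omits the trust chain before loading it into the test tool, the following added example (not part of the original article and not Aruba's own tooling) counts the certificates in a bundle with the openssl command line. The function names, file names, certificate subjects and the password "test" are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article. File names, subjects and the
# password "test" are constructed sample values.

# Print the number of certificates in a PKCS#12 bundle (private keys skipped).
count_p12_certs() {       # usage: count_p12_certs FILE PASSWORD
    out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null) || return 2
    printf '%s\n' "$out" | grep -c -e '-----BEGIN CERTIFICATE-----'
}

# Report whether the bundle carries CA certificates next to the client one.
p12_chain_status() {      # usage: p12_chain_status FILE PASSWORD
    n=$(count_p12_certs "$1" "$2") || { echo unreadable; return 2; }
    if [ "$n" -gt 1 ]; then echo chain-included; else echo client-only; fi
}

# Build a throwaway CA and client certificate, then export the client
# certificate twice: once with the CA certificate and once without it.
make_sample_bundles() {   # usage: make_sample_bundles DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
        -certfile "$d/ca.pem" -passout pass:test -out "$d/with-chain.p12" &&
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
        -passout pass:test -out "$d/client-only.p12"
}

# Demo: compare the two constructed exports.
tmp=$(mktemp -d) && make_sample_bundles "$tmp" || exit 1
for f in with-chain.p12 client-only.p12; do
    echo "$f: $(p12_chain_status "$tmp/$f" test)"
done
rm -rf "$tmp"
```

A bundle reported as client-only matches the export described above; one reported as chain-included is the kind that makes the test tool present the CA certificate(s).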

Version history: revision 2 of 2, last update 06-29-2014 10:14 AM