trouble with self-signed SSL certificates

What changed since my last post on certificates

Since my last post almost two years ago I have upgraded my home server significantly with new hardware. The new hardware lets me run a lot more services, and so I wanted to reach each of them by its own DNS name. With the wildcard certificate it was no problem to access them securely from any browser.

Things changed when I started integrating these into the Jenkins pipelines. I got the following error message:

```
hudson.remoting.ProxyException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures
    at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:278)
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:144)
    at sun.security.validator.Validator.validate(Validator.java:274)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
Caused: hudson.remoting.ProxyException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
```

So my carefully crafted certificates were not good enough for Java. After some fiddling around with my OpenSSL configuration, the following section, whose keyUsage now includes digitalSignature, resolved the issue:

```
[ v3_ca ]
# Extensions for a typical CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
```
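The same keyUsage requirement carried through to the server certificate, as an added example that is not part of the original post: it builds a throwaway CA from the v3_ca section above, signs a wildcard certificate with a separate end-entity extension set (the file names, the `*.home.example` names and the `v3_server` section are assumptions), and uses openssl to confirm that the issued certificate actually permits digital signatures before any Java client has to trust it.

```shell
#!/bin/sh
# Added example, not from the post: throwaway CA with the v3_ca section
# above, a wildcard server cert signed by it, and a check that the server
# cert carries the digitalSignature key usage Java insists on. Names are constructed.
set -e
WORK="$(mktemp -d)"
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Home CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# End-entity extensions: a TLS server certificate is not a CA, so it gets
# CA:false, serverAuth and a keyUsage that permits digital signatures.
cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = *.home.example
[ v3_server ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.home.example, DNS:home.example
EOF

openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
  -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 825 -extfile "$WORK/server.cnf" -extensions v3_server \
  -out "$WORK/server.crt" 2>/dev/null

# Passes only when the chain verifies for the sslserver purpose (which
# enforces keyUsage) and the leaf keyUsage explicitly lists Digital Signature
check_server_cert() {
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null &&
    openssl x509 -in "$2" -noout -ext keyUsage | grep -q 'Digital Signature'
}
check_server_cert "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt: keyUsage allows digital signatures"
```

Run the same `check_server_cert` against a certificate issued with only `cRLSign, keyCertSign` and it fails at the sslserver purpose check, which is the OpenSSL-side view of the Java error above.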

After creating a new CA certificate and signing new wildcard certificates, all seemed to be in order: Java was content with the new certificates. Just when I was verifying that my new server certificate worked in all my browsers, I was struck by the error message in