IBM Support

Client connection to Sterling External Authentication Server fails. Extended key usage does not permit use for TLS client authentication

Technical Blog Post


Abstract

Client connection to Sterling External Authentication Server fails. Extended key usage does not permit use for TLS client authentication

Body

The auditlog.inc shows the message below for a client connection, for example the one made by stopSeas.sh (stopSeas.bat):

<msgID>ACPT042E</msgID>
<msgText>Failed to secure connection. Address=/nnn.nnn.nnn.nnn:pppp, Session=sssss : Extended key usage does not permit use for TLS client authentication</msgText>

Look at the following part of it:

Extended key usage does not permit use for TLS client authentication

This indicates that the client certificate has an Extended Key Usage extension that does NOT include client authentication: the certificate is being used for client authentication, but its Extended Key Usage value permits only server authentication. Thus, you would go back to the CA to get this fixed. SEAS always performs client authentication and there is no way around it. You should get a certificate from your CA with both the server and client authentication purposes turned on.


In a digital certificate the "Extended key usage" extension further refines the key usage extension. The extension is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes; using the certificate for another purpose is a violation of the CA's policy.

For a certificate to be marked for use for Server Authentication only, the Extended Key Usage field in the certificate must be configured with the Critical flag set to True and the Value set to 1.3.6.1.5.5.7.3.1. For Client Authentication, it is set to 1.3.6.1.5.5.7.3.2.

For reference:

    1.3.6.1.5.5.7.3.2 The certificate can be used for Client Authentication only

    1.3.6.1.5.5.7.3.1 The certificate can be used for Server Authentication only
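To check a certificate's Extended Key Usage value before it is handed to SEAS, the following added example (not IBM code, and not part of the original post) decodes the DER-encoded extKeyUsage extension value with a minimal ASN.1 reader and reports whether id-kp-clientAuth is present. The two sample extension values are constructed here, not taken from a real certificate; the function names are assumptions.

```python
"""Decode the DER value of an X.509 extendedKeyUsage extension and check
whether it permits TLS client authentication (id-kp-clientAuth)."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and multi-byte long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)   # base-128 arcs, high bit = continue
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) into a list of OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU SEQUENCE")
        oids.append(decode_oid(value))
    return oids


def permits_client_auth(der):
    """True only if id-kp-clientAuth is listed. A certificate carrying only
    id-kp-serverAuth is exactly the case SEAS rejects with ACPT042E."""
    return CLIENT_AUTH in decode_eku(der)


# Constructed sample EKU values: serverAuth only, and serverAuth + clientAuth.
SERVER_ONLY_EKU = bytes.fromhex("300a06082b06010505070301")
SERVER_AND_CLIENT_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    for name, der in [("server-only", SERVER_ONLY_EKU), ("server+client", SERVER_AND_CLIENT_EKU)]:
        print(name, decode_eku(der), "clientAuth permitted:", permits_client_auth(der))
```

The raw extension value can be pulled from a certificate with an ASN.1 tool such as openssl asn1parse; only the extension's OCTET STRING content is fed to decode_eku.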



UID

ibm11123533