KB Article #73584

Check the purpose of a server certificate

For some specific and rare use cases, such as using a service certificate (i.e. a certificate from the Local Certificates list) for user authentication, the certificate must have specific properties that define its purpose. More precisely, because the certificate is used on a protocol service (FTP, for example), it should contain the "Server" purpose. If the same certificate is also used by a user for authentication, it should contain the "Client" purpose as well.


This article explains how to check which purpose properties are set on a certificate.


Resolution

The file that holds a certificate from the Local Certificates page of the Admin UI is located in the $FILEDRIVEHOME/lib/certs directory. To list the properties of such a certificate, run the following command:


openssl x509 -in $FILEDRIVEHOME/lib/certs/certname-crt.pem -purpose


NOTES:


  • The $FILEDRIVEHOME placeholder must be replaced with the full system path to SecureTransport's installation directory.
  • certname-crt.pem is the public key of the certificate, and 'certname' is the alias of the certificate as it appears on the Local Certificates page.
  • The command assumes that OpenSSL is available on the server.


The output of the command should look something like this:


Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes


Note that both SSL client and SSL server say Yes, so this certificate can be used for user authentication and can also be installed on a protocol service in ST.
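
The check above can be scripted. The following is an added example, not part of the original article or of SecureTransport: a shell helper that reads the text printed by the command and succeeds only when both SSL client and SSL server are a plain Yes. The function names and the sample outputs are constructed for illustration, and -noout is added only to suppress the PEM dump.

```shell
#!/bin/sh
# Added example: evaluate the "Certificate purposes" text printed by
# `openssl x509 -purpose`. Function names are hypothetical.

# purpose_value NAME: read -purpose output on stdin and print the value for
# the purpose whose label is exactly NAME ("SSL client" does not match
# "SSL client CA"). Prints "Missing" when the label is absent.
purpose_value() {
    awk -F' : ' -v want="$1" '
        $1 == want { v = $2; sub(/[ \t\r]+$/, "", v); print v; found = 1; exit }
        END { if (!found) print "Missing" }'
}

# dual_purpose: read -purpose output on stdin; succeed only if both purposes
# are a plain "Yes". Any other value (No, a qualified Yes, a missing line)
# is treated as not usable.
dual_purpose() {
    out=$(cat)
    client=$(printf '%s\n' "$out" | purpose_value "SSL client")
    server=$(printf '%s\n' "$out" | purpose_value "SSL server")
    echo "SSL client: $client, SSL server: $server"
    [ "$client" = "Yes" ] && [ "$server" = "Yes" ]
}

# check_cert FILE: run the article's command on a certificate file.
check_cert() {
    openssl x509 -in "$1" -noout -purpose | dual_purpose
}

# Constructed sample outputs, in the layout shown in the article.
SAMPLE_BOTH='Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes'
SAMPLE_SERVER_ONLY='Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes'

# Usage: sh script.sh /path/to/certname-crt.pem
if [ -n "${1:-}" ]; then
    if check_cert "$1"; then
        echo "OK: usable for user authentication and on a protocol service"
    else
        echo "NOT usable for both purposes"
    fi
fi
```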