Easy-RSA Jabber SSL Certificate Problems

I’m currently setting up a new server and ran into something odd. When I connected to ejabberd with Pidgin, the latter would reject the SSL certificate outright. At first I thought I had messed up the hostnames, or used an outdated hash algorithm or whatever.

The errors I saw in the debug window were:

(22:17:42) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
(22:17:42) nss: ERROR -8101: SEC_ERROR_INADEQUATE_CERT_TYPE

It turns out that SSL certificates can be flagged with the purposes they may be used for, and I had simply created the certificate with the ./build-key command. Using ./build-key-server instead fixes the issue. The difference is that ./build-key-server sets nsCertType=server in the certificate.
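
To see what a certificate is flagged for before pointing a client at it, the sketch below (an added example, not from the original post) reads `openssl x509 -noout -text` output and reports whether the Netscape Cert Type or Extended Key Usage extension rules out server use. The function names and the sample dumps are constructed for illustration, and it assumes that an absent extension imposes no restriction.

```sh
#!/bin/sh
# Added example. Usage with a real file (server.crt is a placeholder name):
#   openssl x509 -in server.crt -noout -text | server_usable

# ext_value NAME: print the value line that follows extension header NAME.
ext_value() {
    awk -v name="$1" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, name ":") { found = 1 }'
}

# server_usable: return 0 if no usage extension rules out TLS server use.
# Assumption: an absent extension means "no restriction".
server_usable() {
    dump=$(cat)
    rc=0
    ns=$(printf '%s\n' "$dump" | ext_value "Netscape Cert Type")
    eku=$(printf '%s\n' "$dump" | ext_value "X509v3 Extended Key Usage")
    case "$ns" in
        ""|*"SSL Server"*) ;;
        *) echo "nsCertType lacks SSL Server: $ns"; rc=1 ;;
    esac
    case "$eku" in
        ""|*"TLS Web Server Authentication"*) ;;
        *) echo "extendedKeyUsage lacks serverAuth: $eku"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample dumps (not output captured from the post's certificates).
sample_client() {
    cat <<'EOF'
            Netscape Cert Type:
                SSL Client
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
EOF
}
sample_server() {
    cat <<'EOF'
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
EOF
}

if sample_client | server_usable; then echo "client sample: usable"; fi
if sample_server | server_usable; then echo "server sample: usable"; fi
```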

I hope this helps anybody who runs into the same issue – it certainly had me pulling out my hair for a while.