-
Title
TSA (Time Stamping Authority) Certificate Rejected By SSB -
Description
When uploading a generated TSA (Time Stamping Authority) certificate, the certificate fails to upload with the following error:
"Missing extendedKeyUsage field values" -
Cause
There are many causes of this issue including, but not limited to:
- extendedKeyUsage values were not added to the certificate.cnf prior to the certificate signing request being created.
- The TSA template was not used within Windows when signing the certificate.csr
- When signing using OpenSSL, additional information required was not present in the certificate.cnf -
Resolution
tsa_ext and extendedKeyUsage Values Not Set
The first thing to check is to ensure that the tsa_ext section of the certificate configuration file, including the extendedKeyUsage field values, are set correctly within the certificate configuration file (certificate.cnf):
[ tsa_ext ] extendedKeyUsage = critical,timeStampingSigning Using Windows
When using Windows Server to sign the certificate signing request (certificate.csr) the correct template is not used during the signing.
Please use the TSA Certificate Template when signing the certificate request, the following command can be used on the Windows Server to sign the certificate correctly:certreq -submit -attrib "CertificateTemplate:TSA" "C:\Path\To\Timestamp.csr"
Signing using OpenSSLWhen signing using OpenSSL, please ensure the following command is used to the TSA extension is added to the certificate:
openssl ca -config /path/to/certificate.cnf -in /path/to/certificate.csr -out tsa.crt -extensions tsa_ext -days 365