Browser: Connection "not secure" (ManagementCA.pem)

[schefa11]

Hi,

I successfully issued client certificates for a webserver (nginx) to a raspberry via SCEP.
I imported the ManagementCA.pem to my Firefox Browser and the Chrome Browser, but they still show a warning.

The common name of the client certificate is the IP-address of the raspberry.

Chrome: NET::ERR_CERT_COMMON_NAME_INVALID

(My certificates are only valid for 30min for testing, but I don't think that is the issue)

Firefox: SEC_ERROR_INADEQUATE_CERT_TYPE
On Firefox I cannot even access the webserver, until I delete the certificate from the browser.

Recommendations are welcome. Thanks in advance.

[primetomas]

The browser error actually tells it. The server IP (or DNSName) should go into a Subject Alternative Name, not in the Common Name. The usage of common name for the sever adress was deprecated a long time ago. In EJBCA add alternative names (IP and/or dns) in the end entity profile and issue certs with the IP in the alternative name.

[schefa11]

Thanks for the fast response.

I now get the message "NET::ERR_CERT_INVALID".

But maybe I have a misconception?!
As mentioned before I created certificates based on the TLS Client Profile. But since the certificates are meant as webserver certificates for the nginx it probably needs to be based on the TLS Server Profile?

[primetomas]

Correct, for servers there are specific extension values needed, you need to use a server profile.

[schefa11]

Thank you very much. Now it is working as intended
...again :)