Updated on 2025-05-14 GMT+08:00

The Client Log Contains "Certificate does not have key usage extension"

Applicable Client

Windows OpenVPN GUI

Symptom

A client cannot connect to a P2C VPN gateway, and the log contains the following error information:

Certificate does not have key usage extension

Possible Causes

The server certificate used by the VPN gateway does not contain the Server Authentication attribute. As a result, certificate verification fails.

Procedure

  1. Right-click the target server certificate, and choose Properties from the shortcut menu.
  2. Click the Details tab, and check whether the certificate contains the Server Authentication attribute, as shown in Figure 1.
    Figure 1 Server certificate

    If the certificate does not contain the Server Authentication attribute, re-generate a server certificate. For details, see Using Easy-RSA to Issue Certificates (Server and Client Sharing a CA Certificate).

    A server certificate generated using OpenSSL's default configuration does not contain the Server Authentication attribute, so you need to add extendedKeyUsage = serverAuth to the OpenSSL configuration file. The following is an example:

    ...
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    ...
  3. Log in to the management console.
  4. Click in the upper left corner and select the desired region and project.
  5. Click in the upper left corner, and choose Networking > Virtual Private Network.
  6. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  7. Click the P2C VPN Gateways tab. In the P2C VPN gateway list, locate the target P2C VPN gateway, and click View Server in the Operation column.
  8. On the Server tab page of the VPN gateway, click Replace.
  9. In the displayed dialog box, click Upload in the drop-down list box.

    Upload the new server certificate to CCM. For details, see Uploading a Server Certificate.

  10. Download the new client configuration file.

    The downloaded client configuration file is client_config.zip.

  11. Decompress client_config.zip to a specified directory, for example, D:\.

    After the decompression, the client_config.ovpn and client_config.conf files are generated.

  12. Add the client certificate and private key to the file.
    1. Open the client_config.ovpn file using Notepad or Notepad++.
    2. Enter the client certificate content and the corresponding private key between the <cert></cert> and <key></key> tags, respectively.
      <cert>
      -----BEGIN CERTIFICATE-----
      Client certificate content
      -----END CERTIFICATE-----
      </cert>
      
      <key>
      -----BEGIN PRIVATE KEY-----
      Client private key
      -----END PRIVATE KEY-----
      </key>
    3. Save the .ovpn configuration file.
  13. Start the OpenVPN client.
  14. Import the new client configuration file.
  15. Use the client to reconnect to the VPN gateway.
  16. Press Win+R and enter cmd to open the command window.
  17. Run ping XX.XX.XX.XX, where XX.XX.XX.XX indicates the private IP address of the ECS to be connected. Replace it with the actual private IP address.

    If information similar to the following is displayed, the client can communicate with the ECS:

    64 bytes from XX.XX.XX.XX: icmp_seq=1 ttl=63 time=1.27 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=2 ttl=63 time=1.36 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=3 ttl=63 time=1.40 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=4 ttl=63 time=1.29 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=5 ttl=63 time=1.35 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=6 ttl=63 time=1.52 ms
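The following script is an added example and is not part of the Huawei documentation or of Easy-RSA. It reproduces the failing case from step 2 (a server certificate signed with plain OpenSSL and no X509v3 extensions) next to the corrected case (a certificate signed with the keyUsage and extendedKeyUsage = serverAuth lines from the configuration fragment above), and gives a command-line equivalent of the Details tab check for the Server Authentication attribute. It assumes the openssl CLI is installed; the subject names (vpn.example.internal, "Lab VPN CA") and the working directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the Huawei documentation: issue a server certificate
# with and without the extensions the P2C VPN gateway expects, then check a
# PEM certificate for the Server Authentication attribute from the CLI.
# Assumptions: openssl is installed; subject names below are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL configuration. The [ v3_server ] section carries the two extension
# lines the documentation says a server certificate must contain.
write_openssl_cnf() {
  cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = vpn.example.internal

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Issue a lab CA plus two server certificates from the same CSR:
# server-good.crt is signed with the v3_server extensions, server-bad.crt
# without any extensions (the case that produces the client log error).
issue_certs() {
  write_openssl_cnf
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/server.cnf" -extensions v3_ca -subj "/CN=Lab VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.cnf" -extensions v3_server \
    -out "$WORK/server-good.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -out "$WORK/server-bad.crt" >/dev/null 2>&1
}

# CLI equivalent of the Details tab check in step 2: exits 0 when the PEM
# certificate in $1 lists TLS Web Server Authentication under Extended Key Usage.
has_server_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# Companion check for the keyUsage extension named in the client log message.
has_key_usage() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Key Usage'
}

# Stand-alone run: issue the certificates and report on each one.
if [ "${1:-}" = "--demo" ]; then
  issue_certs
  for f in server-good.crt server-bad.crt; do
    if has_server_auth "$WORK/$f" && has_key_usage "$WORK/$f"; then
      echo "$f: OK (keyUsage and extendedKeyUsage=serverAuth present)"
    else
      echo "$f: MISSING keyUsage or extendedKeyUsage=serverAuth"
    fi
  done
fi
```

Run it as `sh check_server_cert.sh --demo` to see the two certificates reported, or source it and call has_server_auth on the certificate you are about to upload to CCM. The script checks both extensions because an OpenVPN client configured with remote-cert-tls server verifies the server certificate's keyUsage and extendedKeyUsage together, which is why the configuration fragment in step 2 sets both lines rather than extendedKeyUsage alone.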

If the problem persists, submit a service ticket to contact Huawei technical support.