Skip to main content

Exception occurred cannot use certificate: certificate does not have required key usage

Article # 3036495 - Page views: 221


When using a previously successfuly working P12 certificate with the latest versions of the Kofax SignDoc product family an error appears when signing a signature field:

  • SignDoc SDK: SIGNDOC_DOCUMENT_RETURNCODE_INVALID_ARGUMENT Couldn't add the signature! cannot use certificate: certificate does not have required key usage
  • SignDoc Standard: GUI Error - The current signing session was modified concurrently in another browser or tab. SignDoc Web log file error as below
  • SignDoc Web: java.lang.IllegalStateException: cannot use certificate: certificate does not have required key usage
  • SignDoc Desktop: SDVSignDocPlugin::addSignature signdoc error_code(16) addSignature(Cannot use PKCS#12 certificate (No usable certificate found))



The issues is related to the usage of a certificate that includes the key usage extension but does not carry the KeyUsage extension Bit ( digitalSignature OR nonRepudiation OR both.

To check whether your certificate carries one or the other KeyUsage you can use the Java based certificate tool Portecle ( (here an example with the SignDoc Web cert_store.p12 Demo Certificate carrying the "Digital signature" Extension Value):

20031 Screen Shot 2018-08-09 at 9.56.11 AM.png

For a Certificate to be valid for Kofax SignDoc in general it has to either
omit the KeyUsage extension completely OR needs to carry the KeyUsage extension Bit ( digitalSignature OR nonRepudiation OR both.

Known issue in relation to the KeyUsage extension Bit:

The error text "cannot build certificate chain: invalid purpose" is caused by another issue related to the dissimilar usage of the ExtendedKeyUsage extension in addition to the KeyUsage extension.
According to RFC 3280 (X.509) ( both extensions (KeyUsage and ExtendedKeyUsage) must have the same usage.

This issue can be resolved by one of the below two options:

  1. Have the correct coresponding usage, i.e. "digitalSignature" or "nonRepudation" or both in the ExtendedKeyUsage extension
  2. Remove the ExtendedKeyUsage extension completely if it is not required

In addition to the above the key length of the RSA keys must be a multiple of 8 bits and between 1024 bits and 4096 bits (inclusive).
Keys for ECDSA ( must use one of these curves: prime192v1, prime256v1, secp224r1, secp384r1, secp521r1.

Create valid certificate without KeyUsage Extension

To produce a self-signed certificate without the KeyUsage extension the Java based certificate tool Portecle ( can be used (not to be used for production):

File -> New Keystore (Ctrl + N) / Type of new Keystore: PKCS #12
Tools -> Generate Key Pair... (Ctrl + G) / Key Algorithm: RSA, Key Size: 2048 / CN: Demo User, OU: ESign, O: Kofax, L:Irvine, ST: California, (rest as per default) / Alias: Demo
File -> Save Keystore (Ctrl + S) -> Enter preferred password -> Choose location and enter name: cert_store.p12

20031 Screen Shot 2018-08-09 at 10.02.46 AM.png

Create valid certificate with digitalSignature KeyUsage Extension

To produce a valid self-signed certificate with the digitalSignature KeyUsage Extension the Java Key Tool can be leveraged (not to be used for production):

From the Java bin folder (e.g. C:\Program Files\Java\jre1.8.0_131\bin) execute the below command (adapt file path, password and other parameters accordingly):

keytool -genkey -alias DEMO -keyalg RSA -ext KU=digitalSignature -storetype pkcs12 -keystore c:\users\Administrator\Desktop\cert_store.p12 -dname "CN=Demo User, OU=ESign, O=Kofax, L=Irvine, S=California, C=US" -storepass password -keypass password


Level of Complexity 


Applies to  

Product Version Build Environment Hardware

Kofax Signdoc SDK

Kofax Signdoc Web

Kofax Signdoc Desktop





  • Was this article helpful?