Exception occurred cannot use certificate: certificate does not have required key usage
Issue
When using a previously successfully working P12 certificate with the latest versions of the Kofax SignDoc product family, an error appears when signing a signature field:
- SignDoc SDK: SIGNDOC_DOCUMENT_RETURNCODE_INVALID_ARGUMENT Couldn't add the signature! cannot use certificate: certificate does not have required key usage
- SignDoc Standard: GUI Error - The current signing session was modified concurrently in another browser or tab. / SignDoc Web log file error as below
- SignDoc Web: java.lang.IllegalStateException: cannot use certificate: certificate does not have required key usage
- SignDoc Desktop: SDVSignDocPlugin::addSignature signdoc error_code(16) addSignature(Cannot use PKCS#12 certificate (No usable certificate found))
Solution
The issue is caused by a certificate that includes the KeyUsage extension but does not carry the KeyUsage extension bit (https://tools.ietf.org/html/rfc5280#section-4.2.1.3) digitalSignature or nonRepudiation (or both).
To check which KeyUsage bits your certificate carries, you can use the Java based certificate tool Portecle (http://portecle.sourceforge.net/). For example, the SignDoc Web demo certificate cert_store.p12 carries the "Digital signature" extension value.
For a certificate to be valid for Kofax SignDoc in general, it has to either omit the KeyUsage extension completely or carry the KeyUsage extension bit (https://tools.ietf.org/html/rfc5280#section-4.2.1.3) digitalSignature or nonRepudiation (or both).
Known issue in relation to the KeyUsage extension bit:
The error text "cannot build certificate chain: invalid purpose" is caused by a different issue: an ExtendedKeyUsage extension that is inconsistent with the KeyUsage extension also present in the certificate.
According to RFC 3280 (X.509) (https://www.ietf.org/rfc/rfc3280.txt), both extensions (KeyUsage and ExtendedKeyUsage) must agree on the certificate's usage.
This issue can be resolved by one of the following two options:
- Have the correct corresponding usage, i.e. "digitalSignature" or "nonRepudiation" or both, in the ExtendedKeyUsage extension
- Remove the ExtendedKeyUsage extension completely if it is not required
In addition to the above, the length of RSA keys must be a multiple of 8 bits and between 1024 and 4096 bits (inclusive).
Keys for ECDSA (https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) must use one of these curves: prime192v1, prime256v1, secp224r1, secp384r1, secp521r1.
Create valid certificate without KeyUsage Extension
To produce a self-signed certificate without the KeyUsage extension, the Java based certificate tool Portecle (http://portecle.sourceforge.net/) can be used (not to be used for production):
- File -> New Keystore (Ctrl + N) / Type of new Keystore: PKCS #12
- Tools -> Generate Key Pair... (Ctrl + G) / Key Algorithm: RSA, Key Size: 2048
- CN: Demo User, OU: ESign, O: Kofax, L: Irvine, ST: California, E=demo.user@kofax.com (rest as per default) / Alias: Demo
- File -> Save Keystore (Ctrl + S) -> Enter preferred password -> Choose location and enter name: cert_store.p12
Create valid certificate with digitalSignature KeyUsage Extension
To produce a valid self-signed certificate with the digitalSignature KeyUsage extension, the Java keytool can be used (not to be used for production):
From the Java bin folder (e.g. C:\Program Files\Java\jre1.8.0_131\bin) execute the following command (adapt file path, password and other parameters accordingly):
keytool -genkey -alias DEMO -keyalg RSA -ext KU=digitalSignature -storetype pkcs12 -keystore c:\users\Administrator\Desktop\cert_store.p12 -dname "CN=Demo User, OU=ESign, O=Kofax, L=Irvine, S=California, C=US" -storepass password -keypass password
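The KeyUsage and RSA key-length rules from the Solution section, and the certificate creation steps above, as an added example using OpenSSL instead of Portecle or keytool (this is not part of the Kofax article; it assumes OpenSSL 1.1.1 or later and only creates throwaway test certificates):

```shell
#!/bin/sh
# Added example, not part of the Kofax article: create throwaway self-signed
# certificates with OpenSSL and check them against the SignDoc rules above
# (KeyUsage absent, or carrying digitalSignature/nonRepudiation; RSA length a
# multiple of 8 within 1024..4096). Assumes OpenSSL 1.1.1+ (-addext, -ext).
WORK="$(mktemp -d)"   # test certificates only, not for production

# make_cert NAME KU_SPEC: RSA-2048 self-signed cert in $WORK/NAME.crt.
# An empty KU_SPEC omits the KeyUsage extension entirely (also accepted by SignDoc).
make_cert() {
  if [ -n "$2" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo User/O=Kofax" \
      -addext "keyUsage=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo User/O=Kofax" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# check_signdoc_ku CERT: 0 if usable; 1 for the "does not have required key usage"
# case (KeyUsage present but neither digitalSignature nor nonRepudiation set).
check_signdoc_ku() {
  ku="$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null)"
  case "$ku" in
    *"X509v3 Key Usage"*) ;;   # extension present, inspect the bits below
    *) echo "$1: no KeyUsage extension, accepted"; return 0 ;;
  esac
  case "$ku" in
    *"Digital Signature"*|*"Non Repudiation"*) echo "$1: KeyUsage ok"; return 0 ;;
    *) echo "$1: KeyUsage lacks digitalSignature/nonRepudiation"; return 1 ;;
  esac
}

# rsa_bits_ok BITS: the RSA key-length rule quoted in the article.
rsa_bits_ok() {
  [ "$1" -ge 1024 ] && [ "$1" -le 4096 ] && [ $(($1 % 8)) -eq 0 ]
}

# check_rsa_bits CERT: read the RSA public key size from the certificate, apply the rule.
check_rsa_bits() {
  bits="$(openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
  [ -n "$bits" ] && rsa_bits_ok "$bits"
}
make_cert noku ""                  # no KeyUsage at all
make_cert sig  "digitalSignature"  # same bit the keytool command above sets
make_cert enc  "keyEncipherment"   # reproduces the SignDoc rejection
for n in noku sig enc; do
  check_signdoc_ku "$WORK/$n.crt" && check_rsa_bits "$WORK/$n.crt" \
    && echo "  -> $n usable for SignDoc" || echo "  -> $n rejected"
done
```

To inspect a real PKCS#12 file instead, first export its certificate with `openssl pkcs12 -in cert_store.p12 -nokeys -clcerts -out cert.pem` and pass cert.pem to the check functions.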
Level of Complexity
Moderate
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
Kofax SignDoc SDK | 4.2.0.11 | | | |
Kofax SignDoc Web | 5.2.1 | | | |
Kofax SignDoc Desktop | 3.4.7.1.1.003 | | | |