Kofax

Exception occurred cannot use certificate: certificate does not have required key usage

Summary 

This "FastPublish" solution is based on one case only and most likely does not cover all possible solution scenarios or error descriptions. This solution is provided as is, may contain limited technical imperfections and may consequently be revised at any time. If you have the same or a similar error situation and the provided solution does not help in resolving your issue, or if you have further questions or possible additions, please contact your next level of support.  20031

Customer Situation

When using a previously successfully working P12 certificate with the latest versions of the Kofax SignDoc product family, an error appears when signing a signature field:

  • SignDoc SDK: SIGNDOC_DOCUMENT_RETURNCODE_INVALID_ARGUMENT Couldn't add the signature! cannot use certificate: certificate does not have required key usage
  • SignDoc Standard: GUI Error - The current signing session was modified concurrently in another browser or tab. / SignDoc Web log file error as below
  • SignDoc Web: java.lang.IllegalStateException: cannot use certificate: certificate does not have required key usage
  • SignDoc Desktop: SDVSignDocPlugin::addSignature signdoc error_code(16) addSignature(Cannot use PKCS#12 certificate (No usable certificate found))

Solution

The issue is caused by a certificate that includes the KeyUsage extension but does not set either of the KeyUsage extension bits (https://tools.ietf.org/html/rfc5280#section-4.2.1.3) digitalSignature or nonRepudiation (at least one of the two is required).

To check whether your certificate carries one of these KeyUsage bits you can use the Java-based certificate tool Portecle (http://portecle.sourceforge.net/). The screenshot below shows the SignDoc Web cert_store.p12 demo certificate, which carries the "Digital signature" extension value:

[Screenshot: Portecle showing the KeyUsage extension of the SignDoc Web cert_store.p12 demo certificate]

For a certificate to be valid for Kofax SignDoc in general it has to either omit the KeyUsage extension completely OR carry the KeyUsage extension bit (https://tools.ietf.org/html/rfc5280#section-4.2.1.3) digitalSignature OR nonRepudiation OR both.

Known issue in relation to the KeyUsage extension Bit:

The error text "cannot build certificate chain: invalid purpose" is caused by a different issue: the ExtendedKeyUsage extension is present in addition to the KeyUsage extension, but the two do not agree.
According to RFC 3280 (X.509) (https://www.ietf.org/rfc/rfc3280.txt) both extensions (KeyUsage and ExtendedKeyUsage) must have the same usage.

This issue can be resolved by one of the below two options:

  1. Have the correct corresponding usage, i.e. "digitalSignature" or "nonRepudiation" or both, in the ExtendedKeyUsage extension
  2. Remove the ExtendedKeyUsage extension completely if it is not required

In addition to the above the key length of the RSA keys must be a multiple of 8 bits and between 1024 bits and 4096 bits (inclusive).
Keys for ECDSA (https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) must use one of these curves: prime192v1, prime256v1, secp224r1, secp384r1, secp521r1.

Create valid certificate without KeyUsage Extension

To produce a self-signed certificate without the KeyUsage extension, the Java-based certificate tool Portecle (http://portecle.sourceforge.net/) can be used (not to be used for production):

  1. File -> New Keystore (Ctrl + N) / Type of new Keystore: PKCS #12
  2. Tools -> Generate Key Pair... (Ctrl + G) / Key Algorithm: RSA, Key Size: 2048 / CN: Demo User, OU: ESign, O: Kofax, L: Irvine, ST: California, E: demo.user@kofax.com (rest as per default) / Alias: Demo
  3. File -> Save Keystore (Ctrl + S) -> Enter preferred password -> Choose location and enter name: cert_store.p12

[Screenshot: Portecle Generate Key Pair dialog with the values listed above]

Create valid certificate with digitalSignature KeyUsage Extension

To produce a valid self-signed certificate with the digitalSignature KeyUsage extension, the Java keytool can be used (not to be used for production):

From the Java bin folder (e.g. C:\Program Files\Java\jre1.8.0_131\bin) execute the below command (adapt file path, password and other parameters accordingly):

keytool -genkey -alias DEMO -keyalg RSA -ext KU=digitalSignature -storetype pkcs12 -keystore c:\users\Administrator\Desktop\cert_store.p12 -dname "CN=Demo User, OU=ESign, O=Kofax, L=Irvine, S=California, C=US" -storepass password -keypass password

Applies to

  • Kofax SignDoc SDK 4.2.0.11
  • Kofax SignDoc Standard 1.3.1.0.0.4144
  • Kofax SignDoc Web 5.2.1-1330
  • Kofax SignDoc Desktop 3.4.7.1.1.003

Keywords: Certificate, Key Usage, P12, SDWeb, SignDoc Web, SignDoc SDK, SignDoc Desktop, SignDoc Standard