Certificates have attributes, and those attributes are really important. For example, when the attribute ExtendedKeyUsages does not contain "serverAuth", a client connecting to the server will throw a handshake exception that gives little information about what is wrong. Here is an example from a real server certificate, showing what the attribute should look like:
...
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
...
This means that you have to specify the correct certificate type (-certtype node) when creating a certificate. For example, when using neviskeybox, you can do this:
neviskeybox default certreq -slot default -label node -certtype user
neviskeybox default sign -ca NevisBoxCA -out /tmp/new_node_cert.pem -file /var/opt/neviskeybox/default/default/node_request.pem -certtype node -days 3600
neviskeybox default import -slot default -file /tmp/new_node_cert.pem
Then make sure that the openssl.cnf file contains the correct entry [ node_cert ] for the type node.
Snippet of openssl.cnf:
...
[ node_cert ]
basicConstraints=CA:FALSE
nsComment = "Nevis KeyBox Generated Certificate using OpenSSL"
keyUsage = keyEncipherment, keyAgreement, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCertType = server, client
...
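To check a newly issued certificate before deploying it, the extension dump can be tested for the required usage. The following is an added example, not part of the original page or of neviskeybox: it assumes a text dump in the format shown at the top of this page, and the sample dumps and function names are constructed for illustration.

```python
import re

EKU_OID = "2.5.29.37"  # ObjectId of ExtendedKeyUsages, as in the dump above

# Constructed sample dumps in the format shown on this page (not real certificates).
GOOD_DUMP = """\
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
"""
CLIENT_ONLY_DUMP = GOOD_DUMP.replace("  serverAuth\n", "")
NO_EKU_DUMP = GOOD_DUMP.split("#4:")[0]

HEADER = re.compile(r"^#\d+:\s*ObjectId:\s*(\S+)\s+Criticality=(true|false)")


def extended_key_usages(dump):
    """Return the usages listed in the EKU block, or None if there is no block."""
    lines = iter(dump.splitlines())
    for line in lines:
        m = HEADER.match(line.strip())
        if not (m and m.group(1) == EKU_OID):
            continue
        usages = []
        for body in lines:  # keeps consuming the same iterator
            body = body.strip()
            if body == "]":
                return usages
            if body and not body.endswith("["):
                usages.append(body)
        return usages  # dump was truncated: return what was read
    return None


def missing_usages(dump, required=("serverAuth",)):
    """Required usages the certificate does not list; None if it has no EKU block."""
    usages = extended_key_usages(dump)
    if usages is None:
        return None
    return [u for u in required if u not in usages]
```

A non-empty result from `missing_usages` means the certificate was signed with the wrong type and should be reissued with `-certtype node`; `None` means the dump carries no ExtendedKeyUsages block at all.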