Certificates have attributes, and those attribute are really important. For example, when the attribute ExtendedKeyUsages does not contain "serverAuth", then a client connecting to the server will throw a handshake exception without too much information about what is wrong. Here is an example of a real server certificate and how it should look like

#4: ObjectId: Criticality=false
ExtendedKeyUsages [

This means that you have to define the correct store type (-certtype node) when creating a certificate, e.g. when using neviskeybox, you can do this:

neviskeybox default certreq -slot default -label node -certtype user
neviskeybox default sign -ca NevisBoxCA -out /tmp/new_node_cert.pem -file /var/opt/neviskeybox/default/default/node_request.pem -certtype node -days 3600
neviskeybox default import -slot default  -file /tmp/new_node_cert.pem

and then make sure that the openssl.cnf file contains the correct entry [node_cert] for the type node:

Snippet of openssl.conf:

[ node_cert ]
nsComment = "Nevis KeyBox Generated Certificate using OpenSSL"
keyUsage = keyEncipherment, keyAgreement, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server, client