Certificates have attributes, and those attributes are really important. For example, when the ExtendedKeyUsages attribute does not contain "serverAuth", a client connecting to the server will throw a handshake exception without much information about what is wrong. Here is an example from a real server certificate showing how it should look:

...
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
...

This means that you have to define the correct certificate type (-certtype node) when creating a certificate. For example, with neviskeybox you can do this:

neviskeybox default certreq -slot default -label node -certtype user
neviskeybox default sign -ca NevisBoxCA -out /tmp/new_node_cert.pem -file /var/opt/neviskeybox/default/default/node_request.pem -certtype node -days 3600
neviskeybox default import -slot default  -file /tmp/new_node_cert.pem

Then make sure that the openssl.cnf file contains the correct entry [node_cert] for the type node. Snippet of openssl.cnf:

...
[ node_cert ]
basicConstraints=CA:FALSE
nsComment = "Nevis KeyBox Generated Certificate using OpenSSL"
keyUsage = keyEncipherment, keyAgreement, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCertType = server, client
...
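
To verify a certificate after import, the following added example (not part of the original page and not neviskeybox code) parses an extension dump in the format shown at the top of this page and reports which usages are missing for a given role. The role names, function names and sample dumps are assumptions constructed for illustration; "node" mirrors the [ node_cert ] section above.

```python
import re

# Usages each role needs; "node" mirrors the page's [ node_cert ] section.
REQUIRED = {
    "server": {"serverAuth"},
    "client": {"clientAuth"},
    "node": {"serverAuth", "clientAuth"},
}

# Matches the extension block as printed in the dump shown above (OID 2.5.29.37).
EKU_BLOCK = re.compile(
    r"ObjectId:\s*2\.5\.29\.37\b[^\n]*\n\s*ExtendedKeyUsages\s*\[(.*?)\]",
    re.DOTALL,
)


def extended_key_usages(dump):
    """Return the set of usages listed in the dump, or None when the
    ExtendedKeyUsages extension is absent (no usage restriction, RFC 5280)."""
    match = EKU_BLOCK.search(dump)
    if match is None:
        return None
    return {line.strip() for line in match.group(1).splitlines() if line.strip()}


def missing_usages(dump, role):
    """Return the sorted list of usages the certificate lacks for the role."""
    usages = extended_key_usages(dump)
    if usages is None:
        return []  # extension absent: usages are not restricted
    return sorted(REQUIRED[role] - usages)


# Constructed sample dumps (not taken from a real certificate).
GOOD = """\
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
"""
CLIENT_ONLY = """\
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
]
"""

if __name__ == "__main__":
    for name, dump in (("good", GOOD), ("client-only", CLIENT_ONLY)):
        for role in ("server", "node"):
            print(name, role, "missing:", missing_usages(dump, role) or "nothing")
```

A non-empty result for the role the certificate is deployed in points to the wrong certificate type having been used at signing time.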