We have client certificates set up and working for desktop browsers, but when using the same certificates that work on the desktop browser from an iPad, we get a "400: The SSL certificate error" in the browser, and the following in the log:

"18205#18205: *11 client SSL certificate verify error: (26:unsupported certificate purpose) while reading client request headers, client"


"openssl x509 -purpose" for the cert used to create the pkcs12 file is:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Which appears to be the correct purpose, and it does work in regular browsers. We have a CA, and intermediate CA to sign the client certs and then the client cert itself.


The command used to create the pkcs file is:

openssl pkcs12 -export -out file.pk12 -inkey file.key -in file.crt -certfile ca.comb -nodes -passout pass:mypassword

Where ca.comb is the file specified in the ssl_client_certificate directive, which contains the public certificates for the CA, and the intermediary CA.

Since this works fine on desktop browsers, I'm not sure what to check. How can I figure out what is going wrong?