The relevant usage information of the client cert is:
| | subjectPublicKeyInfo
| | | algorithm (rsaEncryption)
| | | | Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
| | | Padding: 0
| | | subjectPublicKey: ...
| | extensions: 4 items
| | | Extension (id-ce-cRLDistributionPoints)
| | | | Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
| | | | CRLDistPointsSyntax: 1 item
| | | Extension (id-ce-basicConstraints)
| | | | Extension Id: 2.5.29.19 (id-ce-basicConstraints)
| | | | BasicConstraintsSyntax [0 length]
| | | Extension (id-ce-keyUsage)
| | | | Extension Id: 2.5.29.15 (id-ce-keyUsage)
| | | | Padding: 5
| | | | KeyUsage: e0 (digitalSignature, contentCommitment, keyEncipherment)
| | | | | 1... .... = digitalSignature: True
| | | | | .1.. .... = contentCommitment: True
| | | | | ..1. .... = keyEncipherment: True
| | | | | ...0 .... = dataEncipherment: False
| | | | | .... 0... = keyAgreement: False
| | | | | .... .0.. = keyCertSign: False
| | | | | .... ..0. = cRLSign: False
| | | | | .... ...0 = encipherOnly: False
| | | | | 0... .... = decipherOnly: False
| | | Extension (id-ce-extKeyUsage)
| | | | Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
| | | | KeyPurposeIDs: 1 item
| | | | | KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
| algorithmIdentifier (shaWithRSAEncryption)
I've also tested a key from startssl. Here it seems to work to submit the key. The relevant parts are:
| | | | | | subjectPublicKeyInfo
| | | | | | | algorithm (rsaEncryption)
| | | | | | | | Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
| | | | | | | Padding: 0
| | | | | | | subjectPublicKey: ...
| | | | | | extensions: 10 items
| | | | | | | Extension (id-ce-basicConstraints)
| | | | | | | | Extension Id: 2.5.29.19 (id-ce-basicConstraints)
| | | | | | | | BasicConstraintsSyntax [0 length]
| | | | | | | Extension (id-ce-keyUsage)
| | | | | | | | Extension Id: 2.5.29.15 (id-ce-keyUsage)
| | | | | | | | Padding: 4
| | | | | | | | KeyUsage: b0 (digitalSignature, keyEncipherment, dataEncipherment)
| | | | | | | | | 1... .... = digitalSignature: True
| | | | | | | | | .0.. .... = contentCommitment: False
| | | | | | | | | ..1. .... = keyEncipherment: True
| | | | | | | | | ...1 .... = dataEncipherment: True
| | | | | | | | | .... 0... = keyAgreement: False
| | | | | | | | | .... .0.. = keyCertSign: False
| | | | | | | | | .... ..0. = cRLSign: False
| | | | | | | | | .... ...0 = encipherOnly: False
| | | | | | | | | 0... .... = decipherOnly: False
| | | | | | | Extension (id-ce-extKeyUsage)
| | | | | | | | Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
| | | | | | | | KeyPurposeIDs: 2 items
| | | | | | | | | KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
| | | | | | | | | KeyPurposeId: 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection)
| | | | | | | Extension (id-ce-subjectKeyIdentifier)
| | | | | | | | Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
| | | | | | | | SubjectKeyIdentifier: bb5a39bb699ba8db7a1732e4c31342d2eb43ec0b
| | | | | | | Extension (id-ce-authorityKeyIdentifier)
| | | | | | | | Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
| | | | | | | | AuthorityKeyIdentifier
| | | | | | | Extension (id-ce-subjectAltName)
| | | | | | | | Extension Id: 2.5.29.17 (id-ce-subjectAltName)
| | | | | | | | GeneralNames: 1 item
| | | | | | | Extension (id-ce-certificatePolicies)
| | | | | | | | Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
| | | | | | | | CertificatePoliciesSyntax: 1 item
| | | | | | | Extension (id-ce-cRLDistributionPoints)
| | | | | | | | Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
| | | | | | | | CRLDistPointsSyntax: 1 item
| | | | | | | Extension (id-pe-authorityInfoAccessSyntax)
| | | | | | | | Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
| | | | | | | | AuthorityInfoAccessSyntax: 2 items
| | | | | | | Extension (id-ce-issuerAltName)
| | | | | | | | Extension Id: 2.5.29.18 (id-ce-issuerAltName)
| | | | | | | | GeneralNames: 1 item
| | | | | algorithmIdentifier (sha256WithRSAEncryption)
| | | | | | Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
| | | | | Padding: 0
What catches my eye is that startssl disables contentCommitment and enables dataEncipherment. They also have an extra purpose: id-kp-emailProtection. But these should not be relevant for client certificates when using HTTPS.
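To compare the two certificates the way a TLS stack would, here is an added example (not code from the poster or any project) that decodes the raw KeyUsage BIT STRING as it appears in DER and applies the client-auth check from RFC 5280: digitalSignature must be set, and if an extKeyUsage extension is present it must contain id-kp-clientAuth. The two DER values and the EKU sets are constructed from the dissector output above (e0 with 5 padding bits, b0 with 4 padding bits); the differing padding is expected, because DER strips trailing zero bits from a named bit list.

```python
# Decode an X.509 KeyUsage BIT STRING (DER) and check TLS client-auth suitability.
# Sample values below are constructed from the dissector dumps in the post.

KEY_USAGE_BITS = [
    "digitalSignature", "contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection

# Constructed: tag 0x03 (BIT STRING), length 2, unused-bit count, value byte.
CERT_A_KU = bytes.fromhex("030205e0")   # first cert:  Padding 5, KeyUsage e0
CERT_B_KU = bytes.fromhex("030204b0")   # startssl:    Padding 4, KeyUsage b0
CERT_A_EKU = {OID_CLIENT_AUTH}
CERT_B_EKU = {OID_CLIENT_AUTH, OID_EMAIL_PROTECTION}


def decode_key_usage(der):
    """Parse a short-form DER BIT STRING into the set of asserted KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]            # the value the dissector labels 'Padding'
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    flags = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)   # bit 0 is the most significant bit of byte 0
        if body[byte] & (0x80 >> bit):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def suitable_for_tls_client_auth(key_usage, ekus):
    """RFC 5280 check: the client signs CertificateVerify, so digitalSignature is
    required; keyEncipherment/dataEncipherment/contentCommitment play no role.
    If an EKU extension exists (ekus is not None) it must list id-kp-clientAuth."""
    if "digitalSignature" not in key_usage:
        return False
    return ekus is None or OID_CLIENT_AUTH in ekus


if __name__ == "__main__":
    for name, ku, eku in (("cert A", CERT_A_KU, CERT_A_EKU), ("startssl", CERT_B_KU, CERT_B_EKU)):
        flags = decode_key_usage(ku)
        print(name, sorted(flags), "client-auth OK:", suitable_for_tls_client_auth(flags, eku))
```

Both certificates pass the check, which is consistent with the observation that the differing contentCommitment/dataEncipherment bits and the extra emailProtection purpose are irrelevant for HTTPS client authentication.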