Application Authorization Framework / AAF-1121

External X509v3 Certificates generated by AAF CertService are Incomplete, Cannot be used for Mutual TLS Connection between ONAP border like SDNC-ODL and XNF


    • Type: Bug
    • Resolution: Done
    • Priority: Medium
    • Guilin Release
    • Frankfurt Release

      External X.509 certificates generated by AAF CertService are incomplete and cannot be used for a mutual TLS connection between SDNC-ODL and XNF; the node is not getting connected over the TLS protocol.

      X509 extensions are incomplete: TLS Web Server Authentication is missing under X509v3 Extended Key Usage.

      Some details can be found here: https://sourceforge.net/p/ejbca/discussion/123122/thread/b354d9db7a/

      Certificate snippet:

      X509v3 extensions:
              X509v3 Extended Key Usage:
                    TLS Web Client Authentication, E-mail Protection

      Exception:

      ODL Karaf Logs attached.

      Exception while executing E2E test case, in Karaf logs:

      2020-04-13T20:55:27,172 | INFO  | nioEventLoopGroupCloseable-3-12 | AbstractNetconfSessionNegotiator | 352 - org.opendaylight.netconf.netty-util - 1.6.1 |  -  | Unexpected error during negotiation
      io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[61:io.netty.codec:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[61:io.netty.codec:4.1.34.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:677) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:612) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:529) [66:io.netty.transport:4.1.34.Final]
          at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:491) [66:io.netty.transport:4.1.34.Final]
          at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:905) [63:io.netty.common:4.1.34.Final]
          at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [63:io.netty.common:4.1.34.Final]
          at java.lang.Thread.run(Thread.java:748) [?:?]
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:?]
          at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:?]
          at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802) ~[?:?]
          at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:?]
          at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:?]
          at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1330) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1225) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1272) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[61:io.netty.codec:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[61:io.netty.codec:4.1.34.Final]
          ... 16 more
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
          at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709) ~[?:?]
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318) ~[?:?]
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:?]
          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:?]
          at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
          at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]
          at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]
          at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
          at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]
          at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1500) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1514) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1398) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1225) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1272) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[61:io.netty.codec:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[61:io.netty.codec:4.1.34.Final]
          ... 16 more
      Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication
          at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:297) ~[?:?]
          at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:144) ~[?:?]
          at sun.security.validator.Validator.validate(Validator.java:274) ~[?:?]
          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330) ~[?:?]
          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289) ~[?:?]
          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626) ~[?:?]
          at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
          at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]
          at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]
          at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
          at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]
          at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1500) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1514) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1398) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1225) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1272) ~[64:io.netty.handler:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[61:io.netty.codec:4.1.34.Final]
          at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[61:io.netty.codec:4.1.34.Final]
          ... 16 more
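
Added example (not part of the original report and not AAF or ODL code): a pre-deployment check that reads the Extended Key Usage section of `openssl x509 -text` output and reports which TLS roles the certificate permits, so a client-only certificate like the one in the snippet is caught before the handshake fails. The function names are hypothetical, the "fixed" and "no EKU" inputs are constructed, and the rule is a simplified assumption: no EKU extension means no restriction, otherwise the purpose or Any Extended Key Usage must be listed.

```python
import re

# Display names openssl prints for the EKU purposes relevant to TLS
SERVER_AUTH = "TLS Web Server Authentication"
CLIENT_AUTH = "TLS Web Client Authentication"
ANY_EKU = "Any Extended Key Usage"

# Snippet from the report (client-only certificate)
REPORTED = """\
X509v3 extensions:
        X509v3 Extended Key Usage:
              TLS Web Client Authentication, E-mail Protection
"""
# Constructed sample: a certificate usable on both sides of mutual TLS
CONSTRUCTED_FIXED = """\
X509v3 extensions:
        X509v3 Extended Key Usage: critical
              TLS Web Server Authentication, TLS Web Client Authentication
"""
# Constructed sample: certificate without any EKU extension
CONSTRUCTED_NO_EKU = """\
X509v3 extensions:
        X509v3 Key Usage: critical
              Digital Signature, Key Encipherment
"""

def parse_eku(text):
    """Return the set of EKU purposes, or None if the extension is absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*X509v3 Extended Key Usage:", line):
            values = lines[i + 1] if i + 1 < len(lines) else ""
            return {v.strip() for v in values.split(",") if v.strip()}
    return None

def tls_roles(text):
    """Map each TLS role to whether the certificate's EKU permits it."""
    eku = parse_eku(text)
    if eku is None:  # assumption: absent EKU places no restriction
        return {"server": True, "client": True}
    wildcard = ANY_EKU in eku
    return {"server": wildcard or SERVER_AUTH in eku,
            "client": wildcard or CLIENT_AUTH in eku}

def missing_roles(text):
    """Roles a mutual-TLS endpoint certificate would be rejected for."""
    return sorted(role for role, ok in tls_roles(text).items() if not ok)

if __name__ == "__main__":
    print(missing_roles(REPORTED))
```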

            baniewsk
            ajay_dp001