Error: Not a code-signing certificate

(Error code 022ae2)

Possible sources

This error originated from one of the following locations within the iPXE source code:

General advice

Try using the latest version of iPXE. Your problem may have already been fixed.
Try building iPXE with the debug option DEBUG=cms
You can contact the iPXE developers and other iPXE users.
Refresh this page after 24 hours. This page is actively monitored, and further information may be added soon.

Additional notes

(Please edit this page to include any of your own useful hints and tips for fixing this error.)

This error indicates that the certificate used to verify a binary with the imgverify command is not a code-signing certificate. A certificate used for code-signing must include the codeSigning extended key usage.

Things to try:

Check that your certificate includes the codeSigning extended key usage. For example, to check the certificate codesign.crt:

  $ openssl x509 -in codesign.crt -noout -text
  ...
     X509v3 extensions:
          X509v3 Key Usage:
              Digital Signature
          X509v3 Extended Key Usage:
              Code Signing
  ...

Generate a new code-signing certificate including the codeSigning extended key usage. If you are using OpenSSL to generate the certificate, then you need to include the following extensions:
```
  keyUsage=digitalSignature
  extendedKeyUsage=codeSigning
```

A certificate used for code-signing must also include the digitalSignature key usage.