We replaced a self-signed certificate JKS with a signed certificate in WebLogic 12.2.1.3.0.
The C# desktop applications that connect to a service hosted there now fail with "The request was aborted: Could not create SSL/TLS secure channel". That can be fixed on the client with

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

for .NET 4.5 or

    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

for .NET 4.0.
The two certificates both use SHA256withRSA and a 2048-bit RSA key.
Why did replacing the certificate require updating the client applications to use TLS 1.2? Also, is there a way to fix this on the WebLogic side so that we do not have to deploy a new version of the client to our users?
Update: The old certificate info does not include anything with KeyUsage. The new one has:

    #5: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      clientAuth
      serverAuth
    ]
    #6: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

The Root certificates also have:

    #4: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]
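
An added example, not part of the original question: it parses the keytool extension blocks quoted above and applies the RFC 5246 section 7.4.2 rule on KeyUsage to show which RSA key-exchange families each certificate permits. The function names are hypothetical and `OLD_CERT` is a constructed empty sample standing in for the old certificate, which the question says has no KeyUsage entries.

```python
import re

# Constructed sample: the new certificate's extension blocks as quoted in the question.
NEW_CERT = """\
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
"""
OLD_CERT = ""  # constructed: the old certificate lists no KeyUsage extensions

KEY_USAGE, EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
HEADER = re.compile(r"#\d+: ObjectId: (\S+) Criticality=(true|false)")

def parse_extensions(text):
    """Return {oid: (critical, [values])} from keytool -list -v extension blocks."""
    exts, oid = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            oid = m.group(1)
            exts[oid] = (m.group(2) == "true", [])
        elif oid and line and line != "]" and not line.endswith("["):
            exts[oid][1].append(line)
    return exts

def permitted_key_exchange(exts):
    """RFC 5246 7.4.2: the bits only restrict when the KeyUsage extension is present."""
    if KEY_USAGE not in exts:
        return {"RSA", "DHE_RSA/ECDHE_RSA"}
    bits = exts[KEY_USAGE][1]
    # RSA key transport needs keyEncipherment; signed ephemeral DH needs digitalSignature.
    needs = {"RSA": "Key_Encipherment", "DHE_RSA/ECDHE_RSA": "DigitalSignature"}
    return {kx for kx, bit in needs.items() if bit in bits}

def allows_server_auth(exts):
    """An absent ExtendedKeyUsage extension does not restrict the certificate's purpose."""
    return EXT_KEY_USAGE not in exts or "serverAuth" in exts[EXT_KEY_USAGE][1]

for name, text in (("old", OLD_CERT), ("new", NEW_CERT)):
    e = parse_extensions(text)
    print(name, sorted(permitted_key_exchange(e)), allows_server_auth(e))
```

For the extensions quoted, both certificates permit the same key-exchange families, so the added KeyUsage bits do not by themselves narrow the server's RSA cipher suites.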