Channel: Questions in topic: "splunk-enterprise"

Splunk Forwarder SSL unsupported certificate purpose?

Running Splunk 6.5.2 and 6.5.3. We just re-rolled our PKI using Microsoft's Certificate Services, with a Root CA, Policy CA and Issuing CA. I've been having a hard time getting our heavy forwarders to communicate with our indexer when "requireClientCert = true". I've tried several things.

Sent the OpenSSL CSRs off to the Issuing CA to get signed; they came back DER-formatted. Converted them to PEM format:

    openssl x509 -in cert.cer -inform der -out cert.pem

Concatenated the private key to the server cert:

    cat privkey-server.pem >> server.pem

Now I've tried a couple of variations here. I've tried chaining the CAs together, such as the following:

    cat policyCA.pem >> issuingCA.pem
    cat rootCA.pem >> issuingCA.pem
    mv issuingCA.pem cacert.pem

with the config:

    serverCert = /opt/splunk/etc/auth/testing/server.pem      (the cert I mentioned above)
    sslRootCAPath = /opt/splunk/etc/auth/testing/cacert.pem

I've run

    /opt/splunk/bin/splunk cmd openssl verify -CAfile cacert.pem server.pem

and verified the server cert is signed correctly. Did this on both the forwarder and the indexer, and it failed.

Next I came across some info that, as I understood it, suggested adding the Issuing CA and Policy CA into the server.pem file and keeping rootCA.pem alone as the specified sslRootCAPath. That didn't work either. I get:

    10-19-2017 10:38:15.493 -0400 ERROR X509Verify - X509 certificate (CN=ourCompanyCN) failed validation; error=26, reason="unsupported certificate purpose"
    10-19-2017 10:38:15.494 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
    10-19-2017 10:38:15.494 -0400 ERROR TcpInputProc - Error encountered for connection from src=:50477. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

The certs generated have the following:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment

and further down:

        X509v3 Extended Key Usage:
            TLS Web Server Authentication
            1.3.6.1.4.1.311.21.10: 0.0

Anyone have any ideas? I want to be able to turn on the "requireClientCert = true" setting... Please help.
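The log line above is OpenSSL's X509_V_ERR_INVALID_PURPOSE (error 26): the indexer is checking the forwarder's certificate as a TLS *client* certificate, and a certificate that carries an Extended Key Usage extension listing only serverAuth (plus a Microsoft-specific policy OID) is not acceptable for that purpose, no matter how the CA chain is assembled. The example below is added here and is not Splunk's or the poster's code: it walks the DER of an extendedKeyUsage value with a small hand-written decoder and applies OpenSSL's purpose rule. The extension bytes are constructed to match the EKU printed in the question; the second set of bytes models a certificate reissued with both serverAuth and clientAuth, which is what the forwarder needs (a Microsoft CA template must include "Client Authentication" in its application policies for that).

```python
"""
Decode an X.509 extendedKeyUsage (OID 2.5.29.37) extension value and apply
OpenSSL's purpose check. Added example, not Splunk or OpenSSL code. The
DER bytes below are constructed by hand for illustration.
"""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
OID_MS_APP_POLICIES = "1.3.6.1.4.1.311.21.10"  # Microsoft application policies

EKU_NAMES = {
    OID_SERVER_AUTH: "TLS Web Server Authentication",
    OID_CLIENT_AUTH: "TLS Web Client Authentication",
    OID_MS_APP_POLICIES: "Microsoft Application Policies",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)  # base-128, high bit set on all but the last octet
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId and return the OIDs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU sequence")
        oids.append(_decode_oid(val))
    return oids


def describe_eku(eku_oids):
    """Human-readable names, as openssl x509 -text would print them."""
    return [EKU_NAMES.get(oid, oid) for oid in eku_oids]


def allowed_for_purpose(eku_oids, purpose):
    """
    OpenSSL's rule for sslclient / sslserver: a certificate with no EKU
    extension (None here) is usable for any purpose; once an EKU is present,
    the purpose's OID must be listed. (Key usage is checked too, but the
    question's KU of digitalSignature + keyEncipherment already satisfies both.)
    """
    if eku_oids is None:
        return True
    needed = {"sslclient": OID_CLIENT_AUTH, "sslserver": OID_SERVER_AUTH}[purpose]
    return needed in eku_oids


# Constructed: SEQUENCE { serverAuth, 1.3.6.1.4.1.311.21.10 }, as in the question.
EKU_FROM_QUESTION = bytes.fromhex(
    "3016" "06082b06010505070301" "060a2b060104018237150a"
)
# Constructed: SEQUENCE { serverAuth, clientAuth }, a certificate that works both ways.
EKU_FIXED = bytes.fromhex(
    "3014" "06082b06010505070301" "06082b06010505070302"
)

if __name__ == "__main__":
    for label, der in (("question", EKU_FROM_QUESTION), ("reissued", EKU_FIXED)):
        oids = parse_eku(der)
        print(label, describe_eku(oids),
              "client ok:", allowed_for_purpose(oids, "sslclient"),
              "server ok:", allowed_for_purpose(oids, "sslserver"))
```

On a real certificate the same check is `splunk cmd openssl verify -CAfile cacert.pem -purpose sslclient server.pem`, which prints "unsupported certificate purpose" for the forwarder's current certificate even though the plain `openssl verify` (which defaults to no purpose check) passes; `splunk cmd openssl x509 -in server.pem -noout -text` shows the EKU list that has to contain TLS Web Client Authentication.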
