Discussion:
Certificate Intended Purpose
Charles B Cranston
2005-01-18 15:25:43 UTC
One could read in openssl.txt (in the doc directory of the OpenSSL
source distribution):

===

Extended Key Usage.

This extension consists of a list of usages.

These can either be object short names or the dotted numerical form of OIDs.
While any OID can be used only certain values make sense. In particular the
following PKIX, NS and MS values are meaningful:

Value Meaning
----- -------
serverAuth SSL/TLS Web Server Authentication.
clientAuth SSL/TLS Web Client Authentication.
codeSigning Code signing.
emailProtection E-mail Protection (S/MIME).
timeStamping Trusted Timestamping
msCodeInd Microsoft Individual Code Signing (authenticode)
msCodeCom Microsoft Commercial Code Signing (authenticode)
msCTLSign Microsoft Trust List Signing
msSGC Microsoft Server Gated Crypto
msEFS Microsoft Encrypted File System
nsSGC Netscape Server Gated Crypto

For example, under IE5 a CA can be used for any purpose: by including a list
of the above usages the CA can be restricted to only authorised uses.

Note: software packages may place additional interpretations on certificate
use, in particular some usages may only work for selected CAs. Don't, for
example, expect that just including msSGC or nsSGC will automatically mean
that a certificate can be used for SGC ("step up" encryption), otherwise
anyone could use it.

Examples:

extendedKeyUsage=critical,codeSigning,1.2.3.4
extendedKeyUsage=nsSGC,msSGC

===

Sorry, I don't know enough about Windows to know how these map
to the "Certificate Intended Purposes" thing.
How do you go about making a client certificate and making sure that it's
used for client authentication ONLY? You know, the thing you see as the
"Certificate Intended Purposes" part within certificate properties when
using your browser.
Which equates to: how does one set "id-kp OBJECT IDENTIFIER" to
id-kp-serverAuth or id-kp-clientAuth et al., using openssl?
Googling doesn't find much apart from the RFC (which I flicked through).
Ta.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
--
"An Internet-connected Windows machine is tantamount to
a toddler carrying a baggie of $100 bills down a city street..."

Charles B (Ben) Cranston
mailto: zben-***@public.gmane.org
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Dr. Stephen Henson
2005-01-18 17:13:47 UTC
Post by Charles B Cranston
One could read in openssl.txt (in the doc directory of the OpenSSL
OK I looked at http://www.openssl.org/ and there is a whole load of
documentation about extended key usage extensions and I think I just
need to use the -purpose option of the x509 utility. I will go play.
I've learnt more from being on this list for a few days than I have
reading up on this stuff in the last month.
Adding clientAuth in the extended key usage extension in the user certificate
should be sufficient. I say "should" because YMMV according to the application
in use.

The -purpose option is for testing using OpenSSL's internal rules; it doesn't
actually change the certificate in any way.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
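Steve's answer carried through end to end, as an added example that is not part of the thread: an extension file that restricts extendedKeyUsage to clientAuth, the signing step that applies it, and the read-only checks (x509 -purpose, verify -purpose) that show the restriction took effect. It assumes the openssl CLI is on PATH; the CA and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# v3 extensions applied at signing time. 'critical' tells relying parties
# they must honour the restriction rather than ignore an unknown extension.
cat > "$WORK/client_ext.cnf" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=critical,clientAuth
EOF

make_certs() {
  # Throwaway self-signed CA (constructed for the demo only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Client key and CSR, then sign the CSR with the CA, adding client_ext.cnf.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/client_ext.cnf" -out "$WORK/client.pem" 2>/dev/null
}

# Report one line of 'openssl x509 -purpose' as "Yes" or "No". This only
# evaluates OpenSSL's internal rules; the certificate is not modified.
purpose_flag() {
  openssl x509 -in "$WORK/client.pem" -noout -purpose \
    | grep "^$1 : " | head -n 1 | sed 's/.* : //'
}

# Chain-verify the certificate for a named purpose: prints "ok" or "rejected".
verify_for() {
  if openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" \
       "$WORK/client.pem" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

make_certs
echo "SSL client: $(purpose_flag 'SSL client')"            # Yes
echo "SSL server: $(purpose_flag 'SSL server')"            # No
echo "verify -purpose sslclient: $(verify_for sslclient)"  # ok
echo "verify -purpose sslserver: $(verify_for sslserver)"  # rejected
```

The sslserver rejection is the point of the exercise: a certificate carrying only clientAuth fails OpenSSL's server-purpose check even though it chains correctly to the CA.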