NM> On Thu, May 23, 2019 at 1:17 AM Gregory Sloop <[email protected]> wrote:
>> I am using certtool to create some certificates and keys.
>> These certs and keys will be used on Windows systems - and I've run into
>> some confusion.
>> As far as I can tell, MS [and Cisco and others] expect the OID
>> 1.3.6.1.5.5.7.3.1 to be a "server" certificate.
>> However, from the GNUTLS docs for certtool, I see this:
>> # Whether this certificate will be used for a TLS client;
>> # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
>> # extended key usage.
>> tls_www_client
>> # Whether this certificate will be used for a TLS server;
>> # This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
>> # extended key usage.
>> tls_www_server
NM> Hi,
NM> Thank you for bringing this up. It seems that the comments in the
NM> configuration file are incorrect. Checking the OIDs set by these two
NM> options, they are reversed and match what you mention above.
NM> regards,
NM> Nikos
Thanks, I was pretty sure, as I did review some certs I created with another
tool and it was as I expected - but I wanted to do it a second time, being
super careful to be sure I was right. It's great to get your confirmation! Now
I don't need to do that.
Thanks for fixing it in the comments/docs for a future version!
It looks like it's in the docs too:
https://www.gnutls.org/manual/gnutls.html
..and thanks for a great tool! [I should say that part first!!! Seriously, I
really do appreciate your work!]
-Greg