The criticality flag means "if you are too back-level to recognize this new extension then you must reject the certificate."
A TLS implementation that recognizes the extension should always honor it.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Michael Babcock
Sent: Monday, February 28, 2022 6:55 AM
To: [email protected]
Subject: Certificates, extKeyUsage and Criticality flag

To all you certificate experts out there:

We have z/OS Connect EE (ZCEE) installed and are running into an issue with our CICS SITE certificate. We are getting the following during a handshake from CICS to ZCEE:

"Extended key usage does not permit use for TLS client authentication"

The CICS certificate is a SITE cert and has the extKeyUsage extension defined with serverAuth and the criticality flag set to false. What the message is indicating is that we need to have clientAuth as well as serverAuth in the extKeyUsage field. I understand that part.

My question is: "since the criticality flag is set to false, should ZCEE honor that extension and enforce the restriction?" Or is it up to the application to honor that particular extension and enforce the restrictions even though the criticality flag is false? I understand that if the flag is true the application MUST honor/enforce the restrictions.

Can someone enlighten me?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
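Charles's point, that a recognized extKeyUsage extension is enforced whether or not it is marked critical (RFC 5280 section 4.2.1.12), shown with an added example that is not part of this thread and not IBM's or ZCEE's code: Go's standard crypto/x509 verifier stands in for the ZCEE check, the certificate is a constructed self-signed stand-in for the CICS SITE certificate, and the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"time"
)

// makeServerAuthOnlyCert: constructed stand-in for the CICS SITE cert (self-signed, extKeyUsage serverAuth only, non-critical).
func makeServerAuthOnlyCert() (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ekuIsCritical reads the criticality flag of id-ce-extKeyUsage (OID 2.5.29.37) as encoded.
func ekuIsCritical(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 37}) {
			return ext.Critical
		}
	}
	return false
}

// verifierPermits asks Go's chain verifier whether cert may be used for want; IncompatibleUsage is
// Go's analogue of the handshake error in the thread and fires even though the extension is non-critical.
func verifierPermits(cert *x509.Certificate, want x509.ExtKeyUsage) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{want}})
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.IncompatibleUsage {
		return false, nil
	}
	return err == nil, err
}
```

Against this certificate ekuIsCritical returns false, verifierPermits accepts serverAuth and rejects clientAuth, which is exactly the outcome the original poster saw.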
