Michael wrote:
> 
> >
> > In general there are very few extensions that need to be set. A bare
> > minimum would be just basicConstraints. As the documentation says
> > you should have CA:TRUE for CA certificates and CA:FALSE for end
> > user certificates. That's enough for almost all purposes: it's only
> > when you want to restrict the usage of the certificates that the
> > other extensions need to be set.
> >
> > I can include a "typical values" section in the main documentation
> > if that would help.
> >
> That would help a lot. What do you do with CA: for a server cert.
> Presumably it would be FALSE. And.... what are the various
> combinations for keyUsage for CA, server, end user
> 

Well CA:TRUE is for a CA certificate. Setting CA:FALSE means that it
cannot be used as a CA certificate, so typically user (this includes
server) certificates have CA:FALSE. Most software will tolerate CA:TRUE
in end user certificates but you don't want to give a user a certificate
which effectively gives them their own CA!

keyUsage you can leave out if you wish: this means it can be used for
anything that basicConstraints will allow.

Otherwise for a CA:

keyUsage=keyCertSign,cRLSign

For a normal end user certificate:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Netscape documents suggest that an SSL server can have:

keyUsage = keyEncipherment

but I suppose

keyUsage = digitalSignature, keyEncipherment

is more correct.

Other things can be done as well, for example:

keyUsage = nonRepudiation, digitalSignature

in an S/MIME certificate can be used for signing only and not
encryption: provided the S/MIME client is clever enough.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

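The combinations from the reply, written into an OpenSSL config and then checked against what actually lands in the issued certificates, as an added example that is not part of the original post. It assumes the openssl command-line tool (1.1.1 or 3.x); the section names and file paths are my own, and marking the CA's extensions critical is my addition.

```shell
#!/bin/sh
# Added example, not from the post. Assumes the openssl CLI (1.1.1 or 3.x);
# section names and file paths are my own choices.
set -e

# Extension sections for the roles discussed in the reply. Marking the CA's
# extensions critical is my addition; RFC 5280 requires it for CA basicConstraints.
write_ext_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_smime_sign ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
EOF
}

# Make a self-signed CA and issue one leaf from it. $1 = work dir, $2 = extension section
issue_certs() {
  write_ext_config "$1/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
    -config "$1/ext.cnf" -extensions v3_ca -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=leaf \
    -config "$1/ext.cnf" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$2" -out "$1/leaf.pem" 2>/dev/null
}

# Decoded Key Usage of a certificate, e.g. "Digital Signature, Key Encipherment"
key_usage() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

# basicConstraints flag of a certificate: "CA:TRUE" or "CA:FALSE"
ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}
```

Run `issue_certs "$(mktemp -d)" v3_server` (or v3_user / v3_smime_sign) and inspect the results with key_usage and ca_flag; the leaf verifies against ca.pem with `openssl verify -CAfile`.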

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
