Re: Setting the key usage for client certificates

Mon, 24 May 2004 23:30:03 -0700 

Marcus Carey wrote:
> 
> 
> When creating client certificates with following extensions:
> 
> basicContraints            CA:FALSE
> nsComment                  "OpenSSL Generated Certificate"
> subjectKeyIdentifier      hash
> authoritiyKeyIdentifier   keyid,issuer:always
> keyUsage                    
> nonrepudiation,digitalsignature,keyEncipherment
> 
> Microsoft certificate viewer list the following certiticate usage
> information:  Is this correct for the extensions listed above?
> 
> Ensures the identity of a remote computer
> Proves your identity to a remote computer
> Ensures software came from software publisher
> Protects software from alteration after publication
> Protects e-mail messages
> Allows data to be signed with the current time
> Allows you to digitally sign a certificate trust list
> Allows secure communication on the Internet
> Allows data on disk to be encrypted
> Windows Hardware Driver Verification
> Windows System Component Verification
> OEM Windows System Component Verification
> Embedded Windows System Component Verification
> Key Pack Licenses
> License Server Verification
> Smart Card Logon
> Digital Rights
> Qualified Subordination
> Key Recovery
> Document Signing
> File Recovery
> Root List Signer
> All application policies
> Directory Service Email Replication
> Certificate Request Agent
> Key Recovery Agent
> Private Key Archival
> Lifetime Signing
> File Recovery

This is not really dependant of the certificate, it seems
to be a very broad interpretation of what the OS allows
you to do with such a certificate. So I would guess, it
is more a Windows issue than an OpenSSL or X509 issue...

> How do I create a client certificate which has only the folowing two
> usage values?
> 
> Proves your identity to a remote computer
> Protects e-mail messages
As said above, most of the above is just an interpretation
of your OS, so these values will depend on the security
settings of your box and not on the certificate itself...
Unfortunately I am not a windows guru so I can not
enlighten you any further. ;-)

Olaf


-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Consultant,                              Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to