One could read in openssl.txt (in the doc directory of the OpenSSL source distribution):
===
Extended Key Usage.
This extension consists of a list of usages.
These can either be object short names or the dotted numerical form of OIDs. While any OID can be used, only certain values make sense. In particular the following PKIX, NS and MS values are meaningful:
Value            Meaning
-----            -------
serverAuth       SSL/TLS Web Server Authentication.
clientAuth       SSL/TLS Web Client Authentication.
codeSigning      Code signing.
emailProtection  E-mail Protection (S/MIME).
timeStamping     Trusted Timestamping
msCodeInd        Microsoft Individual Code Signing (authenticode)
msCodeCom        Microsoft Commercial Code Signing (authenticode)
msCTLSign        Microsoft Trust List Signing
msSGC            Microsoft Server Gated Crypto
msEFS            Microsoft Encrypted File System
nsSGC            Netscape Server Gated Crypto
For example, under IE5 a CA can be used for any purpose: by including a list of the above usages the CA can be restricted to only authorised uses.
Note: software packages may place additional interpretations on certificate
use, in particular some usages may only work for selected CAs. Don't for example
expect just including msSGC or nsSGC will automatically mean that a certificate
can be used for SGC ("step up" encryption) otherwise anyone could use it.
Examples:
extendedKeyUsage=critical,codeSigning,1.2.3.4
extendedKeyUsage=nsSGC,msSGC
===
Sorry, I don't know enough about Windows to know how these map to the "Certificate Intended Purposes" thing.
Shaun Lipscombe wrote:
* Shaun Lipscombe wrote:
How do you go about making a client certificate and making sure that it's used for client authentication ONLY. You know the thing you see as "Certificate Intended Purposes" part within certificate properties when using your browser.
Which equates to: how does one set "id-kp OBJECT IDENTIFIER" to id-kp-serverAuth or id-kp-clientAuth et al., using openssl?
Googling doesn't find much apart from the RFC (which I flicked through).
Ta.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
-- "An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street..."
Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
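The extendedKeyUsage setting quoted above, applied to the client-authentication-only case asked about in the thread. This is an added example, not part of the original messages or of openssl.txt; the file name eku.cnf, the section names ca_ext and client_ext, and the subject names are constructed for the demo, and the CA is a throwaway test CA.

```shell
#!/bin/sh
# Added example: issue a certificate whose only extended key usage is
# clientAuth, then check which purposes OpenSSL accepts it for.
# eku.cnf, ca_ext, client_ext and both CNs are constructed for this demo.

make_client_cert() {   # $1 = empty working directory
  cat > "$1/eku.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = critical,clientAuth
EOF
  # Throwaway self-signed test CA, valid for one day.
  openssl req -x509 -config "$1/eku.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=Constructed Test CA" -days 1 || return 1
  # Client key and certificate request.
  openssl req -new -config "$1/eku.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/client.key" -out "$1/client.csr" \
    -subj "/CN=constructed-client" || return 1
  # Sign the request; the client_ext section supplies extendedKeyUsage.
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/eku.cnf" -extensions client_ext -days 1 \
    -out "$1/client.crt" || return 1
}

show_eku() {           # print the extension as encoded in the certificate
  openssl x509 -in "$1/client.crt" -noout -text | grep -A1 'Extended Key Usage'
}

eku_allows() {         # $1 = directory, $2 = purpose (sslclient, sslserver, ...)
  openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/client.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && make_client_cert "$dir" && show_eku "$dir"
for p in sslclient sslserver; do
  if eku_allows "$dir" "$p"; then echo "$p: accepted"; else echo "$p: rejected"; fi
done
rm -rf "$dir"
```

The accept/reject result is OpenSSL's own purpose check; as the quoted note says, other software may place additional interpretations on the same certificate.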