[Cosign-discuss] x509 Key Usage

2015-05-13 Thread John Miller
Hi there folks,

Does cosignd check the x509v3 Key Usage or Extended Key Usage extensions in
client certificates?  Our CA certificate expires in a year, and I'd prefer
not to have to replace all 200-odd client certificates that we're running.
If we can just use our frontend certs (signed by InCommon), that'd be a
much cleaner solution.

Our web certificates have the following extensions:

X509v3 extensions:
    X509v3 Authority Key Identifier:
        keyid:39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69
    X509v3 Subject Key Identifier:
        8B:6D:E7:CA:C9:31:A3:C4:F3:92:51:9E:DD:DD:72:10:E8:C8:61:46
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto


Any help you can provide would be much appreciated!

John
-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
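
An added example, not part of the thread and not cosign code: it parses an `openssl x509 -text` extension dump like the one posted above and reports whether the certificate's Key Usage and Extended Key Usage permit use as a TLS client certificate. It assumes the usual rule that an EKU extension, when present, must list TLS Web Client Authentication and that a Key Usage extension, when present, must include Digital Signature; it says nothing about what cosignd itself enforces. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the usage-related extensions from the post, with the
# mail-wrapped EKU line left as it arrived.
SAMPLE = """\
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client
Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
"""

HEADER = re.compile(r"^\s*X509v3 (?P<name>[^:]+):\s*(?P<crit>critical)?\s*$")

def parse_extensions(text):
    """Map extension name -> (critical, [values]), re-joining wrapped value lines."""
    raw, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m and m.group("name") != "extensions":
            current = m.group("name")
            raw[current] = [bool(m.group("crit")), ""]
        elif current and line.strip():
            raw[current][1] += " " + line.strip()
    return {name: (crit, [v.strip() for v in body.split(",") if v.strip()])
            for name, (crit, body) in raw.items()}

def client_auth_verdict(text):
    """Return (ok, reasons) for using this certificate as a TLS client certificate."""
    exts, reasons = parse_extensions(text), []
    if "Extended Key Usage" in exts:
        if "TLS Web Client Authentication" not in exts["Extended Key Usage"][1]:
            reasons.append("EKU present but lacks TLS Web Client Authentication")
    if "Key Usage" in exts:
        if "Digital Signature" not in exts["Key Usage"][1]:
            reasons.append("Key Usage present but lacks Digital Signature")
    if "CA:TRUE" in exts.get("Basic Constraints", (False, []))[1]:
        reasons.append("CA certificate, not an end-entity certificate")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(client_auth_verdict(SAMPLE))
```

A certificate with no EKU extension at all passes this check, since an absent extension places no restriction on purpose.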


Re: [Cosign-discuss] x509 Key Usage

2015-05-13 Thread John Miller
Thanks, Liam.  I think that'd be a better long-term solution for us than
trying to keep running our own CA.  I can probably knock out the basics in
an afternoon.

John

On Wed, May 13, 2015 at 12:13 PM, Liam Hoekenga li...@umich.edu wrote:

 For the most part, we use our front-end certs for the cosign backchannel.
 You'll need to make sure you add the InCommon CA certs to the CA directory
 used by your cosignd.

 Liam

 On Wed, May 13, 2015 at 11:31 AM, John Miller johnm...@brandeis.edu
 wrote:

 Hi there folks,

 Does cosignd check the x509v3 Key Usage or Extended Key Usage extensions
 in client certificates?  Our CA certificate expires in a year, and I'd
 prefer not to have to replace all 200-odd client certificates that we're
 running.  If we can just use our frontend certs (signed by InCommon),
 that'd be a much cleaner solution.

 Our web certificates have the following extensions:

 X509v3 extensions:
     X509v3 Authority Key Identifier:
         keyid:39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69
     X509v3 Subject Key Identifier:
         8B:6D:E7:CA:C9:31:A3:C4:F3:92:51:9E:DD:DD:72:10:E8:C8:61:46
     X509v3 Key Usage: critical
         Digital Signature, Key Encipherment
     X509v3 Basic Constraints: critical
         CA:FALSE
     X509v3 Extended Key Usage:
         TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto


 Any help you can provide would be much appreciated!

 John
 --
 John Miller
 Systems Engineer
 Brandeis University
 johnm...@brandeis.edu



-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619