Key Encipherment (e0) & (a0)

Andrea Cogliati

May 3, 2005, 4:05:56 AM
Guys,

I've successfully generated a Domain Controller certificate for Smart
Card logon in Windows with 0.9.8-dev. Now, I've found a little
discrepancy and I cannot find any clear (to me!) documentation about
it.

If I use Windows Certificate viewer, the certificate generated with
OpenSSL has Key Encipherment (e0) as a Key Usage, while a certificate
generated through MS Certificate Server has Key Encipherment (a0).
What's the difference between them? If necessary, how can I insert a
Key Encipherment (a0) with OpenSSL?

TIA,

Andrea

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

May 3, 2005, 7:13:27 AM
On Tue, May 03, 2005, Andrea Cogliati wrote:

> Guys,
>
> I've successfully generated a Domain Controller certificate for Smart
> Card logon in Windows with 0.9.8-dev. Now, I've found a little
> discrepancy and I cannot find any clear (to me!) documentation about
> it.
>
> If I use Windows Certificate viewer, the certificate generated with
> OpenSSL has Key Encipherment (e0) as a Key Usage, while a certificate
> generated through MS Certificate Server has Key Encipherment (a0).
> What's the difference between them? If necessary, how can I insert a
> Key Encipherment (a0) with OpenSSL?
>

What do you get in the keyUsage extension when you do:

openssl x509 -in cert.pem -noout -text

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Andrea Cogliati

May 3, 2005, 7:53:57 AM

On May 3, 2005, at 1:12 PM, Dr. Stephen Henson wrote:

>> If I use Windows Certificate viewer, the certificate generated with
>> OpenSSL has Key Encipherment (e0) as a Key Usage, while a certificate
>> generated through MS Certificate Server has Key Encipherment (a0).
>

> What do you get in the keyUsage extension when you do:
>
> openssl x509 -in cert.pem -noout -text
>

openssl shows "Key Encipherment" for both certificates. Is the e0/a0
issue a MS undocumented "feature"?

The first one is the openssl certificate, the second one is the MS
Certificate Server one:

Certificate:
[...]
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        1.3.6.1.4.1.311.20.2:
            . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
        X509v3 Subject Alternative Name:
            othername:<unsupported>, DNS:pig-dc.guinea.corp
[...]

Certificate:
[...]
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, TLS Web Server Authentication
        1.3.6.1.4.1.311.20.2:
            . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
[...]

Andrea

Dr. Stephen Henson

May 3, 2005, 8:12:39 AM
On Tue, May 03, 2005, Andrea Cogliati wrote:

>
> On May 3, 2005, at 1:12 PM, Dr. Stephen Henson wrote:
>
> >>If I use Windows Certificate viewer, the certificate generated with
> >>OpenSSL has Key Encipherment (e0) as a Key Usage, while a certificate
> >>generated through MS Certificate Server has Key Encipherment (a0).
> >
> >What do you get in the keyUsage extension when you do:
> >
> >openssl x509 -in cert.pem -noout -text
> >
> openssl shows "Key Encipherment" for both certificates. Is the e0/a0
> issue a MS undocumented "feature"?
>
> The first one is the openssl certificate, the second one is the MS
> Certificate Server one:
>

> X509v3 Key Usage:
> Digital Signature, Non Repudiation, Key Encipherment

> X509v3 Key Usage:
> Digital Signature, Key Encipherment
>

The a0/e0 is a hex representation of the bits above. If you remove the non
repudiation usage from openssl.cnf the two should then be identical.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
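The bit mapping behind the answer above, as an added example that is not part of the original thread: it decodes the keyUsage BIT STRING octet shown by the Windows viewer into the RFC 5280 usage names (the same names openssl.cnf accepts for keyUsage) and encodes a set of names back to DER. The function names are chosen here for illustration.

```python
# Added example: X.509 keyUsage is a DER BIT STRING; bit 0 is the most
# significant bit of the first content octet (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(content):
    """Usage names set in the BIT STRING content octets (unused-bits octet excluded)."""
    names = []
    for bit, name in enumerate(KEY_USAGE_BITS):
        byte_index, shift = divmod(bit, 8)
        if byte_index < len(content) and content[byte_index] & (0x80 >> shift):
            names.append(name)
    return names

def encode_key_usage(names):
    """DER encoding: tag 0x03, length, unused-bits octet, content octets."""
    bits = sorted(KEY_USAGE_BITS.index(n) for n in names)  # ValueError on unknown name
    if not bits:
        return bytes([0x03, 0x01, 0x00])
    content = bytearray(bits[-1] // 8 + 1)
    for bit in bits:
        content[bit // 8] |= 0x80 >> (bit % 8)
    unused = 7 - (bits[-1] % 8)  # DER: trailing zero bits are not counted as content
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)

def diff_key_usage(a, b):
    """Usages present in exactly one of two content values."""
    changed = set(decode_key_usage(a)) ^ set(decode_key_usage(b))
    return sorted(changed, key=KEY_USAGE_BITS.index)

if __name__ == "__main__":
    for label, value in (("OpenSSL cert (e0)", b"\xe0"), ("MS CA cert (a0)", b"\xa0")):
        print(label, format(value[0], "08b"), decode_key_usage(value))
    print("differs by:", diff_key_usage(b"\xe0", b"\xa0"))
    print("DER for a0:", encode_key_usage(["digitalSignature", "keyEncipherment"]).hex())
```

e0 is 11100000 and a0 is 10100000, so the only difference is bit 1, nonRepudiation; a config line of `keyUsage = digitalSignature, keyEncipherment` yields the a0 value.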

Andrea Cogliati

May 3, 2005, 9:01:03 AM

On May 3, 2005, at 2:12 PM, Dr. Stephen Henson wrote:

> The a0/e0 is a hex representation of the bits above. If you remove the
> non repudiation usage from openssl.cnf the two should then be identical.
>

Steve, you're right! It worked.

Thanks,

Andrea

noko...@gmail.com

Aug 3, 2018, 12:22:55 AM
Hi Dr. Stephen,

I am having a hard time trying to access OWA over the web. I am confused after importing the certificate but still in Exchange Certificate it's saying "this CA Root is not trusted. To enable trust, install this certificate in the trusted root certification Authorities store"

If you can kindly give me some directions to get rid of this message.


Thank you.