
Setting the key usage for client certificates


Marcus Carey

May 24, 2004, 1:38:03 PM

When creating client certificates with the following extensions:

basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

the Microsoft certificate viewer lists the following certificate usage
information. Is this correct for the extensions listed above?

Ensures the identity of a remote computer
Proves your identity to a remote computer
Ensures software came from software publisher
Protects software from alteration after publication
Protects e-mail messages
Allows data to be signed with the current time
Allows you to digitally sign a certificate trust list
Allows secure communication on the Internet
Allows data on disk to be encrypted
Windows Hardware Driver Verification
Windows System Component Verification
OEM Windows System Component Verification
Embedded Windows System Component Verification
Key Pack Licenses
License Server Verification
Smart Card Logon
Digital Rights
Qualified Subordination
Key Recovery
Document Signing
File Recovery
Root List Signer
All application policies
Directory Service Email Replication
Certificate Request Agent
Key Recovery Agent
Private Key Archival
Lifetime Signing
File Recovery


How do I create a client certificate which has only the following two
usage values?

Proves your identity to a remote computer
Protects e-mail messages


Thank You!

Marcus Carey

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
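The list above is what the Windows viewer shows for a certificate that carries no extendedKeyUsage extension at all: keyUsage (digitalSignature, keyEncipherment, ...) and extendedKeyUsage are different extensions, and when the latter is absent the certificate is treated as valid for every application policy. Restricting it to the two purposes asked for means adding an extendedKeyUsage extension listing only clientAuth (1.3.6.1.5.5.7.3.2) and emailProtection (1.3.6.1.5.5.7.3.4). The following is an added example, not code from the thread or from the OpenSSL project; it encodes that extension in DER the way OpenSSL's `extendedKeyUsage = clientAuth, emailProtection` configuration line would, decodes it back, and maps the OIDs onto the strings the Windows viewer prints. The helper names (`encode_eku`, `decode_eku`, `windows_usage_labels`, `eku_oids_for`) and the `<all purposes ...>` placeholder returned for a missing extension are this example's own.

```python
# Added example (not from the thread): DER encoding/decoding of the X.509
# extendedKeyUsage extension and the Windows viewer strings behind its OIDs.
from typing import Iterable, List, Optional

# OpenSSL x509v3 config names -> EKU purpose OIDs (RFC 5280 / Microsoft).
OPENSSL_EKU_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping": "1.3.6.1.5.5.7.3.8",
}

# EKU OIDs -> the friendly strings the Windows certificate viewer displays.
WINDOWS_EKU_LABELS = {
    "1.3.6.1.5.5.7.3.1": "Ensures the identity of a remote computer",
    "1.3.6.1.5.5.7.3.2": "Proves your identity to a remote computer",
    "1.3.6.1.5.5.7.3.3": "Ensures software came from software publisher",
    "1.3.6.1.5.5.7.3.4": "Protects e-mail messages",
    "1.3.6.1.5.5.7.3.8": "Allows data to be signed with the current time",
    "1.3.6.1.4.1.311.10.3.4": "Allows data on disk to be encrypted",  # Microsoft EFS
}


def eku_oids_for(openssl_names: Iterable[str]) -> List[str]:
    """Translate OpenSSL config names (clientAuth, emailProtection, ...) to OIDs."""
    return [OPENSSL_EKU_OIDS[name] for name in openssl_names]


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last group has the continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_eku(oids: Iterable[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_length(buf: bytes, pos: int):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _decode_oid_body(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # continuation bit clear: arc complete
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> List[str]:
    """Parse an extendedKeyUsage extension value back into dotted OIDs."""
    if der[0] != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    oids: List[str] = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        olen, pos = _read_length(der, pos + 1)
        oids.append(_decode_oid_body(der[pos:pos + olen]))
        pos += olen
    return oids


def windows_usage_labels(eku_der: Optional[bytes]) -> List[str]:
    """Strings the Windows viewer shows for the certificate's purposes.
    None models a certificate with no extendedKeyUsage extension, which Windows
    treats as valid for every application policy (the long list in the question);
    the placeholder string returned for that case is constructed for this example."""
    if eku_der is None:
        return ["<all purposes: no extendedKeyUsage extension present>"]
    return [WINDOWS_EKU_LABELS.get(oid, oid) for oid in decode_eku(eku_der)]


if __name__ == "__main__":
    ext = encode_eku(eku_oids_for(["clientAuth", "emailProtection"]))
    print(ext.hex())                         # what OpenSSL writes into the extension
    print(windows_usage_labels(ext))         # the two purposes asked for
    print(windows_usage_labels(None))        # the "everything" case from the question
```

The hex printed for the two-purpose extension is the exact value OpenSSL emits for `extendedKeyUsage = clientAuth, emailProtection` in the certificate's x509v3 extension section; inspecting it with `openssl x509 -noout -text` shows it under "X509v3 Extended Key Usage". Marking the extension critical is a separate decision and is left out here.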

Olaf Gellert

May 25, 2004, 2:29:42 AM

This is not really dependent on the certificate, it seems
to be a very broad interpretation of what the OS allows
you to do with such a certificate. So I would guess it
is more a Windows issue than an OpenSSL or X509 issue...

> How do I create a client certificate which has only the following two
> usage values?
>
> Proves your identity to a remote computer
> Protects e-mail messages

As said above, most of the above is just an interpretation
of your OS, so these values will depend on the security
settings of your box and not on the certificate itself...
Unfortunately I am not a windows guru so I can not
enlighten you any further. ;-)

Olaf


--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Consultant, Consulting GmbH
Phone: (+49) 0700 / PRESECURE o...@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

Igal Ore

May 25, 2004, 7:48:57 AM

Olaf Gellert wrote:

I'm also not a Windows guru but had some experience with the m$ crypto API:

The extensions that you need are formed when the user imports the certificate into
the MS cert store; they can be added later, but the default set allows that
certificate all Microsoft-defined and used extensions only. Those
extensions can be modified either through crypto API certificate functions
or via the provided certificate GUI (Advanced button).

Somehow, via the crypto API, you can enforce which extensions will be
available for the user to change.

The best place to ask and search is the m$ security forums.

