On Tue, Nov 03, 2015 at 04:41:30PM +0000, Jeremy Harris wrote:
> On 03/11/15 16:34, Daryl Richards wrote:
> > Their certificate should still work for SSL/TLS on the
> > server, as there's no real difference between that and a web server
> > SSL/TLS cert...
>
> apart from the Certificate Usage field...
I think you mean X.509 "keyUsage" and "extendedKeyUsage". The
latter distinguishes between email signing, TLS server auth, and
TLS client auth.

https://www.openssl.org/docs/manmaster/apps/x509v3_config.html

    Key Usage.

    Key usage is a multi valued extension consisting of a list of
    names of the permitted key usages.

    The supported names are: digitalSignature, nonRepudiation,
    keyEncipherment, dataEncipherment, keyAgreement, keyCertSign,
    cRLSign, encipherOnly and decipherOnly.

    Extended Key Usage.

    This extensions consists of a list of usages indicating
    purposes for which the certificate public key can be used
    for,

    These can either be object short names of the dotted
    numerical form of OIDs. While any OID can be used only
    certain values make sense. In particular the following
    PKIX, NS and MS values are meaningful:

     Value              Meaning
     -----              -------
     serverAuth         SSL/TLS Web Server Authentication.
     clientAuth         SSL/TLS Web Client Authentication.
     codeSigning        Code signing.
     emailProtection    E-mail Protection (S/MIME).
     timeStamping       Trusted Timestamping
     msCodeInd          Microsoft Individual Code Signing (authenticode)
     msCodeCom          Microsoft Commercial Code Signing (authenticode)
     msCTLSign          Microsoft Trust List Signing
     msEFS              Microsoft Encrypted File System

--
Viktor.
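
Added example, not part of the original message: a stdlib-only Python sketch that decodes the DER value of an extendedKeyUsage extension into the short names from the table above and checks whether a purpose such as serverAuth is permitted. The sample byte strings are constructed, the function names are hypothetical, and treating an absent extension as unrestricted follows RFC 5280.

```python
# PKIX purpose OIDs and the OpenSSL short names listed in the quoted table.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OID content octets into the dotted numerical form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)       # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def eku_purposes(ext_value):
    """Decode SEQUENCE OF OBJECT IDENTIFIER; unknown OIDs stay dotted."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = decode_oid(body)
        names.append(EKU_NAMES.get(oid, oid))
    return names

def permits(ext_value, purpose):
    """ext_value=None means the certificate has no EKU extension (unrestricted)."""
    return ext_value is None or purpose in eku_purposes(ext_value)

# Constructed samples: an S/MIME-only EKU and a TLS server+client EKU.
SMIME_EKU = bytes.fromhex("300a06082b06010505070304")
TLS_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")
```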