Appendix A. Certificate and CRL Extensions
If this extension is included at all, set the bits as follows:
• digitalSignature (0) for SSL client certificates, S/MIME signing certificates, and object-signing certificates.
• nonRepudiation (1) for some S/MIME signing certificates and object-signing certificates.
WARNING
Use of this bit is controversial. Carefully consider the legal consequences of its use before setting it for any certificate.
• keyEncipherment (2) for SSL server certificates and S/MIME encryption certificates.
• dataEncipherment (3) when the subject's public key is used to encrypt user data instead of key material.
• keyAgreement (4) when the subject's public key is used for key agreement.
• keyCertSign (5) for all CA signing certificates.
• cRLSign (6) for CA signing certificates that are used to sign CRLs.
• encipherOnly (7) if the public key is used only for enciphering data. If this bit is set, keyAgreement should also be set.
• decipherOnly (8) if the public key is used only for deciphering data. If this bit is set, keyAgreement should also be set.
Table A.3, "Certificate Uses and Corresponding Key Usage Bits", summarizes the guidelines for typical certificate uses.
Table A.3. Certificate Uses and Corresponding Key Usage Bits (Purpose of Certificate: CA Signing, SSL Client, SSL Server, S/MIME Signing, S/MIME Encryption, Certificate Signing; the key usage bit columns are omitted)
If the keyUsage extension is present and marked critical, then it is used to enforce the usage of the certificate and key. The extension is used to limit the usage of a key; if the extension is not present or is present but not critical, all types of usage are allowed.
If the keyUsage extension is present, critical or not, it is used to select from multiple certificates for a given operation. For example, it is used to distinguish separate signing and encryption certificates for users who have separate certificates and key pairs for different operations.