Keyusageext Plug-In Module - Netscape MANAGEMENT SYSTEM 4.5 - PLUG-IN Manual


KeyUsageExt Plug-in Module

The KeyUsageExt plug-in module implements the key usage extension policy. This
policy enables you to configure Certificate Management System to add the Key
Usage Extension defined in X.509 and PKIX standard RFC 2459 (see
http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension specifies
the purposes for which the key contained in a certificate should be used—for
example, it specifies whether the key should be used for data signing, key
encipherment, or data encipherment—and thus enables you to restrict the usage of
a key pair to predetermined purposes.

The key usage extension is a string of boolean bit-flags, each bit identifying the
purpose for which a key is to be used. Table 4-13 lists the bits and their designated
purposes.

Table 4-13 Key usage extension bits and designated purposes

Bit    Purpose
0      digitalSignature
1      nonRepudiation
2      keyEncipherment
3      dataEncipherment
4      keyAgreement
5      keyCertSign
6      cRLSign
7      encipherOnly
8      decipherOnly

You can restrict the purposes for which a key pair (and thus the corresponding
certificate) should be used by setting the appropriate key-usage bits. For example,
if you want to restrict a key pair to be used for digital signature only, when issuing
the certificate you would add the key usage extension to the certificate with
digital_signature bit (or bit 0) set. For general guidelines on setting the key
usage extension in certificates, see "keyUsage" on page 349.
Chapter 4
Certificate Extension Plug-in Modules