Netscape MANAGEMENT SYSTEM 4.5 - PLUG-IN Manual page 350

Standard X.509 v3 Certificate Extensions
Discussion
The Key Usage extension defines the purpose of the key contained in the certificate.
The Key Usage, Extended Key Usage, Basic Constraints, and Netscape Certificate
Type extensions act together to specify the purposes for which a certificate can be
used. For more information on interactions between these extensions in CA
certificates, see "CA Certificates and Extension Interactions" on page 368.
If this extension is included at all, set the bits as follows:
•
digitalSignature
and object-signing certificates.
•
nonRepudiation
certificates. Note, however, that the use of this bit is controversial. You should
carefully consider the legal consequences of its use before setting it for any
certificate.
•
keyEncipherment
certificates.
•
dataEncipherment
data (as opposed to key material).
•
keyAgreement
•
keyCertSign
•
cRLSign
•
encipherOnly
this bit is set,
•
decipherOnly
this bit is set,
Table C-4 summarizes the above guidelines for typical certificate uses.
Table C-4
Purpose of certificate
CA Signing
SSL Client
SSL Server
S/MIME Signing
350 Netscape Certificate Management System Plug-ins Guide • October 2001
( ) for SSL client certificates, S/MIME signing certificates,
0
( ) for some S/MIME signing certificates and object-signing
1
( ) for SSL server certificates and S/MIME encryption
2
( ) when the subjects's public key is used to encipher user
3
( ) whenever the subject's public key is used for key agreement.
4
( ) for all CA signing certificates
5
( ) for CA signing certificates that are used to sign CRLs
6
( ) if the public key is to be used only for enciphering data. If
7
should also be set.
keyAgreement
( ) if the public key is to be used only for deciphering data. If
8
should also be set.
keyAgreement
Certificate uses and corresponding Key Usage bits
Required Key Usage bit
keyCertSign
cRLSign
digitalSignature
keyEncipherment
digitalSignature