Table of Contents
Advertisement
Standard X.509 v3 Certificate Extensions
Microsoft Recommendation
Microsoft products do not examine this extension. Microsoft recommends that, for
the purposes of building certificate chains, authorityKeyIdentifier be used rather
than issuerAltName or the certificate's issuer name.
keyUsage
OID
2.5.29.15
Reference
http://www.ietf.org/rfc/rfc2459.txt
Criticality
This extension may be critical or noncritical. PKIX Part 1 recommends that it
should be marked critical if it is used.
Discussion
The Key Usage extension defines the purpose of the key contained in the certificate.
The Key Usage, Extended Key Usage, Basic Constraints, and Netscape Certificate
Type extensions act together to specify the purposes for which a certificate can be
used. For more information on interactions between these extensions in CA
certificates, see "CA Certificates and Extension Interactions" on page 368.
If this extension is included at all, set the bits as follows:
•
digitalSignature
and object-signing certificates.
•
nonRepudiation
certificates. Note, however, that the use of this bit is controversial. You should
carefully consider the legal consequences of its use before setting it for any
certificate.
•
keyEncipherment
certificates.
•
dataEncipherment
data (as opposed to key material).
•
keyAgreement
•
keyCertSign
•
cRLSign
348
Netscape Certificate Management System Plug-Ins Guide • March 2002
(
) for SSL client certificates, S/MIME signing certificates,
0
(
) for some S/MIME signing certificates and object-signing
1
(
) for SSL server certificates and S/MIME encryption
2
(
) when the subjects's public key is used to encipher user
3
(
) whenever the subject's public key is used for key agreement.
4
(
) for all CA signing certificates
5
(
) for CA signing certificates that are used to sign CRLs
6
4.2.1.3
Advertisement
Table of Contents
