KeyUsageExt - Netscape Management System 6.1 - Administrator's Manual

KeyUsageExt

The KeyUsageExt plug-in module enables you to add the Key Usage Extension to
certificates. The extension specifies the purposes for which the key contained in a
certificate should be used—for example, it specifies whether the key should be
used for data signing, key encipherment, or data encipherment—and thus enables
you to restrict the usage of a key pair to predetermined purposes.
For general information about this extension, see "keyUsage" on page 728.
The key usage extension is a string of boolean bit-flags, each bit identifying the
purpose for which a key is to be used. Table 11-26 lists the bits and their designated
purposes.
Table 11-26 Key usage extension bits and designated purposes

Bit    Purpose
0      digitalSignature
1      nonRepudiation
2      keyEncipherment
3      dataEncipherment
4      keyAgreement
5      keyCertSign
6      cRLSign
7      encipherOnly
8      decipherOnly

You can restrict the purposes for which a key pair (and thus the corresponding
certificate) should be used by setting the appropriate key-usage bits. For example,
if you want to restrict a key pair to be used for digital signature only, when issuing
the certificate you would add the key usage extension to the certificate with
digital_signature bit (or bit 0) set.
Note that you can specify which bits in the extension are to be set on both server
and client sides:
On the server side, you set the bits by modifying the appropriate configuration
parameters that are defined in the key usage extension policy.
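As an added illustration (not part of the Netscape manual or the CMS code), the following Python sketch shows how the bit numbers in Table 11-26 map onto the DER-encoded BIT STRING carried in the certificate: bit 0 is the most significant bit of the first octet, and decipherOnly (bit 8) spills into a second octet. The function names are hypothetical.

```python
# Added example: DER BIT STRING encoding of the key usage bits in Table 11-26.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]  # list index == bit number in Table 11-26

def encode_key_usage(purposes):
    """Return the DER BIT STRING (tag 0x03) for a set of purpose names."""
    bits = sorted({KEY_USAGE_BITS.index(p) for p in purposes})
    if not bits:
        # RFC 5280 requires at least one bit set when the extension is present.
        raise ValueError("key usage needs at least one purpose")
    nbytes = bits[-1] // 8 + 1
    body = bytearray(nbytes)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)   # bit 0 is the MOST significant bit
    unused = 7 - (bits[-1] % 8)           # DER strips trailing zero bits
    return bytes([0x03, nbytes + 1, unused]) + bytes(body)

def decode_key_usage(der):
    """Parse a DER BIT STRING and return the purposes whose bits are set."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    nbits = len(body) * 8 - unused
    if nbits > len(KEY_USAGE_BITS):
        raise ValueError("bits beyond decipherOnly (bit 8)")
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and body[i // 8] & (0x80 >> (i % 8))]

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real certificate.
    for usage in (["digitalSignature"],
                  ["keyCertSign", "cRLSign"],
                  ["keyAgreement", "decipherOnly"]):
        der = encode_key_usage(usage)
        print(usage, "->", der.hex(), "->", decode_key_usage(der))
```

A signing-only certificate therefore carries the octets 03 02 07 80, which is a quick check to make when reviewing issued certificates against the policy configuration.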
Chapter 11 Policies - Extension-Specific Policy Module Reference - 535

This manual is also suitable for:

Certificate management system 6.1