Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 729

Discussion
The Key Usage extension defines the purpose of the key contained in the certificate.
The Key Usage, Extended Key Usage, Basic Constraints, and Netscape Certificate
Type extensions act together to specify the purposes for which a certificate can be
used. For more information on interactions between these extensions in CA
certificates, see "CA Certificates and Extension Interactions" on page 742.
If this extension is included at all, set the bits as follows:
- digitalSignature (0) for SSL client certificates, S/MIME signing certificates, and object-signing certificates.
- nonRepudiation (1) for some S/MIME signing certificates and object-signing certificates. Note, however, that the use of this bit is controversial. You should carefully consider the legal consequences of its use before setting it for any certificate.
- keyEncipherment (2) for SSL server certificates and S/MIME encryption certificates.
- dataEncipherment (3) when the subject's public key is used to encipher user data (as opposed to key material).
- keyAgreement (4) whenever the subject's public key is used for key agreement.
- keyCertSign (5) for all CA signing certificates.
- cRLSign (6) for CA signing certificates that are used to sign CRLs.
- encipherOnly (7) if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set.
- decipherOnly (8) if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set.

Table G-3 summarizes the above guidelines for typical certificate uses.

Table G-3  Certificate uses and corresponding Key Usage bits

Purpose of certificate    Required Key Usage bit
CA Signing                keyCertSign, cRLSign
SSL Client                digitalSignature
SSL Server                keyEncipherment
S/MIME Signing            digitalSignature
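
The bit numbers above are positions in the DER BIT STRING that carries the Key Usage value, with bit 0 as the most significant bit of the first content byte. The following added example (not taken from the manual or the product) decodes such a BIT STRING and checks it against Table G-3 and the encipherOnly/decipherOnly rule; the function names and the sample encodings in the comments are constructed for illustration.

```python
# Added example: decode a DER-encoded KeyUsage BIT STRING and check it
# against the guidelines above. Function names are hypothetical.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Table G-3: required Key Usage bits per certificate purpose.
REQUIRED = {
    "CA Signing": {"keyCertSign", "cRLSign"},
    "SSL Client": {"digitalSignature"},
    "SSL Server": {"keyEncipherment"},
    "S/MIME Signing": {"digitalSignature"},
}

def decode_key_usage(der: bytes) -> set:
    """Return the names of the bits set in a DER KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    total = len(payload) * 8 - unused
    names = set()
    for i in range(total):
        # Bit 0 is the most significant bit of the first content byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit beyond decipherOnly set")
            names.add(KEY_USAGE_BITS[i])
    return names

def check_key_usage(purpose: str, der: bytes) -> list:
    """Return a list of guideline violations (empty means compliant)."""
    bits = decode_key_usage(der)
    problems = [f"missing {b} for {purpose}"
                for b in sorted(REQUIRED[purpose] - bits)]
    for only in ("encipherOnly", "decipherOnly"):
        if only in bits and "keyAgreement" not in bits:
            problems.append(f"{only} set without keyAgreement")
    return problems

# Constructed samples: 03 02 01 06 = keyCertSign + cRLSign,
# 03 03 07 00 80 = decipherOnly alone (violates the keyAgreement rule).
```
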
Appendix G, Certificate and CRL Extensions: Standard X.509 v3 Certificate Extensions
