I am using certtool to create some certificates and keys.
These certs and keys will be used on Windows systems - and I've run into some 
confusion.

As far as I can tell, MS [and Cisco and others] expect the OID 
1.3.6.1.5.5.7.3.1 to be a "server" certificate.

However, from the GNUTLS docs for certtool, I see this:

# Whether this certificate will be used for a TLS client;
# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of 
# extended key usage.
tls_www_client

# Whether this certificate will be used for a TLS server;
# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of 
# extended key usage.
tls_www_server

Since I've seen 1.3.6.1.5.5.7.3.1 defined as a *server* EKU everywhere I've 
found from google searches, I'm pretty sure this is the correct *server* OID.

So, I guess the core question is:
Which OID is set for which keyword?
If I use "tls_www_client" in my template, is 1.3.6.1.5.5.7.3.1 going to be set, 
or is it _really_ 1.3.6.1.5.5.7.3.2?
And clearly related; If I use "tls_www_server" in my template, is 
1.3.6.1.5.5.7.3.2 going to be set, or is it _really_ 1.3.6.1.5.5.7.3.1?

I *assume* what really happens is:
tls_www_server = 1.3.6.1.5.5.7.3.1
tls_www_client = 1.3.6.1.5.5.7.3.2
[Which is the reverse of the documentation for certtool; see: 
https://gnutls.org/manual/html_node/certtool-Invocation.html ]

But I want to verify that the comments in the docs are backwards before I 
assume that 


---
If it matters, and perhaps it does - in this particular case, I'm generating 
ca/certs/keys for a Wifi EAP-TLS setup. I assume that the FreeRadius server 
needs a cert with OID 1.3.6.1.5.5.7.3.1, and the client certs need 
1.3.6.1.5.5.7.3.2 [and should *NOT* contain 1.3.6.1.5.5.7.3.1. That way, a 
client cert couldn't be used to spoof/impersonate the server on a rogue Radius 
server. Yes, I understand that would take some doing, and isn't likely - but no 
sense in having any additional exposure.] 

This is why having the correct OIDs and only the correct OIDs is important - 
and thus the above query.

TIA
-Greg
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
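The question above comes down to not trusting a text label and checking the dotted OIDs that actually landed in the certificate. The following is an added example (not part of the original post, and not GnuTLS or certtool code) that decodes the extKeyUsage extension of a DER certificate with the Python standard library only, and applies the policy Greg describes: a server cert must carry id-kp-serverAuth and a client cert must carry id-kp-clientAuth and nothing that would let it pass as a server. The function names, the `check_role` policy and the sample extension bytes are assumptions constructed for the example; `eku_oids_from_pem_file` is what you would point at the PEM files certtool wrote.

```python
"""Decode id-ce-extKeyUsage (2.5.29.37) from a DER certificate and check
that a certificate intended for one EAP-TLS role carries only that role.
Standard library only, so it runs anywhere certtool output needs checking."""
import ssl

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"     # anyExtendedKeyUsage
ID_CE_EXT_KEY_USAGE = "2.5.29.37"          # the extension's own OID


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed type into its (tag, content) TLVs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def _tlv(tag, content):
    """Wrap content in a DER tag/length header (short or long form)."""
    n = len(content)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(lb)]) + lb
    return header + content


def decode_oid(content):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Dotted string -> complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_eku_extension(oids):
    """Build a non-critical Extension { extnID, extnValue OCTET STRING }
    whose value is SEQUENCE OF KeyPurposeId, i.e. what a certificate carries."""
    inner = _tlv(0x30, b"".join(encode_oid(o) for o in oids))
    return _tlv(0x30, encode_oid(ID_CE_EXT_KEY_USAGE) + _tlv(0x04, inner))


def eku_oids(der):
    """Return the dotted OIDs listed in extKeyUsage, or None if the
    extension is absent (RFC 5280: absent EKU restricts nothing)."""
    def find(content):
        kids = _children(content)
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == ID_CE_EXT_KEY_USAGE:
            extn_value = kids[-1][1]         # OCTET STRING comes last (after optional critical BOOLEAN)
            seq = _children(extn_value)[0][1]
            return [decode_oid(b) for t, b in _children(seq) if t == 0x06]
        for tag, body in kids:
            if tag & 0x20:                  # constructed: descend
                found = find(body)
                if found is not None:
                    return found
        return None
    return find(der)


def eku_oids_from_pem_file(path):
    """Read a PEM certificate such as certtool writes and return its EKU OIDs."""
    with open(path) as fh:
        return eku_oids(ssl.PEM_cert_to_DER_cert(fh.read()))


def check_role(oids, role):
    """Problems with a cert meant for role 'server' or 'client' (assumed policy)."""
    want = ID_KP_SERVER_AUTH if role == "server" else ID_KP_CLIENT_AUTH
    forbid = ID_KP_CLIENT_AUTH if role == "server" else ID_KP_SERVER_AUTH
    if oids is None:
        return ["no extKeyUsage extension: usable for any purpose"]
    problems = []
    if want not in oids:
        problems.append(f"missing {want}")
    if forbid in oids:
        problems.append(f"must not carry {forbid}")
    if ANY_EXTENDED_KEY_USAGE in oids:
        problems.append(f"must not carry {ANY_EXTENDED_KEY_USAGE}")
    return problems


if __name__ == "__main__":
    # Constructed samples: a server-only extension, and a client extension
    # that wrongly carries serverAuth too (the exposure the post worries about).
    server_ext = encode_eku_extension([ID_KP_SERVER_AUTH])
    bad_client_ext = encode_eku_extension([ID_KP_CLIENT_AUTH, ID_KP_SERVER_AUTH])
    print("server:", eku_oids(server_ext), check_role(eku_oids(server_ext), "server"))
    print("client:", eku_oids(bad_client_ext), check_role(eku_oids(bad_client_ext), "client"))
```

The decoder compares dotted OIDs, so whichever template keyword certtool maps to which purpose, running `check_role(eku_oids_from_pem_file("client.pem"), "client")` over the generated files tells you what was really set. The same walk finds the extension inside a full certificate because it descends every constructed type until it meets a SEQUENCE whose first element is 2.5.29.37.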