Thanks for the rapid response!

The doc/openssl.txt document was exactly what I was looking for.  (Guess I
need to spiff up my research skills as that was right in the open there.)

If I save the certificate to a file on my desktop as a .cer file and then
double-click it, it opens up and on the very first tab it says "All
application policies" right below the section that says "This certificate is
intended for the following purpose(s):"

I can post a screenshot, if you'd like.


-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: June 27, 2003 1:55 PM
To: [EMAIL PROTECTED]
Subject: Re: X.509 Extensions


On Fri, Jun 27, 2003, Jeremy Wiebe wrote:

> Hello all,
> 
> I've been digging around in the openssl-users mailing list looking for a
> listing of available X.509 extensions that are valid.  I googled a bit for
> them and can't seem to find a definitive listing of extensions that OpenSSL
> supports.
> 

The FAQ points you to doc/openssl.txt.

> Background: We are using OpenSSL to create a Certificate Authority.  It will
> issue certificates to clients in a mostly private environment to be used
> strictly for the clients to identify themselves to a server.  Currently I've
> got everything working, but when I view the generated certificates in
> Windows it says that the certificate has "All application policies" and the
> Key Usage is set to "Digital Signature, Key Encipherment, Data Encipherment
> (b0)".
> 
> My question, is this ok? or should I be limiting these certificates more?
> 

Depends on what you want to do with them. MS software typically uses the
extended key usage extension to determine which usages to permit and then
allows the user installing the certificate to limit usage further.

If you look at some of the standard root CAs (e.g. Thawte Freemail) you'll see
that only a couple of a large list of potential purposes are checked.

Where do you get the message "All application policies" BTW? I've not noticed
that one before.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
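
Added example, not part of the original thread or of the OpenSSL project's own material: a throwaway CA issues one client certificate with no extensions and one limited to client authentication through keyUsage and extendedKeyUsage, then asks OpenSSL which purposes each certificate passes. The section name client_cert, the file names and the CN values are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added demo; CA/client names, file names and the section name are constructed.

# Extension section for a certificate used only for client authentication.
client_ext() {
  cat <<'EOF'
[ client_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_ca DIR: create a throwaway self-signed CA in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue DIR NAME [EXTFILE]: sign a CSR for NAME, optionally with client_cert.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -extfile "$3" -extensions client_cert \
      -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
  fi
}

# purpose CERT NAME: print Yes/No from `openssl x509 -purpose` for NAME.
purpose() {
  openssl x509 -noout -purpose -in "$1" | sed -n "s|^$2 : ||p"
}

demo() {
  d=$(mktemp -d); client_ext > "$d/ext.cnf"; make_ca "$d"
  issue "$d" open; issue "$d" tight "$d/ext.cnf"
  for c in open tight; do
    for p in "SSL client" "SSL server" "S/MIME signing"; do
      echo "$c: $p = $(purpose "$d/$c.pem" "$p")"
    done
  done
  rm -rf "$d"
}
demo
```

The certificate issued without extensions passes every purpose check, while the one issued with the client_cert section passes only "SSL client".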