According to RFC 2459:
If the Extended key usage field is flagged critical, the certificate MUST be used only
for one of the purposes indicated.
If the extension is flagged non-critical, then it indicates the intended purpose or
purposes of the key, and may be used in finding the correct key/certificate of an
entity that has multiple keys/certificates. It is an advisory field and does not imply
that usage of the key is restricted by the certification authority to the purpose
indicated. Certificate using applications may nevertheless require that a particular
purpose be indicated in order for the certificate to be acceptable to that application.
I have a certificate (generated with MS Certificate Services W2K).
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2c:fd:65:6e:00:00:00:00:01:79
Signature Algorithm: sha1WithRSAEncryption
..bla-bla...
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Extended key usage is not flagged as critical.
But I can't use it for smime encoding:
>openssl verify -CAfile CA.cer -verbose -purpose smimesign text.cer
error 26 at 0 depth lookup:unsupported certificate purpose
From man:
x509(1)
CERTIFICATE EXTENSIONS
The extended key usage extension places additional restrictions on the certificate
uses. If this extension is present (whether critical or not) the key can only be used
for the purposes specified.
Why?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
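The behaviour the poster hits is exactly what the x509(1) text describes: OpenSSL's purpose checks (the check_purpose_* functions behind `openssl verify -purpose`) treat a present extendedKeyUsage as restrictive whether or not it is marked critical, and `smimesign` additionally requires the emailProtection key purpose, so a certificate whose only EKU is clientAuth fails with error 26 (unsupported certificate purpose). The following is an added example, not code from the original post or from OpenSSL: it decodes the DER of the two extensions and applies a simplified model of OpenSSL's purpose table. The extension bytes are constructed to match the certificate shown above (EKU = clientAuth, keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment); the purpose table is my own summary and omits version-specific details such as the legacy Netscape/Microsoft SGC purposes.

```python
"""Model of OpenSSL's -purpose check on the EKU and KeyUsage extensions.

Added example (not OpenSSL code). Decodes the extension values with a tiny
DER reader and evaluates them the way crypto/x509v3/v3_purp.c does:
an EKU that is present restricts use regardless of criticality, and a
KeyUsage that is present must contain a bit the purpose accepts.
"""

SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03

# KeyUsage bit names in RFC 2459 order (bit 0 = digitalSignature).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# purpose -> (EKU OIDs that satisfy it if an EKU is present,
#             KeyUsage bits of which at least one must be set if KU is present)
# Simplified summary of OpenSSL's check_purpose_* functions (an assumption
# for the example, not a copy of any particular OpenSSL version).
PURPOSES = {
    "sslclient":    ({CLIENT_AUTH},      {"digitalSignature"}),
    "sslserver":    ({SERVER_AUTH},      {"digitalSignature", "keyEncipherment"}),
    "smimesign":    ({EMAIL_PROTECTION}, {"digitalSignature", "nonRepudiation"}),
    "smimeencrypt": ({EMAIL_PROTECTION}, {"keyEncipherment"}),
}


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos:]; return (tag, contents, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(contents):
    """DER OID contents -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """extendedKeyUsage extnValue: SEQUENCE OF KeyPurposeId -> list of OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == SEQUENCE
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        assert tag == OID
        oids.append(decode_oid(val))
    return oids


def parse_key_usage(der):
    """keyUsage extnValue: BIT STRING -> set of bit names that are set."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == BIT_STRING
    unused, payload = body[0], body[1:]
    total = 8 * len(payload)
    bits = int.from_bytes(payload, "big")
    nbits = total - unused
    return {name for i, name in enumerate(KU_BITS)
            if i < nbits and (bits >> (total - 1 - i)) & 1}


def check_purpose(purpose, eku=None, key_usage=None):
    """Return (ok, reason). Pass None for an extension that is absent."""
    needed_eku, allowed_ku = PURPOSES[purpose]
    # Criticality is never consulted: presence alone makes the EKU restrictive.
    if eku is not None and not needed_eku & set(eku):
        return False, "unsupported certificate purpose: EKU lacks %s" % ",".join(sorted(needed_eku))
    if key_usage is not None and not allowed_ku & key_usage:
        return False, "unsupported certificate purpose: keyUsage lacks %s" % "/".join(sorted(allowed_ku))
    return True, "ok"


# Constructed extension values matching the certificate in the post.
EKU_CLIENT_AUTH_DER = bytes.fromhex("300a06082b06010505070302")   # SEQ { clientAuth }
EKU_EMAIL_DER = bytes.fromhex("300a06082b06010505070304")         # SEQ { emailProtection }
KU_DER = bytes.fromhex("030204f0")                                # bits 0-3 set


def evaluate_post_certificate():
    """Run every purpose against the post's EKU/KU; returns {purpose: ok}."""
    eku, ku = parse_eku(EKU_CLIENT_AUTH_DER), parse_key_usage(KU_DER)
    return {p: check_purpose(p, eku, ku)[0] for p in PURPOSES}


if __name__ == "__main__":
    for purpose, ok in evaluate_post_certificate().items():
        print("%-13s %s" % (purpose, "OK" if ok else "error 26: unsupported certificate purpose"))
```

Dropping the EKU extension entirely (eku=None) makes `smimesign` pass on KeyUsage alone, and so does issuing the certificate with emailProtection in its EKU; that is the fix on the CA side, since the verifier never looks at the critical flag.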