According to RFC 2459:

    If the extended key usage field is flagged critical, the certificate
    MUST be used only for one of the purposes indicated. If the extension
    is flagged non-critical, then it indicates the intended purpose or
    purposes of the key, and may be used in finding the correct
    key/certificate of an entity that has multiple keys/certificates. It
    is an advisory field and does not imply that usage of the key is
    restricted by the certification authority to the purpose indicated.
    Certificate using applications may nevertheless require that a
    particular purpose be indicated in order for the certificate to be
    acceptable to that application.

I have a certificate (generated with MS Certificate Services W2K):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                2c:fd:65:6e:00:00:00:00:01:79
            Signature Algorithm: sha1WithRSAEncryption
            ...bla-bla...
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication

Extended key usage is not flagged as critical. But I can't use it for smime encoding:

    > openssl verify -CAfile CA.cer -verbose -purpose smimesign text.cer
    error 26 at 0 depth lookup:unsupported certificate purpose

From man x509(1), CERTIFICATE EXTENSIONS:

    The extended key usage extension places additional restrictions on the
    certificate uses. If this extension is present (whether critical or
    not) the key can only be used for the purposes specified.

Why?
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
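An added illustration (not from the original post and not OpenSSL's own source) of the rule the x509(1) man page states: once an extended key usage extension is present, critical or not, `-purpose` accepts the certificate only for purposes whose EKU OID is listed, and the key usage bits are checked on top of that. The id-kp OIDs are the standard RFC 2459/5280 values; the purpose table and the bit names are my approximation of OpenSSL's purpose checks, and the sample certificate is constructed from the extensions shown in the question.

```python
"""Model of the OpenSSL -purpose check for end-entity certificates."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Standard extended-key-usage OIDs (id-kp arc, RFC 2459 / RFC 5280 4.2.1.12).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Assumed approximation of OpenSSL's purpose table:
#   purpose -> (key-usage bits of which at least one must be set, required EKU OID)
PURPOSES = {
    "smimesign": ({"digitalSignature", "nonRepudiation"}, EMAIL_PROTECTION),
    "smimeencrypt": ({"keyEncipherment"}, EMAIL_PROTECTION),
    "sslclient": ({"digitalSignature"}, CLIENT_AUTH),
    "sslserver": ({"digitalSignature", "keyEncipherment", "keyAgreement"}, SERVER_AUTH),
}


@dataclass(frozen=True)
class EndEntityCert:
    key_usage: Optional[FrozenSet[str]]      # None when the KU extension is absent
    ext_key_usage: Optional[FrozenSet[str]]  # None when the EKU extension is absent
    eku_critical: bool = False               # recorded, but never consulted below


def check_purpose(cert: EndEntityCert, purpose: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one -purpose value.

    The EKU test deliberately ignores cert.eku_critical: that is exactly the
    behaviour the question runs into, and why the advisory wording of RFC 2459
    does not help once the extension is present.
    """
    ku_bits, eku_oid = PURPOSES[purpose]
    if cert.ext_key_usage is not None and eku_oid not in cert.ext_key_usage:
        return False, "unsupported certificate purpose"  # openssl verify error 26
    if cert.key_usage is not None and not (cert.key_usage & ku_bits):
        return False, "key usage does not permit " + purpose
    return True, "OK"


# Constructed from the certificate in the question: KU is critical and lists
# four bits, EKU is non-critical and lists only TLS Web Client Authentication.
QUESTION_CERT = EndEntityCert(
    key_usage=frozenset({"digitalSignature", "nonRepudiation",
                         "keyEncipherment", "dataEncipherment"}),
    ext_key_usage=frozenset({CLIENT_AUTH}),
    eku_critical=False,
)

if __name__ == "__main__":
    for p in ("smimesign", "sslclient"):
        print(p, check_purpose(QUESTION_CERT, p))
```

Re-issuing the certificate with an EKU that includes emailProtection (or with no EKU extension at all) is what makes `-purpose smimesign` pass under this rule.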