Andrew W. Gray wrote:
> J.R-
>
> chances are that Netscape Communicator is looking at the nsCertType extension within
> the certificate. This extension is used to define specific usage characteristics
> attributed to the certificate. If Communicator sees this extension it WILL apply
> those usage characteristics for the certificate. I believe that you need to generate
> the certificate with the following bit string in order to get the usage that you
> desire - S/MIME and client certificates:
>
> 0x10100000
>
the bits are:
0 - SSL client
1 - SSL server
2 - S/MIME
3 - Object Signing
4 - reserved
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
> This option is configurable within the ssleay.cnf file - look for "nsCertType".
> Another option is to make sure that this extension is omitted from the certificate
> - and if it is - Netscape products will allow the certificate to be used for pretty
> much anything (CA, S/MIME, client certs, server certs, etc.)
>
for all applications except Object Signing
> I also believe that Netscape has a page that describes its usage somewhere on their
> web site describing what each bit flag is used for.
>
I don't have the URL, but the document is called "Netscape Certificate Extensions
Communicator 4.0 Version".
Another thing to consider is that X.509v3 defines some standard certificate
extensions. The relevant extension in your case is the keyUsage extension, which is
used to limit the usage of the cert/key. The possible values are
digitalSignature - SSL Client, S/MIME Signing, Object Signing
keyEncipherment - SSL Server, S/MIME Encryption
keyCertSign - Certificate Signing
Note that extensions can be flagged critical or optional. If keyUsage is optional or
not present, then the cert/key can be used for any type of operation.
Cheers,
Patrick
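
The bit list in the reply above, worked through as an added example that is not part of the original message: it encodes and decodes the nsCertType value as a DER BIT STRING. It assumes the standard ASN.1 convention that bit 0 is the most significant bit of the first content byte; the function names are hypothetical.

```python
# Added example: bit names and positions follow the list in the message above.
NS_CERT_TYPE_BITS = [
    "SSL client", "SSL server", "S/MIME", "Object Signing",
    "reserved", "SSL CA", "S/MIME CA", "Object Signing CA",
]


def encode_ns_cert_type(usages):
    """Return the DER BIT STRING (tag, length, unused-bit count, value)."""
    # list.index raises ValueError for a usage name that is not in the table.
    positions = sorted(NS_CERT_TYPE_BITS.index(u) for u in set(usages))
    if not positions:
        return bytes([0x03, 0x01, 0x00])  # empty bit string
    value = 0
    for pos in positions:
        value |= 0x80 >> pos  # assumption: ASN.1 bit 0 is the top bit
    # DER drops trailing zero bits of a named-bit list, so the count of
    # unused bits depends on the highest bit that is set.
    unused = 7 - positions[-1]
    return bytes([0x03, 0x02, unused, value])


def decode_ns_cert_type(der):
    """Return the usage names set in a DER-encoded nsCertType BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("length does not match the content")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bit count")
    if len(content) > 1:
        raise ValueError("only 8 bits are defined for nsCertType")
    if not content:
        return []
    byte = content[0]
    if byte & ((1 << unused) - 1):
        raise ValueError("bits declared unused must be zero")
    return [n for i, n in enumerate(NS_CERT_TYPE_BITS) if byte & (0x80 >> i)]


if __name__ == "__main__":
    der = encode_ns_cert_type(["SSL client", "S/MIME"])
    print(der.hex(), decode_ns_cert_type(der))
```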