Certificate Profile and Key usage

2013-04-09
  • Asteroid459
    2013-04-09

    I've created a "signature" profile certificate, with the following key usage set:
    Key usage = use + critical
    Digital signature
    Non repudiation
    Key encipherment

    but when I request and import certificate in my Mac OS Keystore, when I click on private key it says:
    key usage: Any, and it appears I can use this certificate to sign but also to encrypt messages.
    It should say: key usage: sign, non repudiation...
    Is there a way to enforce a key usage policy? Or is there something I've missed?

  • Asteroid459
    2013-04-09

    Well, I've got the following settings with extended key usage:
    Use: checked
    Critical: unchecked
    selection: Client authentication, code signing, email protection, SSH client.
    And that's all. Is there something I should change in this configuration?

  • Well, that's pretty much everything. So your certificate is usable for everything, and MacOS presents it, not as technical parameters, but as what MacOS thinks your certificate is usable for. If you want to limit the usage, you should limit it using Extended Key Usage.

    Cheers,
    Tomas

  • Asteroid459
    2013-04-09

    Hi, thanks for the advice, but there's something that I don't get:
    The options in "Extended key usage" are different from those in "Key usage". What options would I need to choose if I want to issue a certificate only for signing, for instance?

    Cheers,

  • Read up on the RFCs and standards for key usage and extended key usage.

    For extended key usage the question is signing of what?

    For normal key usage, if you only want document signing, try to use only non-repudiation.
    But in the end it all depends on the applications you use; unfortunately there are no easy answers and no fixed rules. What is your application? Ask that application's vendor what key usages it requires.
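    The point Tomas makes is that a keystore GUI shows its own interpretation, not the bits the CA actually set, so the reliable check is to decode the KeyUsage and ExtendedKeyUsage extension values from the DER certificate yourself. The following is an added example (not from the original thread, not EJBCA's or Apple's code) using only the Python standard library. The sample extension values are constructed by hand to match the profile described above: KeyUsage with digitalSignature, nonRepudiation and keyEncipherment, a second KeyUsage with nonRepudiation only, and an EKU listing clientAuth, codeSigning and emailProtection. Bit positions and OIDs follow RFC 5280; the hex-encoded sample bytes and the function names are this example's own.

```python
"""Decode X.509 KeyUsage and ExtendedKeyUsage extension values from DER.

Stdlib only.  Feed it the raw extension value (the OCTET STRING contents
shown by a tool such as `openssl asn1parse`) and it returns the names of
the bits / OIDs that were really set, independent of how a GUI keystore
chooses to summarize them.
"""

# RFC 5280 section 4.2.1.3: bit positions in the KeyUsage BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# RFC 5280 section 4.2.1.12: common ExtendedKeyUsage OIDs.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}


def _read_tlv(data, offset):
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_key_usage(der):
    """Return the KeyUsage names whose bits are set in a DER BIT STRING."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused = value[0]          # first content byte: number of unused trailing bits
    bits = value[1:]
    total_bits = len(bits) * 8 - unused
    names = []
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if bits[byte] & (0x80 >> bit):   # bit 0 is the most significant bit
            names.append(KEY_USAGE_BITS[i])
    return names


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    first = raw[0]
    arcs = [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:       # last byte of a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_extended_key_usage(der):
    """Return the EKU names (or raw dotted OIDs) in a DER SEQUENCE OF OID."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    names = []
    offset = 0
    while offset < len(seq):
        oid_tag, oid_val, offset = _read_tlv(seq, offset)
        if oid_tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        dotted = _decode_oid(oid_val)
        names.append(EKU_NAMES.get(dotted, dotted))
    return names


# Constructed sample values (assumption: they match the profile in the thread).
SIGNATURE_PROFILE_KU = bytes.fromhex("030205e0")   # digitalSignature, nonRepudiation, keyEncipherment
SIGNATURE_ONLY_KU = bytes.fromhex("03020640")      # nonRepudiation only
SIGNATURE_PROFILE_EKU = bytes.fromhex(
    "301e" + "06082b06010505070302" + "06082b06010505070303" + "06082b06010505070304"
)

if __name__ == "__main__":
    print("KU :", decode_key_usage(SIGNATURE_PROFILE_KU))
    print("KU :", decode_key_usage(SIGNATURE_ONLY_KU))
    print("EKU:", decode_extended_key_usage(SIGNATURE_PROFILE_EKU))
```

Decoding the profile this way shows why the Mac keystore reports "Any": with keyEncipherment set in KeyUsage and an EKU covering client authentication, code signing and e-mail protection, there is nothing in the certificate that restricts it to signing. Whether a given application honours the bits at all is, as Tomas says, up to that application.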