I've created a "signature" profile certificate, with the following key usage set:
Key usage = use + critical
but when I request and import the certificate into my Mac OS Keystore, when I click on the private key it says:
key usage: Any. And it appears I can use this certificate to sign but also to encrypt messages.
It should be written: key usage: sign, non repudiation...
Is there a way to enforce the key usage policy? Or is there something I've missed?
Did you look at Extended Key Usage?
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact email@example.com for more information.
Well, I've got the following settings with extended key usage:
selection: Client authentication, code signing, email protection, SSH client.
And that's all. Is there something I should change in this configuration?
Well, that's pretty much everything. So your certificate is usable for everything, and MacOS presents it not as technical parameters, but as what MacOS thinks your certificate is usable for. If you want to limit the usage, you should limit it using Extended Key Usage.
Hi, thanks for the advice, but there's something that I don't get:
Options in "Extended Key Usage" are different from those in "Key Usage". What options would I need to choose if I want to emit a certificate only for signing, for instance?
Read up on RFCs and standards for key usage and extended key usage.
For extended key usage the question is signing of what?
For normal key usage if you only want document signing, try to only use non-repudiation.
But in the end it all depends on the applications you use; unfortunately there are no easy answers and no frozen rules. What is your application? Ask that application's vendor what key usages it requires.
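As an added illustration (not code from the thread or from EJBCA), the small dependency-free Python below encodes and decodes the X.509 KeyUsage bit string from RFC 5280 and maps it to the coarse "sign / encrypt" view a client presents, so you can compare what a signing-only profile (digitalSignature + nonRepudiation) carries against a profile with every bit set. The SIGNING_ONLY and EVERYTHING values are constructed here, and the sign/encrypt mapping is a deliberate simplification of what real clients do.

```python
KEY_USAGE_BITS = [          # RFC 5280 4.2.1.3, bit 0 is the MSB of byte 0
    "digitalSignature",     # bit 0
    "nonRepudiation",       # bit 1 (contentCommitment in RFC 5280)
    "keyEncipherment",      # bit 2, needed for RSA key transport (S/MIME encryption)
    "dataEncipherment",     # bit 3
    "keyAgreement",         # bit 4
    "keyCertSign",          # bit 5
    "cRLSign",              # bit 6
    "encipherOnly",         # bit 7
    "decipherOnly",         # bit 8
]

def encode_key_usage(names):
    """DER BIT STRING for the given usages; DER drops trailing zero bits."""
    if not names:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING
    highest = max(KEY_USAGE_BITS.index(n) for n in names)
    nbytes = 1 if highest < 8 else 2
    unused = nbytes * 8 - (highest + 1)
    value = 0
    for n in names:
        value |= 1 << (nbytes * 8 - 1 - KEY_USAGE_BITS.index(n))
    return bytes([0x03, nbytes + 1, unused]) + value.to_bytes(nbytes, "big")

def decode_key_usage(der):
    """Usage names set in a DER-encoded KeyUsage BIT STRING."""
    if der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length, unused = der[1], der[2]
    body = der[3:3 + length - 1]
    total_bits = len(body) * 8 - unused
    return [KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if body[i // 8] & (0x80 >> (i % 8))]

def permitted_operations(names):
    """Coarse 'what is it for' view, as a client such as Mac OS shows it.
    None = extension absent, which RFC 5280 treats as unrestricted ('Any')."""
    if names is None:
        return {"sign", "encrypt"}
    ops = set()
    if "digitalSignature" in names or "nonRepudiation" in names:
        ops.add("sign")
    if "keyEncipherment" in names or "keyAgreement" in names:
        ops.add("encrypt")
    return ops

# Constructed values: a signing-only profile versus an "everything" profile.
SIGNING_ONLY = encode_key_usage(["digitalSignature", "nonRepudiation"])  # 03 02 06 C0
EVERYTHING = encode_key_usage(KEY_USAGE_BITS)                           # 03 03 07 FF 80
```

Run `decode_key_usage` on the KeyUsage extension value of an issued certificate to confirm that only the signing bits are present; keyEncipherment or keyAgreement is what lets a client offer the certificate for encryption as well.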