Could the ou name field cause a mismatch error in authenticating users in any way? Also I was told that the ou is not part of the cert. huh??? I assume that they are telling me that the ou part is not part of the validating process. Does this sound right?
When issuing mail certs to users, what are the most important fields to really pay attention to?
Thanks for your help.
I was reading your previous post about extension settings:
"generally, the extensions are meant to restrict the usage of the certificate.
If an extension is missing, it is assumed to "allow all".
But your users may reject to accept a root CA that authorizes for everything.
But at least the basic constraints should be there."
Do I understand correctly that if the settings are not set to its uses it could cause problems? For example, if set this way;
Extensions ==>certificate key usage==>
Not Critical <-- could this cause a problem?
_if_ you set >certificate key usage< you _must_ set it correctly.
"Correctly" is defined by the purpose of the certificate, how you want to use it.
Maybe you want to read:
"critical" generally means to the certificate interpreter like mozilla:
"If you don't understand this extension, reject the certificate"
Otherwise, the Browser/client whatever just evaluates and interprets the extensions
it knows about.
with "users" I meant humans, that could reject to install a root certificate
allowing to sign everything.
Thanks for the read and explanation. Helpful. Question, if any part of the extensions give a "unsupported extension" error I am going to have a problem even if critical is marked or not. Right?
The reason for asking, I was looking at an option to view info about a user and certs (on the server)and saw what might be the problem.
x509v3 Basic constraints:
Log in to post a comment.