X.509
===Extensions informing a specific usage of a certificate===
{{IETF RFC|5280}} (and its predecessors) defines a number of certificate extensions which indicate how the certificate should be used. Most of them are arcs from the <code>joint-iso-ccitt(2) ds(5) id-ce(29)</code> OID. Some of the most common, defined in section 4.2.1, are:
* Basic Constraints, <code>{ id-ce 19 }</code>,{{Ref RFC|5280|rsection=4.2.1.9}} are used to indicate whether the certificate is a CA certificate and can certify or issue other certificates. A constraint can be marked as critical. If a constraint is marked critical, then an agent must fail to process the certificate if the agent does not understand the constraint. An agent can continue to process a non-critical constraint it does not understand.
* Key Usage, <code>{ id-ce 15 }</code>,{{Ref RFC|5280|rsection=4.2.1.3}} provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signatures but not for encipherment.
* Extended Key Usage, <code>{ id-ce 37 }</code>,{{Ref RFC|5280|rsection=4.2.1.12}} is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate. It contains a list of OIDs, each of which indicates an allowed use. For example, <code>{ id-pkix 3 1 }</code> indicates that the key may be used on the server end of a TLS or SSL connection; <code>{ id-pkix 3 4 }</code> indicates that the key may be used to secure email.

In general, when using {{IETF RFC|5280}}, if a certificate has several extensions restricting its use, all restrictions must be satisfied for a given use to be appropriate. The <nowiki>RFC</nowiki> gives the specific example of a certificate containing both keyUsage and extendedKeyUsage: in this case, both must be processed and the certificate can only be used if both extensions are coherent in specifying the usage of a certificate.
For example, [[Network Security Services|NSS]] uses both extensions to specify certificate usage.<ref>{{cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_tech_notes/nss_tech_note3|title=All About Certificate Extensions|date=9 May 2002|publisher=Mozilla|access-date=10 September 2020|author=Nelson B Boyard|archive-date=15 December 2018|archive-url=https://web.archive.org/web/20181215123125/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_tech_notes/nss_tech_note3|url-status=dead}}</ref>
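
The combined keyUsage and extendedKeyUsage check described above, as an added example that is not part of the article and is not NSS code: it decodes the two DER extension values and accepts a purpose only when every extension that is present permits it. The function names and the sample DER values are constructed for this example, the table of consistent key usage bits follows RFC 5280 section 4.2.1.12, and only short-form DER lengths are handled.

```python
KU_NAMES = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
            "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"             # { id-pkix 3 1 }
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"        # { id-pkix 3 4 }
# Key usage bits RFC 5280 4.2.1.12 lists as consistent with each purpose.
CONSISTENT = {
    SERVER_AUTH: {"digitalSignature", "keyEncipherment", "keyAgreement"},
    EMAIL_PROTECTION: {"digitalSignature", "nonRepudiation",
                       "keyEncipherment", "keyAgreement"},
}
# Constructed sample extension values (DER); all names here are this example's own.
KU_SIGN_ENCIPHER = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment
KU_CERT_SIGN = bytes.fromhex("03020106")      # keyCertSign, cRLSign
EKU_SERVER = bytes.fromhex("300a06082b06010505070301")  # [serverAuth]

def read_tlv(buf, pos, tag):
    """Return (value, next_pos) for one non-empty, short-form DER TLV."""
    if len(buf) < pos + 2 or buf[pos] != tag or not 0 < buf[pos + 1] < 0x80:
        raise ValueError("unexpected tag, empty value or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos + 2:end], end

def key_usage_bits(der):
    """Decode a KeyUsage BIT STRING into the set of asserted usage names."""
    body, _ = read_tlv(der, 0, 0x03)          # body[0] = count of unused bits
    nbits = min((len(body) - 1) * 8 - body[0], len(KU_NAMES))
    return {KU_NAMES[i] for i in range(nbits) if body[1 + i // 8] & (0x80 >> (i % 8))}

def eku_oids(der):
    """Decode ExtKeyUsageSyntax (SEQUENCE OF OID) into dotted strings."""
    seq, _ = read_tlv(der, 0, 0x30)
    oids, pos = [], 0
    while pos < len(seq):
        raw, pos = read_tlv(seq, pos, 0x06)
        arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first octet packs two arcs
        for b in raw[1:]:
            val = (val << 7) | (b & 0x7F)           # base-128, high bit = more
            if not b & 0x80:
                arcs.append(val)
                val = 0
        oids.append(".".join(map(str, arcs)))
    return oids

def allowed_for(purpose, ku_der=None, eku_der=None):
    """A present extension must permit the purpose; both must agree."""
    ku_ok = ku_der is None or bool(key_usage_bits(ku_der) & CONSISTENT[purpose])
    return ku_ok and (eku_der is None or purpose in eku_oids(eku_der))
```

A certificate whose extendedKeyUsage lists serverAuth but whose keyUsage asserts only keyCertSign and cRLSign is rejected for TLS server use, because the two extensions do not agree.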