Solved

Signed Certificate

Posted on 2014-03-28
3
Medium Priority
409 Views
Last Modified: 2014-03-31
When a certificate is signed, what value is placed into the Certificate purpose field, and how does that work?
Question by:Anthony Lucia
3 Comments
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 1000 total points
ID: 39961897
A digital certificate is a part of a public key infrastructure, which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. A certification authority issues certificates and each certificate has a set of fields that contain data, such as subject (the entity to which the certificate is issued), validity dates (when the certificate is valid), issuer (the entity that issued the certificate), and a public key
LVL 29

Assisted Solution

by:becraig
becraig earned 1000 total points
ID: 39961901
I am assuming you mean the "Key Usage" field and you are also talking about a certificate used for signing a document or code etc.?

If so then the Key Usage is usually:
KeyUsage = 0xa0
      

Similar to KeySpec field. This value indicates that this certificate can be used for both encryption and signing.


More details on various certificate fields :
http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29.aspx
LVL 33

Expert Comment

by:Dave Howe
ID: 39966057
The syntax is a bit complex, but the definitive definition for certs is currently RFC 2459 -

     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
      KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1),
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

If the cert is also an issuing (CA) cert, you also get:

   BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

and may also get to see:

      id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

      NameConstraints ::= SEQUENCE {
           permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
           excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

      GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

      GeneralSubtree ::= SEQUENCE {
           base                    GeneralName,
           minimum         [0]     BaseDistance DEFAULT 0,
           maximum         [1]     BaseDistance OPTIONAL }

      BaseDistance ::= INTEGER (0..MAX)

which allows a root CA to limit what a subordinate CA can issue (so, for example, Google's subca could be restricted to issuing *.google.com certs)

If you want to experiment, much of this is documented in the openssl.conf file (in template), but you will find it easier to play with a copy of XCA (Documentation is, confusingly, HERE)
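To make the two answers above concrete, here is an added example (not from any poster in this thread, and not from OpenSSL or XCA) that encodes and decodes the KeyUsage BIT STRING quoted from RFC 2459 in DER. It shows that the value `0xa0` becraig mentions is exactly digitalSignature (bit 0) plus keyEncipherment (bit 2), and that a bit such as decipherOnly (8) spills into a second byte. It hand-rolls DER for this one type only, so it needs no third-party library.

```python
# Added example: DER encode/decode of the X.509 KeyUsage BIT STRING.
# ASN.1 named bit 0 is the MOST significant bit of the first content byte,
# which is why digitalSignature + keyEncipherment comes out as 0xa0.

KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]

def encode_key_usage(names):
    """Return the DER encoding (tag 0x03) of KeyUsage for a set of flag names."""
    bits = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING: length 1, zero unused bits
    nbits = bits[-1] + 1       # DER drops trailing zero bits of a named bit list
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - nbits          # first content byte: count of unused bits
    content = bytes([unused]) + bytes(value)
    return b"\x03" + bytes([len(content)]) + content

def decode_key_usage(der):
    """Parse a short-form DER BIT STRING and return the set of KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, value = der[2], der[3:]
    if unused > 7 or (unused and not value):
        raise ValueError("invalid unused-bits count")
    total = len(value) * 8 - unused      # number of meaningful bits
    names = set()
    for b in range(min(total, len(KEY_USAGE_BITS))):
        if value[b // 8] & (0x80 >> (b % 8)):
            names.add(KEY_USAGE_BITS[b])
    return names

def first_byte(names):
    """Bit pattern of the first KeyUsage value byte, e.g. 0xa0 for sign+encrypt."""
    enc = encode_key_usage(names)
    return enc[3] if len(enc) > 3 else 0
```

Before trusting a certificate for a purpose, a verifier checks the decoded set for the bit that purpose needs (keyCertSign for an issuer, digitalSignature for a signer) rather than only the certificate's stated "purpose".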