Solved

Signed Certificate

Posted on 2014-03-28
Last Modified: 2014-03-31
When a certificate is signed, what value is placed into the Certificate purpose field, and how does that work?

Question by: Anthony Lucia
3 Comments
 
Accepted Solution

by: Pasha Kravtsov (earned 250 total points)
ID: 39961897
A digital certificate is a part of a public key infrastructure, which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. A certification authority issues certificates, and each certificate has a set of fields that contain data, such as subject (the entity to which the certificate is issued), validity dates (when the certificate is valid), issuer (the entity that issued the certificate), and a public key.
 
Assisted Solution

by: becraig (earned 250 total points)
ID: 39961901
I am assuming you mean the "Key Usage" field and you are also talking about a certificate used for signing a document or code etc.?

If so, then the Key Usage is usually:

KeyUsage = 0xa0

Similar to the KeySpec field. This value indicates that this certificate can be used for both encryption and signing.


More details on various certificate fields:
http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29.aspx
 
Expert Comment

by: Dave Howe
ID: 39966057
The syntax is a bit complex, but the definitive definition for certs is currently RFC 2459:

     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
      KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1),
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

If the cert is also an issuing (CA) cert, you also get:

   BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

and may also get to see:

      id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

      NameConstraints ::= SEQUENCE {
           permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
           excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

      GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

      GeneralSubtree ::= SEQUENCE {
           base                    GeneralName,
           minimum         [0]     BaseDistance DEFAULT 0,
           maximum         [1]     BaseDistance OPTIONAL }

      BaseDistance ::= INTEGER (0..MAX)

which allows a root CA to limit what a subordinate CA can issue (so, for example, Google's sub-CA could be restricted to issuing *.google.com certs).

If you want to experiment, much of this is documented in the openssl.conf file (in template), but you will find it easier to play with a copy of XCA (documentation is, confusingly, HERE).
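Added example (not code from this thread or either answer): a small Python decoder for the KeyUsage BIT STRING defined above, showing why the KeyUsage = 0xa0 value from the earlier answer reads as digitalSignature plus keyEncipherment, together with the consistency check a validator applies between keyCertSign and the BasicConstraints cA flag. The DER byte strings are constructed samples, not taken from any real certificate.

```python
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",   # bits 0-2
    "dataEncipherment", "keyAgreement", "keyCertSign",         # bits 3-5
    "cRLSign", "encipherOnly", "decipherOnly",                 # bits 6-8
]


def decode_key_usage(der: bytes) -> list:
    """Return the names of the bits set in a DER-encoded KeyUsage BIT STRING.

    Layout: tag 0x03, length, a byte counting unused trailing bits, then the
    bit data. ASN.1 bit 0 is the MOST significant bit of the first data byte,
    so 0xa0 (1010 0000) means digitalSignature + keyEncipherment, not bits 5
    and 7 as a little-endian reading would suggest.
    """
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, data = der[1], der[2], der[3:]
    if length & 0x80 or length != len(der) - 2 or unused > 7:
        raise ValueError("malformed BIT STRING")
    names = []
    for bit in range(len(data) * 8 - unused):
        byte, offset = divmod(bit, 8)
        if data[byte] & (0x80 >> offset):
            names.append(KEY_USAGE_BITS[bit] if bit < 9 else "bit%d" % bit)
    return names


def key_cert_sign_consistent(names: list, basic_constraints_ca: bool) -> bool:
    """RFC 5280 rule: keyCertSign may only be asserted when BasicConstraints
    cA is TRUE. Returns False for the combination a validator must reject."""
    return basic_constraints_ca or "keyCertSign" not in names


# Constructed samples (not taken from any real certificate):
SIGN_AND_ENCRYPT = bytes([0x03, 0x02, 0x05, 0xA0])  # the 0xa0 value from the thread
CA_USAGE = bytes([0x03, 0x02, 0x01, 0x06])          # keyCertSign + cRLSign

if __name__ == "__main__":
    print(decode_key_usage(SIGN_AND_ENCRYPT))  # ['digitalSignature', 'keyEncipherment']
    print(decode_key_usage(CA_USAGE))          # ['keyCertSign', 'cRLSign']
    print(key_cert_sign_consistent(decode_key_usage(CA_USAGE), False))  # False
```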
