• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417
  • Last Modified:

Signed Certificate

When a certificate is signed, what value is placed into the Certificate purpose field, how does that work
Anthony Lucia
Anthony Lucia
2 Solutions
Pasha KravtsovSupport EngineerCommented:
A digital certificate is a part of a public key infrastructure, which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. A certification authority issues certificates and each certificate has a set of fields that contain data, such as subject (the entity to which the certificate is issued), validity dates (when the certificate is valid), issuer (the entity that issued the certificate), and a public key
I am assuming you mean the "Key Usage" field and you are also taking about a certificate used for signing a document or code etc ?

If so then the Key Usage is usually:
KeyUsage = 0xa0

Similar to KeySpec field. This value indicates that this certificate can be used for both encryption and signing.

More details on various certificate fields :
Dave HoweSoftware and Hardware EngineerCommented:
The syntax is a bit complex, but the definitive definition for certs is currently RFC 2459 -

     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
      KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1),
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

If the cert is also an issuing (CA) cert, you also get:

   BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

and may also get to see:

      id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

      NameConstraints ::= SEQUENCE {
           permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
           excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

      GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

      GeneralSubtree ::= SEQUENCE {
           base                    GeneralName,
           minimum         [0]     BaseDistance DEFAULT 0,
           maximum         [1]     BaseDistance OPTIONAL }

      BaseDistance ::= INTEGER (0..MAX)

which allows a root CA to limit what a subordinate CA can issue (so, for example, Google's subca could be restricted to issuing *.google.com certs)

if you want to experiment, much of this is documented in the openssl.conf file (in template) but you will find it easier to play with a copy of XCA (Documentation is, confusingly, HERE)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now