?
Solved

Signed Certificate

Posted on 2014-03-28
3
Medium Priority
?
413 Views
Last Modified: 2014-03-31
When a certificate is signed, what value is placed into the Certificate purpose field, how does that work
0
Comment
Question by:Anthony Lucia
3 Comments
 
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 1000 total points
ID: 39961897
A digital certificate is a part of a public key infrastructure, which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. A certification authority issues certificates and each certificate has a set of fields that contain data, such as subject (the entity to which the certificate is issued), validity dates (when the certificate is valid), issuer (the entity that issued the certificate), and a public key
0
 
LVL 29

Assisted Solution

by:becraig
becraig earned 1000 total points
ID: 39961901
I am assuming you mean the "Key Usage" field and you are also taking about a certificate used for signing a document or code etc ?

If so then the Key Usage is usually:
KeyUsage = 0xa0
      

Similar to KeySpec field. This value indicates that this certificate can be used for both encryption and signing.


More details on various certificate fields :
http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29.aspx
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39966057
The syntax is a bit complex, but the definitive definition for certs is currently RFC 2459 -

     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
      KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1),
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

If the cert is also an issuing (CA) cert, you also get:

   BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

and may also get to see:

      id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

      NameConstraints ::= SEQUENCE {
           permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
           excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

      GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

      GeneralSubtree ::= SEQUENCE {
           base                    GeneralName,
           minimum         [0]     BaseDistance DEFAULT 0,
           maximum         [1]     BaseDistance OPTIONAL }

      BaseDistance ::= INTEGER (0..MAX)

which allows a root CA to limit what a subordinate CA can issue (so, for example, Google's subca could be restricted to issuing *.google.com certs)

if you want to experiment, much of this is documented in the openssl.conf file (in template) but you will find it easier to play with a copy of XCA (Documentation is, confusingly, HERE)
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question