本文介绍了KeyUsage扩展的相关变量及其在不同证书类型中的默认配置规则,包括客户端、服务器及CA证书的使用限制。KeyUsage扩展定义了如digitalSignature、nonRepudiation等变量,并通过公式规定了合法的设置组合。
KeyUsage Extension
原文网址:http://pic.dhe.ibm.com/infocenter/seas/v2r4m1/index.jsp?topic=%2Fcom.ibm.help.seasimplementationguide.doc%2FSEAS_KeyUsage_Extension.html
The KeyUsage extension defines the following variables, which correlate directly to the bit fields defined in RFC 3280 for the extension:
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
- keyAgreement
- keyCertSign
- cRLSign
- encipherOnly
- decipherOnly
Because the KeyUsage extension is a common area for problems with interoperability, the default formulas for KeyUsage specify a minimal set of rules that demonstrate the mechanics of the feature:
- Client-KeyUsage: !({encipherOnly} && {decipherOnly})
- Server-KeyUsage: !({encipherOnly} && {decipherOnly})
- CA-KeyUsage: !({encipherOnly} && {decipherOnly}) && {keyCertSign}
The first two rules state that it is not legal to set both the encipherOnly and decipherOnly bits in the same certificate. The third rule adds that CA certificates must include the keyCertSign bit. Replace or modify the expressions to implement an application-specific policy for the key usage setting.
扫一扫
1299
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
