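This article describes the variables of the KeyUsage extension and its default configuration rules for different certificate types, including the usage restrictions for client, server, and CA certificates. The KeyUsage extension defines variables such as digitalSignature and nonRepudiation, and uses formulas to specify which combinations of settings are legal.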

KeyUsage Extension

Original URL: http://pic.dhe.ibm.com/infocenter/seas/v2r4m1/index.jsp?topic=%2Fcom.ibm.help.seasimplementationguide.doc%2FSEAS_KeyUsage_Extension.html

The KeyUsage extension defines the following variables, which correlate directly to the bit fields defined in RFC 3280 for the extension:

  • digitalSignature
  • nonRepudiation
  • keyEncipherment
  • dataEncipherment
  • keyAgreement
  • keyCertSign
  • cRLSign
  • encipherOnly
  • decipherOnly

Because the KeyUsage extension is a common area for problems with interoperability, the default formulas for KeyUsage specify a minimal set of rules that demonstrate the mechanics of the feature:

  • Client-KeyUsage: !({encipherOnly} && {decipherOnly})
  • Server-KeyUsage: !({encipherOnly} && {decipherOnly})
  • CA-KeyUsage: !({encipherOnly} && {decipherOnly}) && {keyCertSign}

The first two rules state that it is not legal to set both the encipherOnly and decipherOnly bits in the same certificate. The third rule adds that CA certificates must include the keyCertSign bit. Replace or modify the expressions to implement an application-specific policy for the key usage setting.
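The following added example (not code from the product or from the original page) evaluates the three default formulas against the set of KeyUsage bits asserted in a certificate. The grammar is inferred from the formulas shown above (`{variable}`, `!`, `&&`, parentheses); the precedence of `!` over `&&` and the function name `evaluate` are assumptions.

```python
import re

# Variable names listed on the page (RFC 3280 KeyUsage bit fields).
BITS = {"digitalSignature", "nonRepudiation", "keyEncipherment",
        "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
        "encipherOnly", "decipherOnly"}

# Default formulas quoted from the page.
DEFAULTS = {
    "Client": "!({encipherOnly} && {decipherOnly})",
    "Server": "!({encipherOnly} && {decipherOnly})",
    "CA": "!({encipherOnly} && {decipherOnly}) && {keyCertSign}",
}

def evaluate(formula, key_usage):
    """Return True if the set of asserted bits satisfies the formula."""
    toks = re.findall(r"\{\w+\}|&&|!|\(|\)|\S", formula)
    i = 0

    def take():
        nonlocal i
        if i >= len(toks):
            raise ValueError("formula ends early")
        i += 1
        return toks[i - 1]

    def conj():                      # conj := unary ('&&' unary)*
        nonlocal i
        val = unary()
        while i < len(toks) and toks[i] == "&&":
            i += 1
            val = unary() and val    # parse the right side before combining
        return val

    def unary():                     # unary := '!' unary | '(' conj ')' | '{name}'
        tok = take()
        if tok == "!":
            return not unary()
        if tok == "(":
            val = conj()
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok[0] == "{" and tok[1:-1] in BITS:
            return tok[1:-1] in key_usage
        raise ValueError(f"unexpected token or unknown variable: {tok}")

    result = conj()
    if i != len(toks):
        raise ValueError(f"unexpected token: {toks[i]}")
    return result
```

Unknown variable names and malformed formulas raise `ValueError` rather than evaluating to false, so a typo in a custom policy is rejected instead of silently changing which certificates are accepted.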
