crypto:certificate:usage

About

A certificate may have one or more several usages. This articles list them and show you how to discover the usage also known as certificat purpose.

The usage (key_usage and extended_key_usage) are stored in the certificate as extensions.

A certificate can be used for one or more of the below usage category known as KeyUsage (KU, or id-ce-keyUsage) ¹⁾ :

Name Identifier	Name for Human	Description
digitalSignature	Digital signature	To add a signature to a message
nonRepudiation		non-repudation - the message cannot be denied from having been sent
keyEncipherment		To encrypt a key
dataEncipherment		To encrypt data
keyAgreement		For key exchange
keyCertSign	Certificate signing	To signed a certificate
cRLSign	CRL signing	To sign a certificate revocation list (crl)
encipherOnly and decipherOnly		To only encrypt or decrypt

The usage name is the name used by openssl.

The key usage usage is explained in the x509 specification section-4.2.1.3.

The ExtendedKeyUsage (or id-ce-extKeyUsage) ²⁾ is another field that defines more precisely the keyusage by defining the purpose.

The list below is non-exhaustive ³⁾.

Name	Object ID (OID) ⁴⁾	Description
serverAuth	id-kp-serverAuth	SSL/TLS Web Server Authentication.
clientAuth	id-kp-clientAuth	SSL/TLS Web Client Authentication
codeSigning	id-kp-codeSigning	Code signing (Signing of downloadable executable code)
emailProtection	id-kp-emailProtection	E-mail Protection (S/MIME)
timeStamping		Trusted Timestamping (Binding the hash of an object to a time)
msCodeInd		Microsoft Individual Code Signing (authenticode)
msCodeCom		Microsoft Commercial Code Signing (authenticode)
msCTLSign		Microsoft Trust List Signing
msSGC		Microsoft Server Gated Crypto
msEFS		Microsoft Encrypted File System
nsSGC		Netscape Server Gated Crypto

The key usage usage is explained in the section-4.2.1.3 of the x509 specification ⁵⁾ where you can see also which key_usage are also required using them.