What are the possible Certificate Usages ?


A certificate may have one or more several usages. This articles list them and shows you how to discover the usage also known as certificat purpose.

The usage (key usage and extended key usage) are stored in the certificate as extensions.


Key Usage

A certificate can be used for one or more of the below usage category known as KeyUsage (KU, or id-ce-keyUsage) 1) :

Name Identifier Name for Human Description
digitalSignature Digital signature To add a signature to a message
nonRepudiation non-repudation - the message cannot be denied from having been sent
keyEncipherment To encrypt a key
dataEncipherment To encrypt data
keyAgreement For key exchange
keyCertSign Certificate signing To signed a certificate
cRLSign CRL signing To sign a certificate revocation list (crl)
encipherOnly and decipherOnly To only encrypt or decrypt

The usage name is the name used by openssl.

The key usage usage is explained in the x509 specification section-

Extended Key Usage

The ExtendedKeyUsage (or id-ce-extKeyUsage) 2) is another field that defines more precisely the keyUsage by defining the purpose.

The list below is non-exhaustive 3).

Name Object ID (OID) 4) Description
serverAuth id-kp-serverAuth SSL/TLS Web Server Authentication.
clientAuth id-kp-clientAuth SSL/TLS Web Client Authentication
codeSigning id-kp-codeSigning Code signing (Signing of downloadable executable code)
emailProtection id-kp-emailProtection E-mail Protection (S/MIME)
timeStamping Trusted Timestamping (Binding the hash of an object to a time)
msCodeInd Microsoft Individual Code Signing (authenticode)
msCodeCom Microsoft Commercial Code Signing (authenticode)
msCTLSign Microsoft Trust List Signing
msSGC Microsoft Server Gated Crypto
msEFS Microsoft Encrypted File System
nsSGC Netscape Server Gated Crypto

The key usage usage is explained in the section- of the x509 specification 5) where you can see also which key usage are also required using them.


The key usage and extended key usage are stored in the certificate as extensions.


This is a snaphsot of gpg where we can see the usage.


With portecle, you can see the keyUsage and extendedKeyUsage in the extensions.

Powered by ComboStrap