What are the possible usages of a cryptographic certificate?

Certificate Validity Period Not Before Not After Portecle

About

A certificate may have one or more several usages. This articles list them and show you how to discover the usage also known as certificat purpose.

The usage (key_usage and extended_key_usage) are stored in the certificate as extensions.

List

Key Usage

A certificate can be used for one or more of the below usage category known as KeyUsage (KU, or id-ce-keyUsage) 1) :

Name Identifier Name for Human Description
digitalSignature Digital signature To add a signature to a message
nonRepudiation non-repudation - the message cannot be denied from having been sent
keyEncipherment To encrypt a key
dataEncipherment To encrypt data
keyAgreement For key exchange
keyCertSign Certificate signing To signed a certificate
cRLSign CRL signing To sign a certificate revocation list (crl)
encipherOnly and decipherOnly To only encrypt or decrypt

The usage name is the name used by openssl.

The key usage usage is explained in the x509 specification section-4.2.1.3.

Extended Key Usage

The ExtendedKeyUsage (or id-ce-extKeyUsage) 2) is another field that defines more precisely the keyusage by defining the purpose.

The list below is non-exhaustive 3).

Name Object ID (OID) 4) Description
serverAuth id-kp-serverAuth SSL/TLS Web Server Authentication.
clientAuth id-kp-clientAuth SSL/TLS Web Client Authentication
codeSigning id-kp-codeSigning Code signing (Signing of downloadable executable code)
emailProtection id-kp-emailProtection E-mail Protection (S/MIME)
timeStamping Trusted Timestamping (Binding the hash of an object to a time)
msCodeInd Microsoft Individual Code Signing (authenticode)
msCodeCom Microsoft Commercial Code Signing (authenticode)
msCTLSign Microsoft Trust List Signing
msSGC Microsoft Server Gated Crypto
msEFS Microsoft Encrypted File System
nsSGC Netscape Server Gated Crypto

The key usage usage is explained in the section-4.2.1.3 of the x509 specification 5) where you can see also which key_usage are also required using them.

See

The key_usage and extended_key_usage are stored in the certificate as extensions.

gpg

This is a snaphsot of gpg where we can see the usage.

Certificate Usage

PorteCle

With portecle, you can see the keyUsage and extendedKeyUsage in the extensions.

Certificate Key Usage And Extended Porte Cle

1)
KeyUsage specification
2) , 4) , 5)
ExtendedKeyUsage specification
3)
Extended-Key-Usage in Openssl




Discover More
Certificate Validity Period Not Before Not After Portecle
CA Certificate

A CA certificate is a certificate used by a certificate authority to sign certificate. In the chain, it's the Root certificate or the intermediate certificates. Most organizations create an intermediate...
Protecle Certificate Extensions
Certificates - Extensions (X509v3 extensions)

extensions are key values that are part of a certificate. They are also known as the X509v3 extensions because they are defined in the x509 certificate format. The most known and extension are: ...
Domain Validate Certificate
Domain Validated Certificates (DV)

Domain Validated certificates are server signed certificates where the ownership of the domain was checked. There is no identifying organizational information for these certificates and thus should never...
Web Site Certificate
How to enable SSL on a server (ie HTTPS on a web server) ?

This page shows you how to configure a certificate and a private key for a server in order to enable SSL or a web server (http) (ie web site) in order to enable https (ie HTTP over SSL).
Certificate Validity Period Not Before Not After Portecle
Identification Material - Certificate (or Public Key Certificate)

A certificate is a document which permits to define with certainty the owner of the private key (ensures that the party you are communicating with is whom you think.) because it's digitally signed A certificate...
Certification Chain Path Chrome Dev
Root Certificate

A root certificate is a CA certificate that is located at the top of the certificate chain. A root ca is a certificate authority certificate that is self signed. This example shows you how to create...
Card Puncher Data Processing
What is a Public Key Cryptography (known as Asymmetric Cipher) ?

(Public Key Cryptography|Asymmetric Cipher) Public key cryptography is a cryptographic system from the 70's that uses pairs of keys It's also known as: * asymmetric cryptography) * non-secret...
Public Key Crypto Pair Key Creation
What is a client certificate authentication ? (SSL/TLS Web)

Client certificate authentication is a certification based authentication mechanism where the client identifies itself to the server by sending a signed certificate. The server just needs to verify the...



Share this page:
Follow us:
Task Runner