[openssl-users] keyusage digitalSignature in CA certs

Robert Moskowitz rgm at htt-consult.com
Thu Aug 17 13:20:52 UTC 2017

Should digitalSignature be included in keyusage in CA certs?


Includes it.


Does not include it.

It seems to make a root or intermediate CA be able to have more purposes 
than it should?  e.g.

SSL client : Yes
SSL server : Yes
S/MIME signing : Yes

So which is the right for a CA's key usage?



More information about the openssl-users mailing list