[openssl-users] keyusage digitalSignature in CA certs
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Aug 17 13:32:39 UTC 2017
AFAIK it must.
Regards,
Uri
Sent from my iPhone
> On Aug 17, 2017, at 09:21, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
> Should digitalSignature be included in keyusage in CA certs?
>
>
> https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
>
> Includes it.
>
> https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898
>
> Does not include it.
>
> It seems to make a root or intermediate CA be able to have more purposes than it should? e.g.
>
> SSL client : Yes
> SSL server : Yes
> S/MIME signing : Yes
>
> So which is right for a CA's key usage?
>
> thanks
>
> Bob
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
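
Added example, not part of the thread and not OpenSSL code: it decodes the DER BIT STRING inside a keyUsage extension (bit numbers from RFC 5280, section 4.2.1.3) and shows how the digitalSignature bit alone changes the end-entity purposes listed in the question. The purpose table is a simplified assumption that looks at key usage only and ignores extendedKeyUsage and nsCertType; the two sample values are constructed.

```python
# Key usage bit names in RFC 5280 order: bit 0 is the most significant bit of byte 0.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

# Simplified model (assumption): a non-CA purpose is available when at least
# one of the listed key usage bits is set; no other extension is consulted.
PURPOSE_NEEDS = {
    "SSL client": {"digitalSignature", "keyAgreement"},
    "SSL server": {"digitalSignature", "keyEncipherment", "keyAgreement"},
    "S/MIME signing": {"digitalSignature", "nonRepudiation"},
}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried as the keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused = der[1], der[2]
    if length >= 0x80 or length != len(der) - 2 or unused > 7:
        raise ValueError("malformed BIT STRING")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KU_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KU_BITS[i])
    return names

def review_ca_key_usage(der: bytes) -> dict:
    """Report cert-signing ability and which end-entity purposes the bits admit."""
    usage = decode_key_usage(der)
    return {
        "usage": sorted(usage),
        "can_sign_certs": "keyCertSign" in usage,
        "end_entity_purposes": sorted(
            p for p, need in PURPOSE_NEEDS.items() if usage & need),
    }

# Constructed samples: the two CA variants the question contrasts.
WITH_DS = bytes.fromhex("03020186")     # digitalSignature, keyCertSign, cRLSign
WITHOUT_DS = bytes.fromhex("03020106")  # keyCertSign, cRLSign

if __name__ == "__main__":
    for label, der in (("with digitalSignature", WITH_DS),
                       ("without digitalSignature", WITHOUT_DS)):
        print(label, review_ca_key_usage(der))
```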