Generate certificate with the key usage option

How to generate the cert with the key usage parameter?

I have generated the cert successfully, but the key usage is empty.


Any way to make the cert with keyUsage = keyEncipherment?

By RFC X509,
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }

Let's Encrypt certificates actually do have the "Key Encipherment" key usage set.

Is your question Let's Encrypt related?

It seems ECDSA can't have the Key Encipherment key usage I learned today, so that might be the reason.


RSA certificates have Digital Signature and Key Encipherment.
ECDSA certificates only have Digital Signature, because as the thread Osiris linked above says, ECDSA isn't appropriate for encryption.

Those certificates should work just fine for TLS, which is what the Extended Key Usages indicate the certificates are for.

What do you need the key usage keyEncipherment for? Something non-TLS?
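As an added example (not code from the original thread or from Let's Encrypt): a small pure-Python encoder/decoder for the DER-encoded KeyUsage BIT STRING defined earlier in the thread, plus a check that reflects the RSA-vs-ECDSA point made in this reply. The DER byte strings are constructed sample values, and the policy check is an assumed reading of the thread, not an official rule.

```python
# KeyUsage named bits, in the order RFC X.509 assigns them (bit 0 first).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03, short length, unused-bits byte, bits)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (not bits and unused != 0):
        raise ValueError("invalid unused-bits count")
    names = set()
    for i in range(len(bits) * 8 - unused):
        if (bits[i // 8] >> (7 - i % 8)) & 1:
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"undefined KeyUsage bit {i}")
            names.add(KEY_USAGE_BITS[i])
    return names

def encode_key_usage(names) -> bytes:
    """Encode named bits as DER; trailing zero bits are dropped, as DER requires."""
    indexes = [KEY_USAGE_BITS.index(n) for n in names]
    if not indexes:
        return bytes([0x03, 0x01, 0x00])
    highest = max(indexes)
    value = bytearray(highest // 8 + 1)
    for i in indexes:
        value[i // 8] |= 0x80 >> (i % 8)
    unused = len(value) * 8 - (highest + 1)
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body

def check_tls_leaf(key_algorithm: str, usage: set) -> list:
    """Assumed policy from this thread for a TLS server certificate: findings list."""
    findings = []
    if "digitalSignature" not in usage:
        findings.append("missing digitalSignature, needed to sign the TLS handshake")
    if key_algorithm == "ECDSA" and "keyEncipherment" in usage:
        findings.append("keyEncipherment asserted on an ECDSA key, which cannot encrypt")
    elif key_algorithm == "RSA" and {"digitalSignature", "keyEncipherment"} <= usage:
        findings.append("digitalSignature and keyEncipherment on one certificate")
    return findings

if __name__ == "__main__":
    # Constructed sample: an RSA-style value (bits 0 and 2 set, 5 unused bits).
    print(decode_key_usage(bytes.fromhex("030205a0")))
```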

The CA/Browser Forum has recently voted on a new ballot under which having both Digital Signature and Key Encipherment on the same certificate is NOT RECOMMENDED:

Subscribers MAY wish to ensure key separation to limit the risk from such legacy protocols, and thus a CA MAY issue a Subscriber certificate that only asserts the keyEncipherment bit. For most Subscribers, the digitalSignature bit is sufficient, while Subscribers that want to mix insecure and secure ciphersuites with the same algorithm may choose to assert both digitalSignature and keyEncipherment within the same certificate, although this is NOT RECOMMENDED.

Since that's NOT RECOMMENDED, Let's Encrypt may at some point begin the process of removing keyEncipherment (of course, with plenty of warning). So I want to know what uses of keyEncipherment may be around.

