Key Usage of the certificate

hhiiro · December 11, 2022, 7:58am

Dear Let's Encrypt community members,

I am now confused about the usage of the certificate issued by Let's Encrypt, especially whether the certificate can be used to sign a PDF file.

If my understanding is correct, the following information is included in the certificate.

Key Usage: Critical, Digital Signature
Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication

I read a similar topic to my question ( X509 cert for signing files (digital signatures) ) and frequently asked questions, but the "Critical" keyword is not mentioned in the discussions.

Since "Critical" is appended in "Key Usage," all key usages other than "Digital Signature" are prohibited.
However, "Critical" does not appear in "Extended Key Usage," I understand that extended key usages other than TLS-related ones, such as code signing, are possible.

Am I correct, or am I missing some technical limitations?

Best regards,
hhiiro

rg305 · December 11, 2022, 8:05am

AFAIK, you can't use an LE cert to sign anything else.
Only to encrypt.

_az · December 11, 2022, 8:08am

I think your interpretation is probably right.

"Digital Signature" is critical, but would be appropriate for document signing. So you get a tick there.

Since the EKU extension is not critical, you get a tick there too.

In reality, I think software which deals with document signing and verification, will probably have its own trust stores and stricter requirements for EKUs.

system · January 10, 2023, 8:09am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.