On Fri, Jun 27, 2003, Jeremy Wiebe wrote:

> Hello all,
>
> I've been digging around in the openssl-users mailing list looking for a
> listing of available X.509 extensions that are valid. I googled a bit for
> them and can't seem to find a definitive listing of extensions that OpenSSL
> supports.
>

The FAQ points you to doc/openssl.txt.

> Background: We are using OpenSSL to create a Certificate Authority. It will
> issue certificates to clients in a mostly private environment to be used
> strictly for the clients to identify themselves to a server. Currently I've
> got everything working, but when I view the generated certificates in
> Windows it says that the certificate has "All application policies" and the
> Key Usage is set to "Digital Signature, Key Encipherment, Data Encipherment
> (b0)".
>
> My question, is this ok? or should I be limiting these certificates more?
>

Depends on what you want to do with them.

MS software typically uses the extended key usage extension to determine which usages to permit and then allows the user installing the certificate to limit usage further. If you look at some of the standard root CAs (e.g. Thawte Freemail) you'll see that only a couple of a large list of potential purposes are checked.

Where do you get the message "All application policies" BTW? I've not noticed that one before.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
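
Added example, not part of the original message or of the OpenSSL documentation: two extension sections for an OpenSSL configuration file, one matching the key usage Windows displayed in the question and one limited to client identification through the extended key usage extension mentioned in the reply. The section names are hypothetical, and the first section is reconstructed from the question on the assumption that no extendedKeyUsage was set.

```ini
# Constructed example; both section names are hypothetical.

# Approximately what the certificates in the question carry: three key
# usage bits (digitalSignature 0x80 + keyEncipherment 0x20 +
# dataEncipherment 0x10 = 0xb0) and, by assumption, no extendedKeyUsage.
# Software that decides on purposes from the extended key usage
# extension then has nothing to restrict the certificate by.
[ usr_cert_broad ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment, dataEncipherment

# Restricted profile for certificates used strictly to identify a
# client to a server. Assumption of this example: the client only has
# to sign during authentication, so digitalSignature is the only key
# usage bit it needs.
[ usr_cert_client ]
# End-entity certificate: it must not be usable to issue certificates.
basicConstraints       = critical, CA:FALSE
# Drop the encipherment bits; mark critical so relying software that
# processes the extension has to honour it.
keyUsage               = critical, digitalSignature
# Extended key usage: client authentication only.
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
```

Select the section with `x509_extensions = usr_cert_client` in the CA section of the configuration file or with `openssl ca -extensions usr_cert_client`, then confirm what was issued with `openssl x509 -in cert.pem -noout -text`.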