On Tue, Dec 04, 2007, Eljas Alakulppi wrote:

>
> I would like to separate my client signing CA and server signing CA. I would 
> also like them to force their purpose, so if someone gets a hold of my 
> client signing CA, they can't use it to sign server certificates and thus 
> cannot claim they are a server on which clients can trust.
>
> Is this possible? The standard Windows-included public CA certificates seem 
> to indicate this is possible (for example VeriSign's CAs include the following 
> purposes "Proves your identity to remote computer" and "Ensures the 
> identity of a remote computer". I assume they refer to client and server 
> certificates).
>

Well in some cases the CA trust settings are hard coded defaults in the
Windows certificate store.

You *may* be able to achieve this by setting the Extended Key Usage (EKU)
extension to an appropriate value (client auth or server auth) but this
interpretation in CA certificates is far from universal. 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
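An added example, not part of the thread: the EKU approach Steve describes, built with the OpenSSL command line. It creates a CA whose own certificate carries an EKU of clientAuth only, issues a server certificate from it, and shows that OpenSSL's `-purpose sslserver` check rejects the chain while a plain signature-chain verify passes. The CA and server names, file paths and keys are all constructed; which verifiers honour EKU on a CA certificate is implementation-specific, as the reply notes.

```shell
#!/bin/sh
# Added example (not from the thread). The CA's own certificate carries an EKU
# of clientAuth only; OpenSSL's -purpose check applies a CA's EKU to the whole
# chain, so a server cert issued by it fails "sslserver" even though the
# signature chain is valid. Names, paths and keys are made up and throwaway.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Client-signing CA profile: the extendedKeyUsage line is the restriction.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Client CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = clientAuth
EOF

# Server certificate profile, to be signed (wrongly) by the client CA.
cat > "$WORK/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = www.example.test
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.cnf" \
  -extensions leaf_ext -out "$WORK/server.crt" 2>/dev/null

# Plain chain validation: signature and basicConstraints are fine, so it passes.
chain_valid() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
# Purpose-aware validation: fails with "unsupported certificate purpose" at
# depth 1 (the CA), because the CA's EKU does not include serverAuth.
server_purpose_ok() { openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$WORK/server.crt" >/dev/null 2>&1; }
chain_valid && echo "plain verify: chain valid"
server_purpose_ok || echo "-purpose sslserver: rejected by CA EKU"
```

A Windows verifier applies the same kind of constraint through the "Proves your identity to a remote computer" / "Ensures the identity of a remote computer" purposes seen in the certificate store, but other implementations may ignore EKU on CA certificates entirely, so this restricts well-behaved relying parties rather than guaranteeing anything.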
