What is the difference between the x.509 V3 extensions Basic Constraints and Key Usage to create a CA certificate?

Backend · unresolved · 2 answers · 1889 views
时光说笑 2021-02-13 01:39

These two actions seem to do the same:

  • using the Basic Constraints extension in a X.509 Certificate to signify that it is a CA certificate and
2 answers
  • 情歌与酒
    2021-02-13 02:09

    "Key Usage" defines what can be done with the key contained in the certificate. Examples of usage are: ciphering, signature, signing certificates, signing CRLs.

    "Basic Constraints" identifies whether the subject of the certificate is a CA that is allowed to issue child certificates.

    For a certificate that can be used to sign certificates, the info is in some sense duplicated:

    • X509v3 Basic Constraints: CA: TRUE --- Can sign certificates
    • X509v3 Key Usage: Key Cert Sign --- Can sign certificates

    But "Basic Constraints" will also specify the maximum depth of a valid certification chain.

    Though it is duplicated, you need to specify both, according to RFC 3280 --- X.509. This is the relevant paragraph from the RFC (page 29):

    The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (section 4.2.1.10) MUST also be asserted.
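
As an added example that is not part of the original question or answer: the two extension values the answer describes, decoded straight from DER without any third-party library, followed by the cross-check the RFC paragraph above demands (RFC 3280 has since been replaced by RFC 5280, which keeps the same rule and adds that a CA certificate carrying a Key Usage extension must assert keyCertSign, and that pathLenConstraint is only meaningful when cA is TRUE and keyCertSign is asserted or Key Usage is absent). The byte strings are constructed for this example; they match the encodings OpenSSL emits for a typical CA certificate (CA:TRUE, pathlen:0, keyCertSign+cRLSign) and a typical TLS server certificate (CA:FALSE, digitalSignature+keyEncipherment). The function and constant names are my own.

```python
# Added example, not the original poster's code: decode the *values* of the two
# X.509 v3 extensions (the OCTET STRING body, not the whole Extension SEQUENCE)
# and apply the RFC 3280 / RFC 5280 rules that tie them together.
#   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                   pathLenConstraint INTEGER (0..MAX) OPTIONAL }
#   KeyUsage ::= BIT STRING { digitalSignature(0), nonRepudiation(1),
#       keyEncipherment(2), dataEncipherment(3), keyAgreement(4),
#       keyCertSign(5), cRLSign(6), encipherOnly(7), decipherOnly(8) }
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Constructed sample encodings (same bytes OpenSSL produces for these settings).
CA_BASIC_CONSTRAINTS = bytes.fromhex("30060101ff020100")  # CA:TRUE, pathlen:0
EE_BASIC_CONSTRAINTS = bytes.fromhex("3000")              # CA:FALSE (DEFAULT omitted)
CA_KEY_USAGE = bytes.fromhex("03020106")                  # keyCertSign, cRLSign
EE_KEY_USAGE = bytes.fromhex("030205a0")                  # digitalSignature, keyEncipherment


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for one DER TLV with a short-form length."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:  # these extensions are tiny; long-form lengths are out of scope here
        raise ValueError("long-form length not supported in this example")
    end = pos + 2 + length
    if end > len(data):
        raise ValueError("truncated TLV value")
    return tag, data[pos + 2:end], end


@dataclass
class BasicConstraints:
    ca: bool
    path_len: Optional[int]


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN; absent means DEFAULT FALSE
        _, val, pos = _read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise ValueError("DER BOOLEAN must be 00 or FF")
        ca = val == b"\xff"  # explicit FALSE is BER rather than DER, but occurs in the wild
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint MUST be >= 0")
    if pos != len(body):
        raise ValueError("unexpected trailing bytes in BasicConstraints")
    return BasicConstraints(ca, path_len)


def parse_key_usage(der: bytes) -> Set[str]:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x03 or end != len(der) or not body:
        raise ValueError("KeyUsage must be exactly one BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (bits and bits[-1] & ((1 << unused) - 1)):
        raise ValueError("unused bits in the KeyUsage BIT STRING must be zero")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, shift = divmod(i, 8)  # bit 0 is the most significant bit of the first byte
        if byte < len(bits) and bits[byte] & (0x80 >> shift):
            usages.add(name)
    return usages


def ca_problems(basic_constraints: Optional[bytes], key_usage: Optional[bytes]) -> List[str]:
    """Cross-check both extensions as a path validator does (RFC 5280 4.2.1.3, 4.2.1.9, 6.1.4)."""
    bc = parse_basic_constraints(basic_constraints) if basic_constraints else None
    ku = parse_key_usage(key_usage) if key_usage else None
    cert_sign = ku is not None and "keyCertSign" in ku
    problems = []
    if cert_sign and not (bc and bc.ca):
        problems.append("keyCertSign asserted but cA is not TRUE")
    if bc and bc.ca and ku is not None and not cert_sign:
        problems.append("cA TRUE but the KeyUsage present lacks keyCertSign")
    if bc and bc.path_len is not None and not (bc.ca and (ku is None or cert_sign)):
        problems.append("pathLenConstraint present without cA TRUE and keyCertSign")
    return problems


if __name__ == "__main__":
    print(parse_basic_constraints(CA_BASIC_CONSTRAINTS), sorted(parse_key_usage(CA_KEY_USAGE)))
    print("proper CA:        ", ca_problems(CA_BASIC_CONSTRAINTS, CA_KEY_USAGE))
    print("CA:FALSE + certsign:", ca_problems(EE_BASIC_CONSTRAINTS, CA_KEY_USAGE))
    print("CA:TRUE + EE usage: ", ca_problems(CA_BASIC_CONSTRAINTS, EE_KEY_USAGE))
```

The second and third calls in the `__main__` block show why the duplication the answer mentions is not redundant: a certificate with keyCertSign but CA:FALSE violates the quoted MUST, and a CA:TRUE certificate whose Key Usage lists only end-entity bits is rejected at step 6.1.4 (n) of RFC 5280 path validation even though Basic Constraints alone would have allowed it. A Key Usage value that the parser accepts is not the same as a certificate that validates; a real validator also checks the signature, validity period and name constraints, which this example leaves out.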
