KeyUsage Extension
原文网址:http://pic.dhe.ibm.com/infocenter/seas/v2r4m1/index.jsp?topic=%2Fcom.ibm.help.seasimplementationguide.doc%2FSEAS_KeyUsage_Extension.html
The KeyUsage extension defines the following variables, which correlate directly to the bit fields defined in RFC 3280 for the extension:
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
- keyAgreement
- keyCertSign
- cRLSign
- encipherOnly
- decipherOnly
Because the KeyUsage extension is a common area for problems with interoperability, the default formulas for KeyUsage specify a minimal set of rules that demonstrate the mechanics of the feature:
- Client-KeyUsage: !({encipherOnly} && {decipherOnly})
- Server-KeyUsage: !({encipherOnly} && {decipherOnly})
- CA-KeyUsage: !({encipherOnly} && {decipherOnly}) && {keyCertSign}
The first two rules state that it is not legal to set both the encipherOnly and decipherOnly bits in the same certificate. The third rule adds that CA certificates must include the keyCertSign bit. Replace or modify the expressions to implement an application-specific policy for the key usage setting.