[Openswan Users] X.509 key usage
Andreas Steffen
andreas.steffen at strongsec.net
Mon Jul 19 14:53:53 CEST 2004
The keyUsage and extendedKeyUsage flags are not checked by *swan.
An exception is the OCSP signing certificates introduced with
the X.509 patch version >= 1.5, where the OCSPSigning flag must be
mandatorily set in the extendedKeyUsage field.
Intermediate CA certificates sent via PKCS#7-wrapped certificate payloads
must have the CA basicConstraints field set to TRUE in order to get
accepted.
Regards
Andreas
Gregor Bethlen wrote:
> Hello list,
>
> I wondered if OpenS/WAN refers to the keyUsage and extendedKeyUsage fields in
> X.509 certificate extensions. I found nothing in readme.X509, and an
> archived mailing-list entry from FreeS/WAN said that just the DN and the
> public key are used. (I hope the signature gets checked, though.) Since this
> mail was from around 2001, I wondered if the keyUsage gets checked by
> OpenS/WAN.
>
> Thanks for any answers,
>
> Gregor
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
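
The two checks the reply describes (cA = TRUE in basicConstraints for intermediate CAs, OCSPSigning in extendedKeyUsage for OCSP signer certificates), as an added example that is not part of the original post and is not Openswan code: a stdlib-only Python walk over the DER of a certificate's Extensions SEQUENCE. All function names and the sample extension bytes are constructed for illustration.

```python
# Added example: stdlib-only DER walk over an X.509 Extensions SEQUENCE.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")       # 2.5.29.19
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")           # 2.5.29.37
OID_OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # 1.3.6.1.5.5.7.3.9
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")   # 1.3.6.1.5.5.7.3.1

def tlv(tag, body):
    """Encode one DER element; short-form length only, enough for the samples."""
    return bytes([tag, len(body)]) + body

def children(data):
    """Yield (tag, contents) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):
            raise ValueError("truncated DER")
        yield tag, data[i:i + n]
        i += n

def parse_extensions(ext_seq):
    """Map extnID bytes to extnValue contents; the critical flag is skipped."""
    (_, body), = children(ext_seq)
    return {f[0][1]: f[-1][1] for f in (list(children(e)) for _, e in children(body))}

def is_ca(exts):
    """Intermediate CA rule: basicConstraints present with cA = TRUE."""
    (_, seq), = children(exts.get(OID_BASIC_CONSTRAINTS, b"\x30\x00"))
    return any(t == 0x01 and v != b"\x00" for t, v in children(seq))

def has_ocsp_signing(exts):
    """OCSP signer rule: extendedKeyUsage lists the OCSPSigning OID."""
    (_, seq), = children(exts.get(OID_EXT_KEY_USAGE, b"\x30\x00"))
    return any(t == 0x06 and v == OID_OCSP_SIGNING for t, v in children(seq))

def ext(oid, value, critical=False):
    """Build one Extension (constructed sample data, not from a real certificate)."""
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + flag + tlv(0x04, value))

CA_EXTS = tlv(0x30, ext(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), True))
OCSP_EXTS = tlv(0x30, ext(OID_EXT_KEY_USAGE, tlv(0x30, tlv(0x06, OID_OCSP_SIGNING))))
HOST_EXTS = tlv(0x30, ext(OID_BASIC_CONSTRAINTS, tlv(0x30, b""))
                + ext(OID_EXT_KEY_USAGE, tlv(0x30, tlv(0x06, OID_SERVER_AUTH))))
```

HOST_EXTS models an end-entity certificate whose basicConstraints omits cA (default FALSE) and whose extendedKeyUsage lists only serverAuth, so it fails both rules.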