Discuss this help topic in SecureBlackbox Forum

Check certificate key usage

While technically X.509 certificates can be used to sign or encrypt anything you can think of, CAs often limit the scope of the certificates they issue. For instance, a CA may only allow the certificate to be used for TLS server authentication, and not for any other purpose, including data signing. This is done by including a Key Usage extension, which works like a simplified use policy. It is important that a validator checks the contents of the certificate's Key Usage extension and ensures that it includes the purpose the certificate is being used for.

By default, the TElX509CertificateValidator component checks the contents of the Key Usage extension when validating a chain. This check can be switched off if you need to validate a buggy chain that uses Key Usage incorrectly. However, in certain cases you might wish to check the contents of this extension manually.

First, make sure that the extension is included by checking the ceKeyUsage flag in TElX509Certificate.Extensions.Included. If the flag is off, the CA did not include the extension in the certificate, and the intended use of such a certificate is unlimited. If the extension is there, you can access the corresponding extension object via the TElX509Certificate.Extensions.KeyUsage property. The object exposes a collection of boolean properties, each one indicating a particular usage:

  • DigitalSignature — general digital signing, including that within higher-level entity authentication, and data authentication mechanisms.
  • NonRepudiation — digital signing within a non-repudiation service.
  • KeyEncipherment — key transport (e.g. RSA key exchange).
  • DataEncipherment — data encryption (other than that for transporting keys).
  • KeyAgreement — key exchange or agreement (e.g. DH or ECDH certificate).
  • KeyCertSign — certificate signing (CA).
  • CRLSign — CRL signing (CA/status service).
  • EncipherOnly, DecipherOnly — only make sense if the KeyAgreement flag is set. Indicate which operations with the key are allowed within the key agreement routine.

Some CAs also make use of the Extended Key Usage extension, which allows certificate issuers to provide custom usages in the form of OIDs (object identifiers). This extension is represented by the TElX509Certificate.Extensions.ExtendedKeyUsage object, provided that the ceExtendedKeyUsage flag in TElX509Certificate.Extensions.Included is set.

Some predefined standard usages are published as boolean properties of the TElExtendedKeyUsageExtension class: the widely used ServerAuthentication, ClientAuthentication, CodeSigning, EmailProtection, TimeStamping, and OCSPSigning usages are each available as the corresponding property. Other custom usages are available through its CustomUsages[] property.
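
A manual check along the lines described above, as an added example that is not taken from the SecureBlackbox documentation. The TCertPurpose type, the CertAllowsPurpose function, the mapping of purposes to flags, and the SBX509 / SBX509Ext unit names are assumptions of this example; all other identifiers are the ones named on this page.

```delphi
unit KeyUsageCheck;

interface

uses
  SBX509, SBX509Ext; // assumed units declaring the classes and flags named on this page

type
  // Hypothetical purposes for this example; not SecureBlackbox types.
  TCertPurpose = (cpTLSServer, cpDataSigning, cpCertIssuing);

function CertAllowsPurpose(Cert: TElX509Certificate;
  Purpose: TCertPurpose): Boolean;

implementation

function CertAllowsPurpose(Cert: TElX509Certificate;
  Purpose: TCertPurpose): Boolean;
begin
  // No Key Usage extension: the CA has not limited the intended use.
  Result := True;

  if ceKeyUsage in Cert.Extensions.Included then
    case Purpose of
      cpTLSServer:
        // Signature-based, key transport, or key agreement key exchange.
        Result := Cert.Extensions.KeyUsage.DigitalSignature or
                  Cert.Extensions.KeyUsage.KeyEncipherment or
                  Cert.Extensions.KeyUsage.KeyAgreement;
      cpDataSigning:
        Result := Cert.Extensions.KeyUsage.DigitalSignature or
                  Cert.Extensions.KeyUsage.NonRepudiation;
      cpCertIssuing:
        Result := Cert.Extensions.KeyUsage.KeyCertSign;
    end;

  // Extended Key Usage, when present, narrows the permitted use further.
  // Only the TLS server purpose is mapped to an EKU property here.
  if Result and (Purpose = cpTLSServer) and
     (ceExtendedKeyUsage in Cert.Extensions.Included) then
    Result := Cert.Extensions.ExtendedKeyUsage.ServerAuthentication;
end;

end.
```

Checking the Included flag before reading either extension object is what separates "the CA set no limit" from "the CA set a limit that excludes this purpose".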
