5

I would like to restrict the X509 certificate for a site to be used strictly for a web service, as opposed to code signing or certificate signing.

Which basicConstraints and keyUsage attributes would restrict the use of the certificate to purposes other than a web service?

  • This question is related to http://security.stackexchange.com/a/68514/1577 The problem is that I do not fully understand the answer, and the answer is for client certificates as opposed to server certificates. – Mircea Vutcovici Dec 02 '16 at 18:48
  • The answer should be in RFC5280, but my mind can not read it. – Mircea Vutcovici Dec 02 '16 at 18:50

1 Answer

3

From GlobalSign: Code Signing FAQ:

Where an SSL certificate for a website would contain an extended key usage of Server Authentication showing it can be used to identify a server, a code signing certificate has an extended key usage of Code Signing to indicate it may be used to sign code.

Thus, for code signing you need an extended key usage of Code Signing, while for a web server instead a key usage of Server Authentication. And for certificate signing the basic constraints would need to allow the certificate to be used as a CA. By creating certificates which differ in these settings, and also have these settings marked as critical so that they are not ignored, you can get the appropriate restrictions.

Steffen Ullrich
  • Hi Steffen, I am interested only in the certificates used for a website. I would like to make it as secure as possible. E.g. if it gets compromised, I want to make sure it will not be used to sign other certificates or to sign software. – Mircea Vutcovici Dec 05 '16 at 06:00
  • @MirceaVutcovici: to cite myself: *"...while for a web server instead a key usage of Server Authentication...By creating certificates which differ in these settings and also have these settings marked as critical so that they are not ignored you can get the appropriate restrictions"*. If this is not what you were asking in your comment then I don't understand it. – Steffen Ullrich Dec 05 '16 at 06:14
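As an added example that is not part of the original answer or its comments: an OpenSSL extension profile that issues a certificate carrying the three restrictions the answer describes (basicConstraints CA:FALSE, a keyUsage limited to signing and key exchange, an extendedKeyUsage of serverAuth), all marked critical, and then decodes the result to confirm that nothing permitting code signing or certificate signing is present. The hostname www.example.com, the temporary working directory and the use of a self-signed certificate are assumptions made for the demonstration; in a real deployment the CSR goes to a CA, and it is the CA that writes these extensions into the issued certificate.

```shell
#!/bin/sh
# Added example (not from the original answer): issue a TLS-server-only
# certificate whose basicConstraints, keyUsage and extendedKeyUsage are all
# marked critical, then verify the decoded certificate.
# Assumes OpenSSL 1.1.1 or later on PATH; www.example.com is a placeholder.

set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profile: not a CA, signing/key-exchange only, TLS server only.
# A CA:FALSE certificate cannot appear as an issuer in a chain, and a
# critical EKU of serverAuth excludes code signing (RFC 5280 4.2.1.12).
write_server_profile() {
    cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = server_ext
prompt             = no

[ dn ]
CN = www.example.com

[ server_ext ]
basicConstraints   = critical, CA:FALSE
keyUsage           = critical, digitalSignature, keyEncipherment
extendedKeyUsage   = critical, serverAuth
subjectAltName     = DNS:www.example.com
EOF
}

# Self-signed here for the demonstration only (assumption); with a real CA the
# same [ server_ext ] section would be applied by the CA when signing the CSR.
make_server_cert() {
    write_server_profile
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Decoded certificate as text; the checks below grep over it.
cert_text() {
    openssl x509 -in "$WORK/server.crt" -noout -text
}

# Return 0 only if every restriction is present, critical and correct, and
# none of the usages the question wants to exclude appears.
check_server_only() {
    text="$(cert_text)"
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints: critical' \
        | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage: critical' \
        | grep -q 'Digital Signature, Key Encipherment' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage: critical' \
        | grep -q 'TLS Web Server Authentication' || return 1
    # keyUsage keyCertSign or an EKU of Code Signing would defeat the purpose.
    printf '%s\n' "$text" | grep -q 'Certificate Sign' && return 1
    printf '%s\n' "$text" | grep -q 'Code Signing' && return 1
    return 0
}

make_server_cert
check_server_only && echo "server-only certificate written to $WORK/server.crt"
```

The restriction holds only as far as relying parties enforce it: a TLS client that honours a critical extendedKeyUsage will refuse the certificate for any purpose other than server authentication, and a chain builder will refuse to treat a CA:FALSE certificate as an issuer, so a stolen key for this certificate is of no use for signing code or other certificates to any verifier that follows RFC 5280. A CA that ignores requested extensions and applies its own profile will produce whatever that profile says, so check the issued certificate, not the CSR.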