3

Do web servers reject certificates that do not have an extended key usage with TLS WWW Client Authentication set (if client authentication is required)? Similarily, do Browsers reject certificates that do not have an extended key usage with TLS WWW Server Authentication set? The Extended Key Usage is often flagged as non-critical so theoretically implementations MAY ignore it but the question is whether most implementations require an extended key usage to be present?

Also... where exactly is specified what these two key usages mean and what implementations must do with it? https://www.rfc-editor.org/rfc/rfc5280#page-44 does not really specify the meaning behind these key usages (except for what the name TLS WWW Client/Server Authentication already tells you).

Community
  • 1
mroman
  • 555
  • 3
  • 9
  • A relier should never ignore an extension it understands; noncritical means if you _don't_ understand it you can ignore it and still accept the cert. – dave_thompson_085 Dec 30 '17 at 01:46

1 Answers1

6

For client certificates, see this post. It contains evidence that the NSS library invalidates client certificates which do not follow RFC 5280, Section 4.2.1.12.:

This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates. [..]

If the extension is present, then the certificate MUST only be used for one of the purposes indicated. [..] Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application.

For server certificates, it is not that clear. The CA/Browser Forum Baseline Requirements do not specify a policy regarding these usages for end-entity certificates.

According to the above RFC excerpt, applications can optionally impose requirements on the EKU extension in certificates. I can only think of OpenVPN as an example (when using X.509 certificates for authentication). With OpenVPN, the client and server certificates are usually signed by a single CA. By using the TLS Web Client Authentication or TLS Web Server Authentication EKU, it can prevent clients from impersonating servers using their own client certificate.

As for the meaning behind these key usages, the name is pretty self-describing. To understand the background, read Section 2 (Requirements and Assumptions) of RFC 5280.

Community
  • 1
Lekensteyn
  • 5,958
  • 5
  • 38
  • 62