3

With regard to this answer, I have a question about Key Usage in an SSL certificate.

Most SSL server certificates have a RSA key which is not restricted through a Key Usage extension, so you can use both "RSA" and "DHE_RSA" key types.

  • How do I determine if my certificate has a key usage restriction?
  • Do all SSL Keys have an RSA key?
  • Is there only one key usage to look out for, or are there others?

Where should I learn more?

makerofthings7

2 Answers

3

Not all certificates use RSA, but most do. A few months ago, I scanned a lot of random IP addresses to find SSL servers, and out of 10147 certificate chains (from 16027 servers -- there is considerable chain reuse), only 9 of them used anything other than RSA (6 with DSA keys, 3 with GOST keys; no Diffie-Hellman, no ECDSA). This is more than market dominance; RSA has an almost monopoly on cryptographic algorithms for SSL servers.

(I should write a Web page somewhere with all the stats.)

Apart from the Key Usage extension, a few other extensions can be relevant; see this answer for details.

Thomas Pornin
2

You should learn to use the "openssl" command-line tool (available for Windows, Linux, Mac OS X, etc.).

Type on the command line: (where mycert is your certificate)

openssl x509 -text -in mycert

This decodes all the fields in the certificate, and will list any restrictions.

No, it doesn't have to be RSA. You can select Diffie-Hellman instead when you create your certificate.

There are a wide variety of certificate uses. For example, you might want a certificate that can sign other certificates for the domain, so that you don't need to buy individual certificates from a CA, but can create them yourself.

Robert David Graham
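The check the second answer describes, scripted as an added example (not code from either answer): it reads the public key algorithm and the Key Usage extension out of "openssl x509 -text", treats a missing extension as unrestricted, and maps the bits to the "RSA" and "DHE_RSA" key exchanges the question quotes. It assumes OpenSSL 1.1.1 or later (for -addext, used only to build constructed test certificates); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the answers above): read a certificate's public key
# algorithm and Key Usage with openssl, and map the bits to the TLS key
# exchanges the question mentions. Assumes OpenSSL 1.1.1 or later.

# Public key algorithm as printed by "openssl x509 -text", e.g. rsaEncryption.
cert_key_algorithm() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Key Usage values (comma separated), or "unrestricted" when the certificate
# carries no Key Usage extension at all (the common case the question quotes).
cert_key_usage() {
    openssl x509 -noout -text -in "$1" | awk '
        /X509v3 Key Usage:/ { getline; sub(/^ +/, ""); print; found = 1 }
        END { if (!found) print "unrestricted" }'
}

# Plain RSA key exchange encrypts the premaster secret to the key, so it needs
# Key Encipherment; DHE_RSA/ECDHE_RSA sign the ephemeral parameters, so they
# need Digital Signature. No extension means both are permitted.
cert_rsa_kx_allowed() {
    ku=$(cert_key_usage "$1"); rsa=no; dhe=no
    case "$ku" in unrestricted) rsa=yes; dhe=yes ;; esac
    case "$ku" in *"Key Encipherment"*) rsa=yes ;; esac
    case "$ku" in *"Digital Signature"*) dhe=yes ;; esac
    echo "RSA=$rsa DHE_RSA=$dhe"
}

# Constructed self-signed test certificate: $1 output path, $2 -newkey spec
# (e.g. rsa:2048), $3 optional keyUsage list such as digitalSignature,keyAgreement.
make_test_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey "$2" -nodes -keyout "$1.key" -out "$1" \
            -subj "/CN=constructed test" -days 1 \
            -addext "keyUsage=critical,$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey "$2" -nodes -keyout "$1.key" -out "$1" \
            -subj "/CN=constructed test" -days 1 >/dev/null 2>&1
    fi
}

# Demo: a constructed RSA certificate limited to Digital Signature.
demo=$(mktemp -d)/demo.pem
make_test_cert "$demo" rsa:2048 digitalSignature
echo "algorithm: $(cert_key_algorithm "$demo")"
echo "key usage: $(cert_key_usage "$demo")"
cert_rsa_kx_allowed "$demo"
```

Point cert_key_usage at a real server certificate (openssl s_client -showcerts will fetch the chain) to see whether it is restricted; most public server certificates print both Digital Signature and Key Encipherment.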