What is the difference between the x.509 V3 extensions Basic Constraints and Key Usage to create a CA certificate?

These two actions seem to do the same thing:

  • using the Basic Constraints extension in an X.509 certificate to signify that it is a CA certificate, and
  • using the Key Usage extension, e.g. to signify that the public key can be used for certificate signing.

What is the difference between these extensions?
Do they serve the same purpose or complement each other?

Cratylus asked Apr 26 '11 19:04




2 Answers

"Key Usage" defines what can be done with the key contained in the certificate. Examples of usage are: ciphering, signature, signing certificates, signing CRLs.

"Basic Constraints" identifies whether the subject of the certificate is a CA that is allowed to issue child certificates.

For a certificate that can be used to sign certificates, the info is in some sense duplicated:

  • X509v3 Basic Constraints: CA: TRUE --- Can sign certificates
  • X509v3 Key Usage: Key Cert Sign --- Can sign certificates

But "Basic Constraints" will also specify the maximum depth of valid certification chain.

Though it is duplicated, you need to specify both, according to RFC 3280 --- X.509. This is the relevant paragraph from the RFC (page 29):

The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (section 4.2.1.10) MUST also be asserted.

Babu Srinivasan answered Oct 19 '22 02:10


Key Usage describes intended purposes of the certificate.

The Basic Constraints extension describes how deep the certificate chain that has the certificate as its top can be. In other words, this extension is used by CAs to restrict the activity of their sub-CAs when the sub-CA certificate is issued. If a top-level CA gets a sub-CA, it allows the sub-CA to issue end-user certificates, but doesn't allow the sub-CA to have its own sub-CAs.

Eugene Mayevski 'Callback answered Oct 19 '22 02:10
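The two points made in the answers above (the keyCertSign/cA rule quoted from the RFC, and the path length carried only by Basic Constraints) shown side by side in working code. This is an added example, not code from either answer; it assumes the Python `cryptography` package is installed, and the CA names and dates are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, key, issuer, issuer_key, ca, path_length, key_cert_sign):
    """Build a certificate; self-signed when issuer is None. Dates are constructed."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer.subject if issuer else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        # Basic Constraints: is the subject a CA, and how many sub-CAs may sit below it?
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
        # Key Usage: what the certified key may be used for (keyCertSign = sign certificates).
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=key_cert_sign,
            crl_sign=key_cert_sign, encipher_only=False, decipher_only=False), critical=True)
    )
    return builder.sign(issuer_key or key, hashes.SHA256())

def basic_constraints(cert):
    """Return (cA, pathLenConstraint) as a path validator would read them."""
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return bc.ca, bc.path_length

def key_usage_consistent(cert):
    """RFC 3280 / RFC 5280 section 4.2.1.3: keyCertSign asserted => cA MUST be TRUE."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    return (not ku.key_cert_sign) or basic_constraints(cert)[0]

def build_chain():
    root_key, sub_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    root = make_cert("Example Root CA", root_key, None, None, ca=True, path_length=1, key_cert_sign=True)
    # pathlen:0 on the sub-CA: it may issue end-entity certificates but no further sub-CAs.
    sub = make_cert("Example Sub CA", sub_key, root, root_key, ca=True, path_length=0, key_cert_sign=True)
    # Asserts keyCertSign without cA=TRUE: violates the MUST quoted in the first answer.
    bad = make_cert("Misconfigured", sub_key, root, root_key, ca=False, path_length=None, key_cert_sign=True)
    return root, sub, bad
```

Running `openssl x509 -text` on the sub-CA's DER/PEM output shows exactly the two lines quoted in the first answer, with `pathlen:0` appended to the Basic Constraints line.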