
Extended Key Usage

2019-01-01T10:15:36Z.

The extended key usage (EKU) extension specifies the purposes for which a certificate's public key may be used, for example TLS server or client authentication. Occasionally it is necessary to configure the extended key usage when generating and deploying a certificate for use in certain applications, such as OpenVPN, which reject a certificate that lacks the purpose they expect.

Edit OpenSSL configuration file

Rather than editing the system-wide file, you can make a copy of the OpenSSL configuration file and edit the copy. When using OpenSSL to manage the certificates, pass the path of the customized configuration file with the -config switch.

Under the [ req ] section, update the x509_extensions attribute to point to the [ usr_cert ] section.

From:


x509_extensions	= v3_ca	# The extentions to add to the self signed cert

To:


x509_extensions	= usr_cert

Make sure the req_extensions attribute is specified (uncommented) and points to the [ v3_req ] section.

From:


# req_extensions = v3_req # The extensions to add to a certificate request

To:


req_extensions = v3_req

Update the [ usr_cert ] section in the configuration file.


[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

The extendedKeyUsage attribute lists the purposes that will be placed in the certificate's Extended Key Usage extension; the list above includes server authentication, client authentication, code signing and e-mail protection.

Also update the [ v3_req ] section and make sure the extended key usage is specified there, so that it is included in the certificate signing request submitted to the certificate authority.


[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

To generate the private key and the certificate signing request, run:


openssl ecparam -name secp384r1 -genkey -noout -out server.key
chmod 600 server.key

# Update the path of the OpenSSL configuration file.
openssl req -config /path/to/openssl.cnf \
-new \
-sha256 \
-key server.key \
-out server.csr

To inspect the certificate signing request and confirm the requested extensions, run:


openssl req -text -in server.csr

Sample output:


Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=Example Company, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:89:0f:d4:43:8b:c9:f0:d1:21:e4:2e:72:24:36:
                    17:17:db:e7:91:b4:13:29:a8:73:e4:f9:19:e1:8a:
                    d0:da:b4:eb:44:71:9b:05:df:87:13:ae:b3:2a:94:
                    59:d1:12:35:67:90:c6:b2:e5:d1:57:23:8c:c0:5f:
                    c5:0b:45:3b:ce:18:07:5e:5c:a5:1d:d5:30:d8:21:
                    97:9b:f3:1a:4d:b7:7e:b2:9d:e7:fb:22:5f:1a:48:
                    28:d7:a5:b5:bb:e6:8d
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
    Signature Algorithm: ecdsa-with-SHA256
            30:66:02:31:00:94:28:d3:81:3d:bf:0a:19:66:5c:18:21:eb:
            26:85:93:c9:3b:e5:74:0d:53:4c:b2:6a:03:1b:e3:30:2d:1a:
            83:b7:ea:09:a2:2e:13:82:59:d3:83:14:4d:19:ae:87:11:02:
            31:00:a5:51:df:7c:08:15:d8:e8:c0:74:d1:1d:b0:d1:a8:fa:
            a7:85:9a:0c:1e:18:fc:5e:d3:9c:0c:b6:42:58:82:49:14:0e:
            fb:3c:2a:8f:00:4f:bb:ec:be:a4:26:66:d3:9b
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Once the certificate signing request has been signed by the certificate authority, the issued certificate should contain the specified extended key usage. Verify this with openssl x509 -text on the signed certificate, since a CA is free to ignore the extensions requested in the CSR.

When signing the certificate signing request as a certificate authority, check the [ ca ] and [ CA_default ] sections and make sure the x509_extensions attribute points to a section (usually [ usr_cert ]) that contains the specified extended key usage. Otherwise, add a new section that specifies the extended key usage to be included in the signed certificate, and select it with the -extensions switch of OpenSSL when signing. Without such a section, the extended key usage requested in the CSR is not carried over into the certificate.
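The following script is an added example, not part of the original article, that runs the whole procedure above end to end: it writes a minimal openssl.cnf containing the [ req ], [ v3_req ] and [ usr_cert ] sections, generates the EC key and CSR, creates a throwaway test CA, and then signs the CSR twice, once with the -extensions switch and once without, so the effect described in the last paragraph can be observed. It assumes openssl is in PATH and, for brevity, issues certificates with openssl x509 -req instead of openssl ca (which would additionally need a database and serial file); the directory, file names, subject names and the [ req_dn ] and [ v3_ca ] sections are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes "openssl" is in PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Minimal configuration with the article's [ v3_req ] and [ usr_cert ] sections.
# [ req_dn ] and [ v3_ca ] are added here so the demo runs non-interactively.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
req_extensions     = v3_req
x509_extensions    = usr_cert

[ req_dn ]
C  = HK
O  = Example Company
CN = example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth, codeSigning, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Throwaway CA: self-signed with the [ v3_ca ] section selected by -extensions.
gen_ca() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key"
    openssl req -config "$WORK/openssl.cnf" -new -x509 -sha256 -days 1 \
        -extensions v3_ca -subj "/CN=Demo Test CA" \
        -key "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Server key and CSR, exactly as in the article; req_extensions adds [ v3_req ].
gen_csr() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/server.key"
    chmod 600 "$WORK/server.key"
    openssl req -config "$WORK/openssl.cnf" -new -sha256 \
        -key "$WORK/server.key" -out "$WORK/server.csr"
}

# sign_csr OUTFILE [SECTION]: with SECTION given, that section of openssl.cnf
# is applied through -extfile/-extensions; without it, the extensions
# requested in the CSR are not copied into the issued certificate.
sign_csr() {
    out=$1; section=${2:-}
    if [ -n "$section" ]; then
        openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/openssl.cnf" -extensions "$section" -out "$out"
    else
        openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -out "$out"
    fi
}

# eku_of FILE [req|x509]: prints the Extended Key Usage values of a CSR or a
# certificate, or "none" when the extension is absent.
eku_of() {
    file=$1; kind=${2:-x509}
    line=$(openssl "$kind" -noout -text -in "$file" \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//')
    if [ -n "$line" ]; then printf '%s\n' "$line"; else printf 'none\n'; fi
}

run_demo() {
    write_config; gen_ca; gen_csr
    sign_csr "$WORK/with_eku.crt" usr_cert
    sign_csr "$WORK/without_eku.crt"
    echo "CSR requested EKU  : $(eku_of "$WORK/server.csr" req)"
    echo "cert, -extensions  : $(eku_of "$WORK/with_eku.crt")"
    echo "cert, no switch    : $(eku_of "$WORK/without_eku.crt")"
}

run_demo
```

The third line of output is the case the article warns about: the CSR carries the requested extended key usage, but the certificate signed without a matching extensions section has no Extended Key Usage at all, so an application such as OpenVPN would reject it. Checking the issued certificate with eku_of (or openssl x509 -text) is therefore the check worth scripting into a deployment pipeline.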
