Under the signature, I selected the digital signature, and under encryption, allowing the exchange of keys only with key encryption. (I tried all combinations.)

Key usage extensions define the purpose of the public key contained in a certificate. You can use them to limit the public key to as few or as many operations as necessary. For example, if you have a key that is only used to sign or verify a signature, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is only used for key management, enable key encipherment.

In summary: digitalSignature for (EC)DHE cipher suites, keyEncipherment for simple RSA encryption suites. However, some implementations also accept keyAgreement instead of keyEncipherment, or nonRepudiation even if digitalSignature is not set, and some will simply ignore the Key Usage extension altogether (even if it is marked as critical). For maximum interoperability, specify all four flags in the Key Usage extension.
Used when the requester's public key is to verify a signature on revocation information, for example a certificate revocation list.

Used when the sender and receiver of the public key need to derive the key without encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.

Used when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.

The key usage extension defines the purpose (for example, encryption, signing, certificate signing) of the key contained in the certificate. The usage restriction can be applied when a key that could be used for more than one operation is to be restricted. For example, if an RSA key is only to be used to verify signatures on objects other than public key certificates and CRLs, the digitalSignature and/or nonRepudiation bits are asserted.
If an RSA key is to be used only for key management, the keyEncipherment bit is likewise asserted.

Enhanced Key Usage
    IP Security System (188.8.131.52.184.108.40.206.5)
    Server Authentication (220.127.116.11.18.104.22.168.1)
    Client Authentication (22.214.171.124.126.96.36.199.2)
188.8.131.52.4.1.311.21.10: Flags = 0, Length = 26
    Application Policies
    Application Certificate Policy: Policy Identifier = IP End of Security System
    Application Certificate Policy: Policy Identifier = Server Authentication
    Application Certificate Policy: Policy Identifier = Client Authentication
184.108.40.206: Flags = 1 (Critical), Length = 4
    Key Usage
    Digital Signature, key encryption, key agreement (a8)

Used when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).

If a certificate is used with a protocol that encrypts keys, use key encipherment. An example is S/MIME enveloping, which consists of encrypting a fast (symmetric) key with the public key of the certificate. SSL also performs key encipherment.

I only use RSA keys, so the exchange methods are RSA (generate, encrypt, and send a key) and [EC]DHE_RSA (generate an ephemeral [EC]DH key, sign it, and use it for the key agreement). The real operation in RSA is "Key Encipherment", and in [EC]DHE_RSA it's the digital signature, but both are forms of key agreement. So which of "Key Encipherment", "Digital Signature" and "Key Agreement" are needed for each method in the key usage extension? I couldn't find this indicated anywhere and it probably varies by implementation, so the answer could be one table per implementation.

With these compatibility settings, you can select the agreement because encryption is selected by default and blocked for any changes….
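The summary above (digitalSignature for (EC)DHE suites, keyEncipherment for plain RSA suites) and the `(a8)` value in the certificate dump can be checked together. The following is an added example, not code from the original page: the function names and the `REQUIRED` table are assumptions that encode the strict reading of that summary for a certificate with an RSA key.

```python
# Added example: decode an X.509 Key Usage bit string and check it against
# the TLS key exchange methods discussed on this page (RSA-key certificates).

# RFC 5280 bit order: bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Strict reading of the page's summary (assumed table, RSA server key).
REQUIRED = {
    "RSA": "keyEncipherment",         # client encrypts the premaster secret
    "DHE_RSA": "digitalSignature",    # server signs its ephemeral DH parameters
    "ECDHE_RSA": "digitalSignature",  # server signs its ephemeral ECDH parameters
}

def decode_key_usage(hex_bits):
    """Return the set of flag names in a hex dump such as 'a8' or '0080'."""
    raw = bytes.fromhex(hex_bits)
    if not 1 <= len(raw) <= 2:
        raise ValueError("Key Usage is a 9-bit string: expect 1 or 2 bytes")
    value = int.from_bytes(raw.ljust(2, b"\x00"), "big")
    if value & 0x7F:
        raise ValueError("bits beyond decipherOnly are set")
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if value & (0x8000 >> i)}

def allowed_key_exchanges(hex_bits):
    """Key exchange methods a strict TLS peer would accept for this cert."""
    flags = decode_key_usage(hex_bits)
    return sorted(kx for kx, need in REQUIRED.items() if need in flags)

if __name__ == "__main__":
    # 'a8' is the value in the dump above; the other samples are constructed.
    for sample in ("a8", "80", "20", "06"):
        print(sample, sorted(decode_key_usage(sample)),
              allowed_key_exchanges(sample))
```

A peer that ignores the Key Usage extension, or accepts keyAgreement in place of keyEncipherment as described above, would be more permissive than this strict table.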