Understanding Certificate Extensions and Key Usage
X.509 certificates contain more than just a public key and identity information. Certificate extensions provide additional metadata that defines how certificates can and should be used. Understanding these extensions is crucial for proper certificate deployment and security.
What Are Certificate Extensions?
Certificate extensions are optional fields in X.509 certificates that provide additional information about the certificate’s purpose, constraints, and capabilities. They were introduced in X.509v3 to extend the basic certificate format.
Extensions can be:
- Critical: Must be understood and processed by the client; if not recognized, the certificate is rejected
- Non-critical: Can be safely ignored if not understood
Standard Certificate Extensions
1. Key Usage
The Key Usage extension defines the cryptographic operations the certificate’s public key can perform.
Common Key Usage Values:
- digitalSignature: Used for verifying digital signatures (not certificate signatures)
- nonRepudiation (contentCommitment): Provides non-repudiation services
- keyEncipherment: Used for encrypting symmetric keys (RSA key transport)
- dataEncipherment: Used for encrypting data directly
- keyAgreement: Used for key agreement protocols (e.g., Diffie-Hellman)
- keyCertSign: Used for signing certificates (CA certificates only)
- cRLSign: Used for signing Certificate Revocation Lists
- encipherOnly: Used only for encryption (with keyAgreement)
- decipherOnly: Used only for decryption (with keyAgreement)
Example SSL/TLS Server Certificate:
Key Usage: critical
Digital Signature, Key Encipherment
Example CA Certificate:
Key Usage: critical
Certificate Sign, CRL Sign
Why It Matters:
- Prevents key misuse (e.g., using a signing key for encryption)
- Enforces principle of least privilege
- Critical for security in PKI hierarchies
2. Extended Key Usage (EKU)
Extended Key Usage further refines the purposes for which the certificate can be used, beyond cryptographic operations.
Common EKU Values:
- serverAuth (1.3.6.1.5.5.7.3.1): TLS/SSL server authentication
- clientAuth (1.3.6.1.5.5.7.3.2): TLS/SSL client authentication
- codeSigning (1.3.6.1.5.5.7.3.3): Code signing
- emailProtection (1.3.6.1.5.5.7.3.4): S/MIME email protection
- timeStamping (1.3.6.1.5.5.7.3.8): Trusted timestamping
- OCSPSigning (1.3.6.1.5.5.7.3.9): OCSP response signing
Example Web Server Certificate:
Extended Key Usage:
TLS Web Server Authentication
Example Code Signing Certificate:
Extended Key Usage:
Code Signing
Why It Matters:
- Prevents certificate from being used for unintended purposes
- Web browsers check serverAuth for HTTPS
- Operating systems check codeSigning for software installation
3. Subject Alternative Name (SAN)
SAN allows one certificate to secure multiple hostnames, IP addresses, or other identifiers.
SAN Types:
- DNS Name: Domain names (e.g., example.com, www.example.com)
- IP Address: IPv4 or IPv6 addresses
- Email Address: Email addresses for S/MIME
- URI: Uniform Resource Identifiers
- Directory Name: X.500 distinguished names
- Other Name: Other identifier types (e.g., UPN for Windows)
Example Multi-Domain Certificate:
Subject Alternative Name:
DNS:example.com
DNS:www.example.com
DNS:mail.example.com
DNS:ftp.example.com
Example Wildcard Certificate:
Subject Alternative Name:
DNS:*.example.com
DNS:example.com
Why It Matters:
- One certificate can secure multiple domains
- Required for hosting multiple sites on same IP
- Browsers match the requested hostname against SANs
- Modern browsers ignore the Subject CN, checking only SAN
4. Basic Constraints
Defines whether the certificate is a CA certificate and the maximum depth of the certification path.
Fields:
- CA: Boolean indicating if certificate is a CA
- pathLenConstraint: Maximum number of intermediate CAs that can follow
Example CA Certificate:
Basic Constraints: critical
CA:TRUE
pathLenConstraint:0
Example End-Entity Certificate:
Basic Constraints: critical
CA:FALSE
Why It Matters:
- Prevents end-entity certificates from issuing other certificates
- Limits CA hierarchy depth
- Critical for PKI security model
- Must be marked critical
5. Authority Key Identifier
Identifies the public key of the CA that signed the certificate.
Format:
Authority Key Identifier:
keyid:E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
Why It Matters:
- Links certificate to its issuer
- Enables path building in certificate chains
- Helps certificate validation software find CA certificates
6. Subject Key Identifier
Identifies the public key contained in the certificate.
Format:
Subject Key Identifier:
60:B1:87:D0:60:33:8A:EE:F3:9E:4B:F9:32:CA:E6:69:97:1C:4E:7F
Why It Matters:
- Uniquely identifies the certificate’s public key
- Used when the certificate acts as a CA
- Referenced by Authority Key Identifier in issued certificates
7. Certificate Policies
Declares the policy under which the certificate was issued.
Format:
Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 2.23.140.1.2.2
CPS: https://www.example.com/cps
Common Policies:
- Domain Validated (DV): 2.23.140.1.2.1
- Organization Validated (OV): 2.23.140.1.2.2
- Extended Validation (EV): 2.23.140.1.1
Why It Matters:
- Indicates validation level
- Browsers use policies to show EV indicators
- Helps relying parties assess trust level
8. CRL Distribution Points
Specifies where to obtain Certificate Revocation Lists.
Format:
CRL Distribution Points:
Full Name:
URI:http://crl.example.com/ca.crl
Full Name:
URI:http://crl2.example.com/ca.crl
Why It Matters:
- Enables certificate revocation checking
- Should include multiple URLs for redundancy
- Critical for PKI security
9. Authority Information Access (AIA)
Provides URLs for CA certificate and OCSP responder.
Format:
Authority Information Access:
OCSP - URI:http://ocsp.example.com
CA Issuers - URI:http://ca.example.com/ca.crt
Components:
- OCSP: Online Certificate Status Protocol responder URL
- CA Issuers: URL to download issuing CA certificate
Why It Matters:
- Enables OCSP revocation checking (faster than CRL)
- Allows automatic CA certificate retrieval
- Essential for complete chain validation
10. Subject Directory Attributes
Contains additional identity information about the subject.
Common Attributes:
- Date of birth
- Place of birth
- Gender
- Country of citizenship
- Country of residence
Format:
Subject Directory Attributes:
dateOfBirth=19900115120000Z
placeOfBirth=New York, US
Why It Matters:
- Provides additional identity information
- Used in qualified certificates (eIDAS in EU)
- Important for legal/compliance purposes
Viewing Certificate Extensions
Using OpenSSL
# View certificate extensions
openssl x509 -in certificate.crt -noout -text
# Show specific extension
openssl x509 -in certificate.crt -noout -ext subjectAltName
# View extensions from remote server
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text
Using Browser
- Click padlock icon in address bar
- Click “Certificate” or “View Certificate”
- Navigate to “Details” or “Extensions” tab
- Review individual extensions
Using Command Line Tools
# Using certutil (NSS)
certutil -L -d sql:$HOME/.pki/nssdb -n "Certificate Nickname"
# Using keytool (Java)
keytool -list -v -keystore keystore.jks -alias mykey
Common Extension Combinations
Web Server Certificate (TLS/SSL)
Key Usage: critical
Digital Signature, Key Encipherment
Extended Key Usage:
TLS Web Server Authentication
Subject Alternative Name:
DNS:example.com
DNS:www.example.com
Basic Constraints: critical
CA:FALSE
Authority Information Access:
OCSP - URI:http://ocsp.ca.com
CA Issuers - URI:http://ca.ca.com/ca.crt
CRL Distribution Points:
URI:http://crl.ca.com/ca.crl
Code Signing Certificate
Key Usage: critical
Digital Signature
Extended Key Usage:
Code Signing
Basic Constraints: critical
CA:FALSE
Email Certificate (S/MIME)
Key Usage: critical
Digital Signature, Key Encipherment
Extended Key Usage:
E-mail Protection
Subject Alternative Name:
email:[email protected]
Basic Constraints: critical
CA:FALSE
CA Certificate (Intermediate)
Key Usage: critical
Certificate Sign, CRL Sign
Basic Constraints: critical
CA:TRUE
pathLenConstraint:0
Subject Key Identifier:
E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Extension Violations and Security
Common Mistakes
Missing Critical Extensions
- Basic Constraints not marked critical
- Key Usage not specified for CA certificates
Conflicting Extensions
- CA:TRUE with serverAuth EKU
- Key Usage conflicts with intended purpose
Incomplete Information
- Missing SAN extension
- No CRL or OCSP information
Excessive Permissions
- Too many Key Usage values
- Overly broad EKU values
Security Implications
Weak Constraints:
- End-entity certificates with CA:TRUE can issue fake certificates
- Missing Key Usage allows key misuse
Missing Revocation Information:
- No way to check if certificate has been revoked
- Security risk if private key is compromised
Improper SAN Configuration:
- Wildcard certificates securing too many domains
- Missing domains cause browser warnings
Best Practices
For Certificate Authorities
Always Set Basic Constraints
- Mark as critical
- Specify CA status clearly
- Set pathLenConstraint appropriately
Include Revocation Information
- Add both CRL and OCSP URLs
- Use redundant URLs for availability
- Keep responders operational
Set Appropriate Key Usage
- Be restrictive (principle of least privilege)
- Mark as critical
- Match certificate purpose
Provide Complete Chains
- Include AIA extension with CA Issuers URL
- Make intermediate certificates easily accessible
For Certificate Requesters
Specify Required SANs
- Include all hostnames that need coverage
- Don’t forget www and non-www variants
- Consider future subdomain needs
Request Appropriate EKU
- Match your use case
- Don’t request unnecessary permissions
Understand Usage Restrictions
- Check Key Usage and EKU
- Ensure certificate matches intended use
- Don’t violate extension constraints
For Certificate Validators
Check All Extensions
- Verify Basic Constraints
- Validate Key Usage for operation
- Check EKU for purpose
Enforce Critical Extensions
- Reject certificates with unknown critical extensions
- Respect extension constraints
Verify Revocation Status
- Check CRL or OCSP
- Don’t ignore revocation information
- Handle soft-fail appropriately
Troubleshooting Extension Issues
Problem: “Certificate purposes do not match”
Cause: Key Usage or EKU doesn’t allow the operation
Solution: Obtain certificate with correct extensions:
# Check current extensions
openssl x509 -in cert.crt -noout -ext keyUsage -ext extendedKeyUsage
Problem: “Incomplete certificate chain”
Cause: Missing AIA extension or CA certificates unavailable
Solution: Include complete chain or fix AIA URLs
Problem: “Hostname mismatch”
Cause: SAN doesn’t include accessed hostname
Solution: Add hostname to SAN or obtain new certificate:
# View current SANs
openssl x509 -in cert.crt -noout -ext subjectAltName
Future of Certificate Extensions
Emerging Extensions
- Certificate Transparency: SCT (Signed Certificate Timestamp) extension
- CAA: Certification Authority Authorization checking
- DANE: DNS-based Authentication of Named Entities
- Delegated Credentials: Short-lived credentials for TLS
Deprecated Features
- Netscape Extensions: Being phased out
- Subject CN: Deprecated in favor of SAN
- MD5/SHA-1: Weak hash algorithms being removed
Conclusion
Certificate extensions are crucial for proper certificate functionality and security. Key takeaways:
- Basic Constraints defines CA vs end-entity
- Key Usage and EKU control certificate purposes
- SAN enables multi-domain certificates
- Revocation information (CRL/OCSP) is essential
- Critical extensions must be understood by validators
Understanding extensions helps you:
- Request certificates with appropriate properties
- Troubleshoot certificate issues
- Implement proper validation
- Maintain PKI security
When managing certificates with tools like CrtMgr, pay attention to these extensions to ensure your certificates are properly configured and suitable for their intended purpose.