The digitalSignature bit is used when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and for data origin authentication with integrity. The key can also be used to establish key agreement, for example a key created with the Diffie-Hellman key agreement algorithm. The key usage extension defines the purpose of the public key contained in a certificate. You can use it to restrict the public key to as few or as many operations as necessary. For example, if a key is used only to create or verify signatures, set the digitalSignature and/or nonRepudiation bits. If a key is used only for key management, set the keyEncipherment bit.
The dataEncipherment bit is used when the public key is used to encrypt user data other than cryptographic keys. Unlike digitalSignature, keyEncipherment or keyAgreement, dataEncipherment means that the key in the certificate is used to encrypt application data directly. This is not used in TLS. But certificates are not used only for TLS (e.g. also in S/MIME, VPNs, document signing, ...), so there may be use cases where it is needed. The encipherOnly bit is only meaningful if keyAgreement is also set; in that case the public key may be used only to encrypt data while performing key agreement. keyEncipherment means that the key in the certificate is used to encrypt another cryptographic key (which is not part of the application data). This is used within TLS in the RSA key exchange, where the premaster secret (from which the symmetric encryption keys are derived) is generated by the client, encrypted with the server's public key, sent to the server, and decrypted with the server's private key. The meaning of the encipherOnly bit is undefined in the absence of the keyAgreement bit. When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement. The key usage extension defines the purpose (for example encryption, signature, certificate signing) of the key contained in the certificate.
The usage restriction can be used to limit a key that could otherwise be used for more than one operation. For example, if an RSA key should only be used to verify signatures on objects other than public key certificates and CRLs, the digitalSignature and/or nonRepudiation bits are asserted. If an RSA key is used only for key management, the keyEncipherment bit is asserted instead. keyEncipherment is used when the certificate is used with a protocol that encrypts keys. An example is the S/MIME envelope, where a symmetric key is encrypted with the public key from the certificate. The SSL protocol also encrypts keys this way. keyAgreement is used when the sender and recipient of the public key must derive a shared key without using encryption.
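Because the key usage bits above are just a DER BIT STRING (RFC 5280 section 4.2.1.3), they are easy to inspect directly. The following Python is an added example, not code from the page: it decodes and re-encodes the KeyUsage value, flags the encipherOnly/decipherOnly-without-keyAgreement inconsistency described above, and checks whether a given operation (signing, TLS RSA key transport, Diffie-Hellman key agreement, certificate or CRL signing) is permitted. The DER byte strings in `main` are constructed for this example, and the `REQUIRED_BIT` mapping of operation names to bits is an assumption made here for illustration.

```python
# Added example: decode, encode and check the X.509 KeyUsage extension value.
# Sample DER byte strings are constructed for this example.

KEY_USAGE_BITS = (
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
)

# Assumed mapping (for this example) from an operation to the bit it needs.
REQUIRED_BIT = {
    "sign": "digitalSignature",              # entity / data origin authentication
    "non_repudiation": "nonRepudiation",
    "rsa_key_transport": "keyEncipherment",  # TLS RSA key exchange, S/MIME envelope
    "encrypt_app_data": "dataEncipherment",
    "dh_key_agreement": "keyAgreement",
    "issue_certificate": "keyCertSign",
    "sign_crl": "cRLSign",
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) into the set of named KeyUsage bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("expected a DER BIT STRING (tag 0x03)")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or non-short-form length")
    unused_bits, body = der[2], der[3:]
    if unused_bits > 7 or (unused_bits and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused_bits
    usages = set()
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Named bit 0 is the most significant bit of the first content byte.
        if body[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(KEY_USAGE_BITS[bit])
    return usages


def encode_key_usage(usages) -> bytes:
    """Encode named bits as a DER BIT STRING with trailing zero bits removed."""
    indexes = [KEY_USAGE_BITS.index(u) for u in usages]
    if not indexes:
        return bytes([0x03, 0x01, 0x00])
    highest = max(indexes)
    body = bytearray(highest // 8 + 1)
    for i in indexes:
        body[i // 8] |= 0x80 >> (i % 8)
    unused_bits = len(body) * 8 - (highest + 1)
    return bytes([0x03, len(body) + 1, unused_bits]) + bytes(body)


def usage_problems(usages) -> list:
    """Report combinations whose meaning RFC 5280 leaves undefined."""
    problems = []
    for only_bit in ("encipherOnly", "decipherOnly"):
        if only_bit in usages and "keyAgreement" not in usages:
            problems.append(f"{only_bit} is undefined without keyAgreement")
    return problems


def permits(usages, operation: str) -> bool:
    """Decide whether the certificate's KeyUsage allows the named operation."""
    if operation == "agreement_encipher":   # encipher data during key agreement
        return "keyAgreement" in usages and "decipherOnly" not in usages
    if operation == "agreement_decipher":   # decipher data during key agreement
        return "keyAgreement" in usages and "encipherOnly" not in usages
    return REQUIRED_BIT[operation] in usages


def main():
    # Constructed samples: a typical RSA TLS server certificate, a DH key
    # agreement certificate restricted to enciphering, and an inconsistent one.
    for hexder in ("030205a0", "03020009", "03020001"):
        usages = decode_key_usage(bytes.fromhex(hexder))
        print(hexder, sorted(usages), usage_problems(usages),
              "rsa_key_transport:", permits(usages, "rsa_key_transport"))


if __name__ == "__main__":
    main()
```

The bit-string layout is the detail that trips people up: bit 0 (digitalSignature) is the high-order bit of the first content byte, so the common TLS server value "digitalSignature, keyEncipherment" encodes as `03 02 05 a0` (five unused bits, byte 0xA0), and decipherOnly (bit 8) needs a second content byte.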
This derived key can then be used to encrypt messages between the sender and the recipient. Key agreement is typically used with Diffie-Hellman cipher suites. Should we also specify other extensions with particular values, e.g. nsCertType? What do the key usage values mean, and which should I use in the following situations?