Client Authentication Extended key usage field for SSL certificates

  • Question

  • Hi,

    Is it an essential requirement to have SSL server certificates configured with the "Client Authentication (1.3.6.1.5.5.7.3.2)" extended key usage attribute?

    If I am configuring SSL client authentication, it is essential to have this "Client Authentication (1.3.6.1.5.5.7.3.2)" attribute in my client certificates. But do my SSL server certificates also need to have this extension?

    Thank you.

    Tuesday, November 6, 2012 3:13 AM

Answers

All replies

  • Hi Har77,

    No, for the server side it's the Server Authentication OID that is needed: 1.3.6.1.5.5.7.3.1

    and in the SAN (SubjectAltName), the DNS name and URL of your server.

    Hope this helps you.

    Stef71

    Tuesday, November 6, 2012 4:02 AM
  • Hi Stef71,

    If you check SSL server certificates on most of the service providers (e.g. mail.live.com, other email service providers, social network service providers) they all have Client Authentication (1.3.6.1.5.5.7.3.2) enabled. Is there any particular reason for this?

    Thanks.

    Tuesday, November 6, 2012 6:12 AM
  • As already said, you don't need to use the Client Authentication EKU. This EKU is used only during the mutual authentication process. Since SAN does not use (most likely) mutual certificate-based authentication, you need only the Server Authentication EKU in the server's certificate.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Tuesday, November 6, 2012 10:36 AM
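An added example (not posted by anyone in this thread) showing the point of the replies above in practice: mint a throwaway self-signed server certificate that carries only the Server Authentication EKU (1.3.6.1.5.5.7.3.1) plus a SAN, then read back which EKUs a certificate actually has. The hostname `example.test` and the file names are placeholders chosen for this example; it assumes OpenSSL 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Example code, not from the thread. Requires OpenSSL 1.1.1+ (for -addext).
set -e
WORK="$(mktemp -d)"

# Create a self-signed server certificate with SAN and serverAuth EKU only.
# serverAuth is OID 1.3.6.1.5.5.7.3.1; clientAuth (1.3.6.1.5.5.7.3.2) is
# deliberately left out, as the replies above recommend for a server cert.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
    echo "$WORK/server.pem"
}

# Print the EKU names a PEM certificate carries (one line, comma separated),
# e.g. "TLS Web Server Authentication".
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 if the certificate has the Server Authentication EKU, else 1.
has_server_auth() {
    cert_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# Exit 0 if the certificate has the Client Authentication EKU, else 1.
has_client_auth() {
    cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}
```

The same check can be applied end to end with `openssl verify -purpose sslserver` (or `-purpose sslclient`), which rejects a certificate whose EKU does not match the requested role.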