[gnutls-help] certtool - key encipherment (X.509v3 extension)

Tobias --- tobbe.se at gmail.com
Tue Dec 15 18:48:11 CET 2015


Oops, I see. I'm new to the elliptical curve things. Now I feel dumb.

I let the CA use ECDSA secp521r1 and I let clients and servers use RSA,
3072 bits (it appears to be the default). It all works now!

It would be nice if certtool would return errors or warnings when
extensions and keys aren't compatible, instead of just omitting the
incompatible extensions.

Thanks for the quick reply!

2015-12-15 17:46 GMT+01:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:

> On Tue, Dec 15, 2015 at 5:36 PM, Tobias --- <tobbe.se at gmail.com> wrote:
> > I did write honor_crq_extensions. I just got confused when I read "honour"
> > somewhere else regarding this subject.
> > I've made additional attempts. The CSR doesn't contain the key encipherment
> > extension either. It only contains the other two extensions. I even copied
> > that extension straight out of the certtool manpage and it still won't
> > accept the extension. I wrote a separate template that contained
> > honor_crq_extensions and encryption_key but it didn't produce the desired
> > result.
> > Does it matter that I use ECDSA?
>
> Yes, you cannot encrypt with ECDSA keys. They are signing keys.
>
> regards,
> Nikos
>
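
The kind of compatibility warning asked for in this thread, as an added example that is not part of the original messages or of certtool: a small Python lint that reads a certtool template and flags key-usage directives the key type cannot serve. The function names and the sample template are constructed; the ECDSA rule used is RFC 5480, section 3, which forbids keyEncipherment and dataEncipherment for EC public keys.

```python
# Added example, not certtool code. Maps certtool template directives to the
# X.509 keyUsage bit each one requests.
KEY_USAGE_BY_DIRECTIVE = {
    "signing_key": "digitalSignature",
    "encryption_key": "keyEncipherment",
    "cert_signing_key": "keyCertSign",
    "crl_signing_key": "cRLSign",
}

# keyUsage bits that must not be set for a given key type (RFC 5480, section 3
# for EC keys; RSA keys can both sign and encrypt).
FORBIDDEN_BITS = {
    "ecdsa": {"keyEncipherment", "dataEncipherment"},
    "rsa": set(),
}


def lint_template(template_text, key_type):
    """Return one warning per directive whose keyUsage bit the key cannot serve."""
    forbidden = FORBIDDEN_BITS[key_type.lower()]
    warnings = []
    for lineno, raw in enumerate(template_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directive = line.split("=", 1)[0].strip()  # bare flag or "key = value"
        bit = KEY_USAGE_BY_DIRECTIVE.get(directive)
        if bit in forbidden:
            warnings.append(
                f"line {lineno}: {directive} ({bit}) is not valid for {key_type} keys"
            )
    return warnings


# Constructed sample template, similar to the one described in the thread.
SAMPLE_TEMPLATE = """\
# server certificate template (constructed)
cn = "server.example.test"
honor_crq_extensions
signing_key
encryption_key
tls_www_server
"""

if __name__ == "__main__":
    for key_type in ("ecdsa", "rsa"):
        print(key_type, lint_template(SAMPLE_TEMPLATE, key_type) or "ok")
```

The lint only sees the template; with honor_crq_extensions set, the extensions requested in the CSR need the same check.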