[gnutls-help] Server and client OID
gregs at sloop.net
Thu May 23 00:57:27 CEST 2019
I am using certtool to create some certificates and keys.
These certs and keys will be used on Windows systems - and I've run into some confusion.
As far as I can tell, MS [and Cisco and others] expect the OID 1.3.6.1.5.5.7.3.1 to be a "server" certificate.
However, from the GNUTLS docs for certtool, I see this:
# Whether this certificate will be used for a TLS client;
# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
# extended key usage.
# Whether this certificate will be used for a TLS server;
# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
# extended key usage.
Since I've seen 1.3.6.1.5.5.7.3.1 defined as a *server* EKU everywhere I've found from google searches, I'm pretty sure this is the correct *server* OID.
So, I guess the core question is:
Which OID is set for which keyword?
If I use "tls_www_client" in my template, is 1.3.6.1.5.5.7.3.1 going to be set, or is it _really_ 1.3.6.1.5.5.7.3.2?
And, clearly related: if I use "tls_www_server" in my template, is 1.3.6.1.5.5.7.3.2 going to be set, or is it _really_ 1.3.6.1.5.5.7.3.1?
I *assume* what really happens is:
tls_www_server = 1.3.6.1.5.5.7.3.1
tls_www_client = 1.3.6.1.5.5.7.3.2
[Which is the reverse of the documentation for certtool; see: https://gnutls.org/manual/html_node/certtool-Invocation.html ]
But I want to verify that the comments in the docs are backwards before I assume that.
If it matters, and perhaps it does - in this particular case, I'm generating ca/certs/keys for a Wifi EAP-TLS setup. I assume that the FreeRadius server needs a cert with OID 1.3.6.1.5.5.7.3.1, and the client certs need 1.3.6.1.5.5.7.3.2 [and should *NOT* contain 1.3.6.1.5.5.7.3.1. That way, a client cert couldn't be used to spoof/impersonate the server on a rogue Radius server. Yes, I understand that would take some doing, and isn't likely - but no sense in having any additional exposure.]
This is why having the correct OIDs and only the correct OIDs is important - and thus the above query.
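Added example, not part of the original post or of GnuTLS: a standard-library-only decoder for the DER body of an extendedKeyUsage extension, plus the EAP-TLS policy check the post describes (server cert must carry id-kp-serverAuth; client cert must carry id-kp-clientAuth and must not carry id-kp-serverAuth). The EKU byte strings are constructed by hand; pulling the extension body out of a real PEM certificate is assumed to happen elsewhere (e.g. by inspecting the certificate with certtool).

```python
# Added example: verify which EKU OIDs a certificate really carries and
# whether that set fits its EAP-TLS role. Stdlib only; sample DER is constructed.

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER value (no tag/length) to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension body must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(body))
    return oids

def eap_tls_role_ok(eku_oids, role):
    """Policy from the post: server needs serverAuth; client needs clientAuth only."""
    if role == "server":
        return ID_KP_SERVER_AUTH in eku_oids
    if role == "client":
        return ID_KP_CLIENT_AUTH in eku_oids and ID_KP_SERVER_AUTH not in eku_oids
    raise ValueError("unknown role: %r" % role)

# Constructed DER values of an extendedKeyUsage extension (hypothetical samples):
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")                        # [serverAuth]
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")                        # [clientAuth]
BOTH_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")      # both
```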