[gnutls-help] Server and client OID

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu May 23 21:35:03 CEST 2019

On Thu, May 23, 2019 at 1:17 AM Gregory Sloop <gregs at sloop.net> wrote:
> I am using certtool to create some certificates and keys.
> These certs and keys will be used on Windows systems - and I've run into some confusion.
> As far as I can tell, MS [and Cisco and others] expect the OID to be a "server" certificate.
> However, from the GNUTLS docs for certtool, I see this:
> # Whether this certificate will be used for a TLS client;
> # this sets the id-kp-serverAuth ( of
> # extended key usage.
> tls_www_client
> # Whether this certificate will be used for a TLS server;
> # This sets the id-kp-clientAuth ( of
> # extended key usage.
> tls_www_server

 Thank you for bringing this up. It seems that the comments in the
configuration file are incorrect. Checking the OIDs set by these two
options, they are reversed and match what you mention above.


More information about the Gnutls-help mailing list