[gnutls-help] Server and client OID

Gregory Sloop gregs at sloop.net
Fri May 24 02:11:05 CEST 2019

NM> On Thu, May 23, 2019 at 1:17 AM Gregory Sloop <gregs at sloop.net> wrote:

>> I am using certtool to create some certificates and keys.
>> These certs and keys will be used on Windows systems - and I've run into some confusion.

>> As far as I can tell, MS [and Cisco and others] expect the OID to be a "server" certificate.

>> However, from the GNUTLS docs for certtool, I see this:

>> # Whether this certificate will be used for a TLS client;
>> # this sets the id-kp-serverAuth ( of
>> # extended key usage.
>> tls_www_client

>> # Whether this certificate will be used for a TLS server;
>> # This sets the id-kp-clientAuth ( of
>> # extended key usage.
>> tls_www_server

NM> Hi,
NM>  Thank you for bringing this up. It seems that the comments in the
NM> configuration file are incorrect. Checking the OIDs set by these two
NM> options, they are reversed and match what you mention above.

NM> regards,
NM> Nikos

Thanks, I was pretty sure, as I did review some certs I created with another tool and it was as I expected - but I wanted to do it a second time, being super careful to be sure I was right. It's great to get your confirmation! Now I don't need to do that.

Thanks for fixing it in the comments/docs for a future version!
It looks like it's in the docs too:

..and thanks for a great tool! [I should say that part first!!! Seriously, I really do appreciate your work!]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20190523/e2b11bde/attachment-0001.html>

More information about the Gnutls-help mailing list