[gnutls-help] Server and client OID
Gregory Sloop
gregs at sloop.net
Fri May 24 02:11:05 CEST 2019
NM> On Thu, May 23, 2019 at 1:17 AM Gregory Sloop <gregs at sloop.net> wrote:
>> I am using certtool to create some certificates and keys.
>> These certs and keys will be used on Windows systems - and I've run into some confusion.
>> As far as I can tell, MS [and Cisco and others] expect the OID 1.3.6.1.5.5.7.3.1 to be a "server" certificate.
>> However, from the GNUTLS docs for certtool, I see this:
>> # Whether this certificate will be used for a TLS client;
>> # this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
>> # extended key usage.
>> tls_www_client
>> # Whether this certificate will be used for a TLS server;
>> # This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
>> # extended key usage.
>> tls_www_server
NM> Hi,
NM> Thank you for bringing this up. It seems that the comments in the
NM> configuration file are incorrect. Checking the OIDs set by these two
NM> options, they are reversed and match what you mention above.
NM> regards,
NM> Nikos
Thanks, I was pretty sure, as I did review some certs I created with another tool and it was as I expected - but I wanted to do it a second time, being super careful to be sure I was right. It's great to get your confirmation! Now I don't need to do that.
Thanks for fixing it in the comments/docs for a future version!
It looks like it's in the docs too:
https://www.gnutls.org/manual/gnutls.html
...and thanks for a great tool! [I should say that part first!!! Seriously, I really do appreciate your work!]
-Greg
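The swapped OIDs discussed in this thread are easiest to catch by decoding what a certificate actually carries rather than trusting the template comments. The script below is an added example (not part of the original message, nor code from GnuTLS or certtool) that decodes and encodes the DER value of the X.509 extendedKeyUsage extension with the Python standard library only, then checks whether a certificate meant for the "server" or "client" role contains the key purpose that role needs. The sample DER bytes are constructed here; the function and constant names are this example's own.

```python
# Added example, not GnuTLS/certtool code: decode and encode the X.509
# extendedKeyUsage (EKU) extension value (RFC 5280 section 4.2.1.12) with
# the standard library only, and check the key purposes against a role.

# Key-purpose OIDs from RFC 5280: the two from the thread plus common ones.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.3": "id-kp-codeSigning",
    "1.3.6.1.5.5.7.3.4": "id-kp-emailProtection",
    "1.3.6.1.5.5.7.3.8": "id-kp-timeStamping",
    "1.3.6.1.5.5.7.3.9": "id-kp-OCSPSigning",
}

# The key purpose a certificate must carry for each role.
REQUIRED = {"server": "1.3.6.1.5.5.7.3.1", "client": "1.3.6.1.5.5.7.3.2"}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, content):
    """Wrap content in a DER tag and definite-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form.

    First octet packs the first two arcs as 40*a + b; the remaining arcs
    are base-128 groups, each continued while bit 0x80 is set.
    """
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for octet in content[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID string to OBJECT IDENTIFIER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]  # least significant group, no continuation bit
        arc >>= 7
        while arc:
            groups.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(groups))  # most significant group first
    return bytes(out)


def decode_eku(ext_value):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into dotted OIDs."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != TAG_OID:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def encode_eku(oids):
    """Build the DER extension value for a list of dotted OIDs."""
    return _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_OID, encode_oid(o)) for o in oids))


def check_role(ext_value, role):
    """Return (ok, names): whether the EKU carries the purpose `role` needs,
    plus the readable names of the purposes actually present."""
    oids = decode_eku(ext_value)
    names = [EKU_NAMES.get(o, o) for o in oids]
    return REQUIRED[role] in oids, names


if __name__ == "__main__":
    # Constructed sample: the EKU a certificate would carry if the template
    # set id-kp-clientAuth while the operator expected a server certificate.
    mislabelled_server = bytes.fromhex("300a06082b06010505070302")
    ok, names = check_role(mislabelled_server, "server")
    print(f"server role satisfied: {ok}; purposes present: {names}")
    both = encode_eku([REQUIRED["server"], REQUIRED["client"]])
    print(both.hex(), check_role(both, "server"), check_role(both, "client"))
```

The input to `check_role` is the raw extension value (the OCTET STRING contents of the extnValue field), so to audit a real certificate you extract that from the parsed certificate, or compare the purposes that `certtool -i` prints against the OIDs above. A cert whose EKU decodes to id-kp-clientAuth only will be rejected by servers and peers that require id-kp-serverAuth, which is exactly the failure the swapped template comments would have caused.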