Blog | G5 Cyber Security

X.509 Certificates: Checking Usage Restrictions

TL;DR

X.509 certificates aren’t *always* tied to a single operation, but a CA can restrict them to particular ones. This guide shows you how to check what a certificate is allowed to do using its ‘Key Usage’ and ‘Extended Key Usage’ extensions, what the values mean, and how to read them on Windows, macOS, and Linux.

Checking Certificate Restrictions

  1. Understand Key & Extended Key Usage: Certificates state what they may be used for – things like encrypting email, signing code, or authenticating a web server. These restrictions live in two extensions (RFC 5280, sections 4.2.1.3 and 4.2.1.12):
    • Key Usage: the raw cryptographic operations the key may perform, encoded as a bit string – digital signature, non-repudiation (also called content commitment), key encipherment, data encipherment, key agreement, certificate signing, CRL signing, and encipher-only/decipher-only.
    • Extended Key Usage (EKU): the application-level purposes, each identified by an OID – for example server authentication, client authentication, code signing, email protection, or time stamping. Either extension may be marked ‘critical’, which tells relying software to reject the certificate if it does not understand the extension.
  2. Windows – Using Certificate Manager:
    1. Open the Certificate Manager (search for ‘Manage computer certificates’ for the machine store, or ‘Manage user certificates’ for your own store).
    2. Navigate to the certificate you want to inspect. It is usually found under ‘Personal’ or ‘Trusted Root Certification Authorities’.
    3. Double-click the certificate to open its properties.
    4. Go to the Details tab.
    5. Scroll down and find Key Usage and Enhanced Key Usage (Windows’ name for Extended Key Usage). The values listed show what the certificate is permitted for; if Enhanced Key Usage is missing entirely, the certificate carries no application-level restriction.
  3. macOS – Using Keychain Access:
    1. Open Keychain Access (found in /Applications/Utilities/).
    2. Select the certificate you want to examine and double-click it to open its details window.
    3. Expand the ‘Details’ disclosure section.
    4. Scroll to the extensions near the end of the list.
    5. Look for the Key Usage and Extended Key Usage extensions. Keychain Access lists the allowed purposes by name alongside their OIDs and shows whether each extension is marked critical.
  4. Linux – Using OpenSSL:
    1. Open a terminal.
    2. Use the following command, replacing ‘certificate.pem’ with the actual filename of your certificate:
      openssl x509 -text -noout -in certificate.pem
    3. Look for sections labelled X509v3 Key Usage and X509v3 Extended Key Usage in the output, under ‘X509v3 extensions’. The word ‘critical’ after a heading means the extension is marked critical.
      • Key Usage is printed as a comma-separated list of names (e.g., `Digital Signature, Key Encipherment`).
      • Extended Key Usage is also printed as a comma-separated list of names (e.g., `TLS Web Server Authentication, TLS Web Client Authentication`). OpenSSL falls back to a dotted Object Identifier (OID) only for purposes it does not recognise; in that case look the OID up in RFC 5280 or the vendor’s documentation.
  5. Interpreting Key Usage Bits: Some common values:
    • Digital Signature: signing data, challenges, or handshake messages (but not certificates or CRLs).
    • Non Repudiation (Content Commitment): signatures intended to bind the signer to a document, such as S/MIME or document signing.
    • Key Encipherment: encrypting symmetric keys, e.g. RSA key transport.
    • Data Encipherment: encrypting application data directly with the public key (rare in practice).
    • Key Agreement: (EC)DH-style key exchange.
    • Certificate Sign and CRL Sign: issuing certificates and revocation lists. These belong on CA certificates only; an end-entity certificate carrying Certificate Sign deserves a closer look.
  6. Interpreting Extended Key Usage (EKU) OIDs: EKUs are identified by Object Identifiers (OIDs) from the id-kp arc defined in RFC 5280. The most common ones:
    • 1.3.6.1.5.5.7.3.1 – Server Authentication (used for HTTPS websites).
    • 1.3.6.1.5.5.7.3.2 – Client Authentication.
    • 1.3.6.1.5.5.7.3.3 – Code Signing.
    • 1.3.6.1.5.5.7.3.4 – Email Protection (S/MIME).
    • 1.3.6.1.5.5.7.3.8 – Time Stamping.
    • 1.3.6.1.5.5.7.3.9 – OCSP Signing.
    • 2.5.29.37.0 – anyExtendedKeyUsage, which explicitly places no restriction.
    Note that the extensions themselves have their own OIDs, which are different: Key Usage is 2.5.29.15 and Extended Key Usage is 2.5.29.37. Do not confuse these with the purpose OIDs above.
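To make the encoding behind steps 1, 5 and 6 concrete, here is an added example (not code from the original post) that decodes the Key Usage bit string and the Extended Key Usage OID list directly from DER and then applies the check a relying party should make: EKU absent or containing the purpose (or anyExtendedKeyUsage), and every required Key Usage bit present. The Extensions block it parses is hand-assembled sample data, not a real certificate.

```python
"""Decode X.509 Key Usage / Extended Key Usage from a DER Extensions block.

The sample DER below is constructed by hand for this example; it is the
Extensions SEQUENCE as it would sit inside a certificate's TBSCertificate.
"""
from typing import Iterator, Tuple

# RFC 5280 4.2.1.3: KeyUsage bit names, in bit order (bit 0 first)
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
# RFC 5280 4.2.1.12: id-kp purpose OIDs plus anyExtendedKeyUsage
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
OID_KEY_USAGE = "2.5.29.15"      # OID of the extension, not of a purpose
OID_EXT_KEY_USAGE = "2.5.29.37"


def der_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each DER TLV in `data` (definite lengths only)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                  # long form: next N bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def decode_oid(value: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body into dotted form (base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage(bitstring: bytes) -> set:
    """BIT STRING body: first byte counts unused trailing bits, then bits MSB-first."""
    unused, payload = bitstring[0], bitstring[1:]
    total_bits = 8 * len(payload) - unused
    bits = int.from_bytes(payload, "big")
    return {
        KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
        if (bits >> (8 * len(payload) - 1 - i)) & 1
    }


def parse_extensions(extensions_der: bytes) -> dict:
    """Return the two usage extensions; a value of None means the extension is absent."""
    result = {"key_usage": None, "key_usage_critical": False,
              "eku": None, "eku_critical": False}
    (seq_tag, seq_body), = der_tlvs(extensions_der)
    if seq_tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    for _, ext in der_tlvs(seq_body):
        fields = list(der_tlvs(ext))       # extnID, [critical BOOLEAN], extnValue OCTET STRING
        oid = decode_oid(fields[0][1])
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        inner = fields[-1][1]              # OCTET STRING body wraps the extension's own DER
        if oid == OID_KEY_USAGE:
            (_, bs), = der_tlvs(inner)
            result["key_usage"], result["key_usage_critical"] = decode_key_usage(bs), critical
        elif oid == OID_EXT_KEY_USAGE:
            (_, oids), = der_tlvs(inner)
            result["eku"] = [EKU_NAMES.get(decode_oid(v), decode_oid(v)) for _, v in der_tlvs(oids)]
            result["eku_critical"] = critical
    return result


def allowed_for(ext: dict, purpose: str, needs_key_usage: set) -> bool:
    """Relying-party check: no EKU means unrestricted; otherwise the purpose (or
    anyExtendedKeyUsage) must be listed, and the needed Key Usage bits must be set."""
    eku_ok = ext["eku"] is None or purpose in ext["eku"] or "anyExtendedKeyUsage" in ext["eku"]
    ku_ok = ext["key_usage"] is None or needs_key_usage <= ext["key_usage"]
    return eku_ok and ku_ok


# Constructed sample: critical Key Usage (digitalSignature, keyEncipherment)
# followed by a non-critical EKU (serverAuth, clientAuth).
SAMPLE_EXTENSIONS = bytes.fromhex(
    "302f"
    "300e 0603551d0f 0101ff 0404 0302 05a0"
    "301d 0603551d25 0416 3014 0608 2b06010505070301 0608 2b06010505070302"
)

if __name__ == "__main__":
    parsed = parse_extensions(SAMPLE_EXTENSIONS)
    print(parsed)
    print("TLS server OK:", allowed_for(parsed, "serverAuth", {"digitalSignature"}))
    print("Code signing OK:", allowed_for(parsed, "codeSigning", {"digitalSignature"}))
```

Feeding real data in is a matter of pulling the Extensions SEQUENCE out of a certificate’s DER; the parser above deliberately stops at the two extensions this article is about so that the encoding of each stays visible.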

By checking these fields, you can determine whether a certificate is restricted to specific operations or has broader permissions. Two caveats matter in practice: a certificate with no Extended Key Usage extension at all (or one listing anyExtendedKeyUsage) is unrestricted, and the restrictions are only as strong as the software that reads them, since enforcement is the relying party’s job, not the certificate’s.
