Key Usage Extensions in X.509
Understand Key Usage and Extended Key Usage extensions in X.509 certificates. Learn which bits enable digital signatures, key encipherment, TLS server auth, and code signing.
Detailed Explanation
Key Usage and Extended Key Usage
X.509 certificates contain two complementary extensions that restrict how the certificate's public key can be used: Key Usage and Extended Key Usage (EKU). These extensions prevent a single certificate from being misused for unintended purposes.
Key Usage Extension
The Key Usage extension is a bit field with up to 9 possible values:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
| Bit | Purpose |
|---|---|
| digitalSignature | Verify digital signatures (TLS handshake, authentication) |
| nonRepudiation | Signature that the signer cannot later deny (rare) |
| keyEncipherment | Encrypt symmetric keys (RSA key exchange in TLS) |
| dataEncipherment | Directly encrypt data (uncommon) |
| keyAgreement | Key agreement protocols (DH, ECDH) |
| keyCertSign | Sign other certificates (CA certificates only) |
| cRLSign | Sign Certificate Revocation Lists (CA certificates only) |
| encipherOnly | Used with keyAgreement (encrypt only) |
| decipherOnly | Used with keyAgreement (decrypt only) |
Extended Key Usage (EKU)
EKU provides finer-grained purpose restrictions using OIDs (Object Identifiers):
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
| OID | Name | Purpose |
|---|---|---|
| 1.3.6.1.5.5.7.3.1 | serverAuth | TLS server certificate |
| 1.3.6.1.5.5.7.3.2 | clientAuth | TLS client certificate (mTLS) |
| 1.3.6.1.5.5.7.3.3 | codeSigning | Digitally sign executables |
| 1.3.6.1.5.5.7.3.4 | emailProtection | S/MIME email signing/encryption |
| 1.3.6.1.5.5.7.3.8 | timeStamping | Trusted timestamping |
| 1.3.6.1.5.5.7.3.9 | OCSPSigning | Sign OCSP responses |
Critical vs Non-Critical
When Key Usage is marked critical, the certificate MUST NOT be used for any purpose not listed. Clients that encounter a critical extension they do not understand must reject the certificate. Most CA-issued certificates mark Key Usage as critical.
Typical Key Usage for Different Certificate Types
TLS Server Certificate:
- Key Usage: Digital Signature, Key Encipherment
- EKU: TLS Web Server Authentication
CA Certificate:
- Key Usage: Certificate Sign, CRL Sign
- EKU: usually absent (CAs are not restricted by EKU)
Code Signing Certificate:
- Key Usage: Digital Signature
- EKU: Code Signing
Why Key Usage Matters
Without proper Key Usage restrictions, a TLS server certificate could theoretically be used to sign other certificates, creating a security vulnerability. The Key Usage and EKU extensions implement the principle of least privilege at the certificate level.
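The bit field and the typical profiles above, as an added example (not code from the original page): it decodes the DER BIT STRING that carries Key Usage and reports missing or surplus bits for a certificate type. The function names, the profile keys and the sample bytes in the comments are constructed for this illustration; bit positions follow RFC 5280.

```python
# Bit 0 is the most significant bit of the first content byte (RFC 5280 order).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Profiles mirror the "Typical Key Usage" list; the keys are hypothetical names.
PROFILES = {
    "tls_server": {"digitalSignature", "keyEncipherment"},
    "ca": {"keyCertSign", "cRLSign"},
    "code_signing": {"digitalSignature"},
}


def decode_key_usage(der: bytes) -> set:
    """Decode the Key Usage extension value: a DER BIT STRING (tag 0x03)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Nine bits need at most 1 unused-bits byte plus 2 content bytes.
    if length & 0x80 or length != len(der) - 2 or length > 3:
        raise ValueError("unexpected length for KeyUsage")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bits count")
    names = set()
    for i in range(len(content) * 8 - unused):
        if content[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit beyond decipherOnly is set")
            names.add(KEY_USAGE_BITS[i])
    return names


def check_profile(der: bytes, profile: str) -> dict:
    """Compare granted bits with a profile: what is missing, what is surplus."""
    have, want = decode_key_usage(der), PROFILES[profile]
    return {"missing": sorted(want - have), "extra": sorted(have - want)}


# Constructed samples: 03 02 05 A0 is Digital Signature + Key Encipherment;
# 03 02 01 86 adds keyCertSign and cRLSign, which a TLS server should not hold.
if __name__ == "__main__":
    for sample in ("030205a0", "03020186"):
        print(sample, check_profile(bytes.fromhex(sample), "tls_server"))
```

A non-empty `extra` list on a leaf certificate is the least-privilege violation described above; a non-empty `missing` list is the kind of mismatch that shows up as a handshake failure.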
Use Case
Check Key Usage and Extended Key Usage when diagnosing TLS handshake failures — a mismatch between the required key usage and what the certificate allows is a common cause of connection errors.