Articles in Root

Extended Key Usage and Key Usage Extensions


What are Key Usage Extensions?

The Key Usage Extensions (KUEs) are characteristics placed into a certificate that define the actions available for that certificate.  KUEs values are defined in terms of “operation”.  The different possibilities for the KUE are fixed and usually include a hexadecimal character that defines the combination of extensions used.

What is the Extended Key Usage extension?

The Extended Key Usage extension or sometimes called the Enhanced Key Usage extensions (EKUs) are similar to the Key Usage Extensions (KUE), except that EKU values are defined in terms of “purpose” and be easily expanded upon.  EKUs are defined with Object Identifiers or OIDs.  If the EKU extension is omitted in a certificate, then all operations are potentially valid.

What’s the difference between KUE and EKU?

Extended Key Usage extensions (EKUs) are newer and are generally used to restrict usage while the Key Usage Extensions (KUEs) are considered less flexible.  KUEs is defined in terms of “operations whereas EKUs are defined in terms of “operations”.  Generally EKUs are checked offensively (ie. This certificate must contain this EKU OID) whereas KUEs are generally checked defensively (ie. This certificate must contain this but may contain this or that).

What does “This extension is critical” mean?

A “Critical Extension” or “Criticality Indicator” is a flag that instructs software that uses the certificate where it is safe to ignore the Extended Key Usage Extension if it does not recognize it.  A certificate will be rejected if the software does not recognize a “Critical Extenstion”.  If an application also expects a field to be marked critical and it is not, it shall also reject the certificate.