
Added KeyUsage `DigitalSignature` to CA certs.

Open bkstein opened this issue 2 years ago • 1 comment

DigitalSignature MUST be set in SCEP CA certificates according to RFC 8894:

2.1.2. Certificate Authority

A SCEP CA is the entity that signs client certificates. A CA may enforce policies and apply them to certificate requests, and it may reject a request for any reason.

Since the client is expected to perform signature verification and optionally encryption using the CA certificate, the keyUsage extension in the CA certificate MUST indicate that it is valid for digitalSignature and keyEncipherment (if the key is to be used for en/decryption) alongside the usual CA usages of keyCertSign and/or cRLSign.

This is also what I see in other SCEP CAs (e.g. LANCOM, EJBCA). It makes sense, as the PKCS7 replies are signed by the CA and the KeyCertSign KeyUsage is not meant for this (that's only for the included new certificate).

bkstein May 12 '22 12:05
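The RFC 8894 requirement quoted above, as an added Go example (not code from the scep project or from this PR): a constant holding the key usage bits the RFC makes mandatory for an RSA SCEP CA, a check that reports which of them a CA certificate lacks, and a self-signed CA template that sets them. The subject name and lifetime are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RequiredSCEPCAKeyUsage is the set RFC 8894 section 2.1.2 makes mandatory for a
// SCEP CA with an RSA key: digitalSignature (the CA signs the PKCS#7 replies),
// keyEncipherment (clients encrypt their requests to the CA key) and keyCertSign.
// cRLSign is allowed ("keyCertSign and/or cRLSign") but not strictly required.
const RequiredSCEPCAKeyUsage = x509.KeyUsageDigitalSignature |
	x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign

// MissingSCEPCAKeyUsage returns the mandatory bits the CA certificate lacks
// (zero when it is compliant), so a server can log or refuse a bad CA at startup.
func MissingSCEPCAKeyUsage(cert *x509.Certificate) x509.KeyUsage {
	return RequiredSCEPCAKeyUsage &^ cert.KeyUsage
}

// NewCACert issues a self-signed RSA CA certificate with the given key usage, so a
// pre-fix CA (keyCertSign|cRLSign only) and a fixed one can be compared.
func NewCACert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example SCEP CA"}, // constructed name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              usage, // the fix discussed here: DigitalSignature must be in this set
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```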

Added the RFC paragraph mentioning the keyUsage for SCEP CA certificates.

bkstein May 16 '22 07:05

Updated to current main. Merging should be possible now. Thanks!

bkstein Dec 01 '23 07:12