How to determine the Application Policy / Enhanced Key Usage of a Self Signed Certificate?
I can look at the Enhanced Key Usage extension of an Enterprise signed certificate and see what it is tailored for, i.e. Server Authentication, Encrypting File System, or Secure Email. How can I tell what a Self Signed certificate is for? We have developers developing with Self Signed certificates for mutual authentication between applications on the same box, but when we go to production we want to replace all those with Enterprise certificates from our own CA, and I need to know what template to base these certificates on.
March 26th, 2010 1:18am

Export the self signed certificate to <cert.cer>
Call "certutil -dump <cert.cer>"
Look for lines similar to these in the output:

    Certificate Extensions: 1
        2.5.29.37: Flags = 0, Length = 6
        Enhanced Key Usage
            Unknown Key Usage (1.2.3)
March 26th, 2010 1:53am

> Export the self signed certificate to <cert.cer>
> Call "certutil -dump <cert.cer>"
> Look for the similar lines in the output:
> Certificate Extensions: 1
> 2.5.29.37: Flags = 0, Length = 6
> Enhanced Key Usage
> Unknown Key Usage (1.2.3)

That just shows me the same thing as the GUI when I double click on the certificate, except that it's on a hard to read black screen instead of a purddy thing with tabs, lol
March 26th, 2010 2:15am

I would suggest a two-pronged attack:

1. Ask the developers what they are doing with the cert - are they using the cert for authenticating the server end, authenticating the client end, or providing some mechanism for starting an encrypted session?
2. Take an educated guess based on answers from #1 (feel free to post back if needed). If you need to do a complete guess, I would suggest a Web Server certificate (which has a very high probability of working), and if that fails then a Workstation certificate, and lastly an IPSec certificate.

Have them install your CA root certificate to a test machine, install the CRL if necessary (if not on the main network), and create a certificate signing request (CSR) file that you can process against your CA. (You might want to configure a test CA for this purpose if you don't already have one; if absolutely necessary, you could create a template with the name 'Test' in it from your main CA and only have it valid for a very short period of time, like a day or a week, but this is recommended against.)
March 26th, 2010 9:49pm
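
The two replies above (reading extension 2.5.29.37, then deciding whether the certificate authenticates the server end or the client end) can be combined in one inventory pass over a certificate store. This is an added example, not code from any poster in the thread; the function name Get-CertificateEku and the choice of the LocalMachine\My store are assumptions.

```powershell
# Added example (not from the thread). Function name and store path are assumptions.
function Get-CertificateEku {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # 2.5.29.37 = Enhanced Key Usage, 2.5.29.15 = Key Usage
        $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $kuExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }

        $oids  = @()
        $names = @()
        if ($ekuExt) {
            foreach ($usage in $ekuExt.EnhancedKeyUsages) {
                $oids  += $usage.Value
                $names += "$($usage.FriendlyName) ($($usage.Value))"
            }
        }

        # A certificate with no EKU extension is not restricted to any purpose,
        # so it will be accepted for both server and client authentication.
        $unrestricted = -not $ekuExt

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            # Heuristic only: subject equals issuer
            SelfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
            KeyUsage   = if ($kuExt) { $kuExt.KeyUsages } else { 'not present' }
            Eku        = if ($unrestricted) { '(no EKU extension: all purposes)' } else { $names -join '; ' }
            ServerAuth = $unrestricted -or ($oids -contains '1.3.6.1.5.5.7.3.1')
            ClientAuth = $unrestricted -or ($oids -contains '1.3.6.1.5.5.7.3.2')
        }
    }
}

# Inventory every certificate in the machine's personal store
Get-ChildItem Cert:\LocalMachine\My | Get-CertificateEku | Format-List

# Or inspect a single exported file (path is a placeholder):
# New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\cert.cer' |
#     Get-CertificateEku
```

Certificates that report both ServerAuth and ClientAuth only because the EKU extension is absent are the ones to raise with the developers, since the replacement CA template will restrict them to specific purposes.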

This topic is archived. No further replies will be accepted.
