key usage question

From: Trebor (
Date: 03/08/05

Date: Tue, 8 Mar 2005 18:59:10 +0100

Hi all,

I have two certificates in my personal store.
According to their "Key usage" property, the first one is for "Digital
signature", and the second one is for "Key Encipherment".

By using CAPICOM, I noticed that I'm able to sign files without problem, by
using the second certificate
(which is not intended for digital signing according to its KeyUsage
property) ?!?!

I'm also able to verify these signatures without any problems.

1. Is this normal ?
 Do I need to check the certificate purpose before signing
 (by using Certificate.KeyUsage.IsDigitalSignatureEnabled property) ?

2. What about the files / content that I'm receiving , which are signed by
other parties ?
 Do I need to check the Certificate's IsDigitalSignatureEnabled property
after verification?
 Can I consider these signatures as reliable, if the certificate has ONLY
"Key Encipherment"
  keyword in their "Key usage property"?


Relevant Pages

  • 2K3 Cert Svcs gives invalid policy error on OpenSSL gend cert req
    ... OpenSSL-based UNIX SSL client and server and a Windows Server 2003 ... Standard Edition with Certificate Services for the CA. ... The OpenSSL generated ones look like, ... X509v3 Extended Key Usage: ...
  • Hacking PGP WoT onto X.509 systems
    ... Certificate Authorities providing the be-all end-all ... PGP users certify other users' keys by signing the corresponding uids, ... belongs to the owner specified in the certificate. ... Direct signatures: PGP signatures on the X.509 ...
  • Re: 2K3 Cert Svcs gives invalid policy error on OpenSSL gend cert req
    ... Could you please post a test PKCS#10 base 64 encoded request that is failing? ... Standard Edition with Certificate Services for the CA. ... X509v3 Extended Key Usage: ... all regular key usage flags and just have the extended flags, ...
  • Re: Signature specification without certificates
    ... certificate, as per the following ASN.1 defined in RFC 3280: ... For x9.59 financial transaction protocol I had to do ASN.1 ... specifications for digital signatures independent of certificates. ... A digital certificate oriented payment transaction was then appending ...
  • Re: PKI - CA setup key usage problem
    ... Use It explains how the Key Usage options are built ... For the AKI, I would recommend leaving the default of the thumbprint of the issuing CA certificate rather than the serial number and issuer combination, as it causes it is better for building certificate chains in environments where certificate renewals have taken place IMHO. ... Signature, Certificate Signing, Off-line CRL Signing, CRL Signing ". ... certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL ...