CertificateRequest and Enhanced Key Usage Extension

+1 vote
asked Nov 5, 2014 by Adam Edwards (130 points)
edited Dec 18, 2014

I came across this post as I was researching CSR creation. For a server-based certificate I believe the Enhanced Key Usage Extension is needed:

    // Enhanced Key Usage Extension (CertEnroll COM interop, namespace CERTENROLLLib)
    CObjectId objObjectId = new CObjectId();
    CObjectIds objObjectIds = new CObjectIds();
    CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
    objObjectId.InitializeFromValue ( "1.3.6.1.5.5.7.3.2" ); // OID for Client Authentication usage
    objObjectIds.Add ( objObjectId );
    objX509ExtensionEnhancedKeyUsage.InitializeEncode ( objObjectIds );
    // objPkcs10 is the CX509CertificateRequestPkcs10 being built elsewhere in the request code
    objPkcs10.X509Extensions.Add ( ( CX509Extension ) objX509ExtensionEnhancedKeyUsage );

Taken from this post: http://blogs.msdn.com/b/alejacma/archive/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c.aspx

This post suggests the same: http://stackoverflow.com/questions/17477279/client-authentication-1-3-6-1-5-5-7-3-2-oid-in-server-certificates

I couldn't find the enhanced extension in the docs. Can you advise if this is possible with the Rebex assembly?

1 Answer

0 votes
answered Nov 5, 2014 by Lukas Pokorny (95,290 points)
edited Dec 18, 2014

Update: The CertificateExtension.EnhancedKeyUsage method has been added in Rebex Security 2014 R3, which means the code below is no longer needed.

This looks like an omission on our part. We wanted to add a CertificateExtension.EnhancedKeyUsage method (similar to CertificateExtension.KeyUsage), but never actually implemented it, even though we support the extended/enhanced key usage extension in other parts of our library.

Fortunately, a workaround for this is not too complicated:

    // construct a sequence of a single extended key usage item
    // (see http://www.alvestrand.no/objectid/2.5.29.37.html for details)
    var oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2"); // Client Authentication
    byte[] rawOid = oid.ToArray(true); // DER-encoded OID, tag and length included
    if (rawOid.Length > 127)
        throw new InvalidOperationException("Short-form DER length used below; OID too long.");
    byte[] rawOidList = new byte[rawOid.Length + 2];
    rawOidList[0] = 0x30; // SEQUENCE tag
    rawOidList[1] = (byte)rawOid.Length; // short-form length (valid only up to 127 bytes)
    rawOid.CopyTo(rawOidList, 2);

    // add a non-critical "extended key usage" extension (id-ce 37) with the raw OID list
    csr.CertificateExtensions.Add(new CertificateExtension("2.5.29.37", false, rawOidList));

If you would like to try a beta of our library when we add CertificateExtension.EnhancedKeyUsage method, please let me know. Thanks for bringing this to our attention!
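The raw value the workaround above hands to CertificateExtension is the DER encoding of ExtKeyUsageSyntax (a SEQUENCE of OBJECT IDENTIFIERs). The Python below is an added example, not Rebex's or the poster's code, that builds that encoding in the general case (several purposes, long-form lengths, multi-byte arcs such as the 311 in Microsoft's OIDs), wraps it in the complete X.509 Extension structure, and parses it back so the bytes can be checked. The OID constants are the RFC 5280 and Microsoft values; the function names and the checks are assumptions made for this example.

```python
"""DER encoding of the X.509 Extended Key Usage extension (id-ce 37 = 2.5.29.37).

Added example, not Rebex's or the poster's code; stdlib only.
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    KeyPurposeId      ::= OBJECT IDENTIFIER
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"           # id-kp-serverAuth (RFC 5280)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth (RFC 5280)
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft szOID_KP_SMARTCARD_LOGON
EXT_KEY_USAGE = "2.5.29.37"                 # id-ce-extKeyUsage

def _der_length(n):
    """Length octets: short form below 128, long form 0x80|count followed by the value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _base128(arc):
    """One OID arc, 7 bits per octet, high bit set on all but the last octet."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))

def encode_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06); the first two arcs are packed as 40*a0 + a1."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(content)) + content

def encode_eku(purposes):
    """ExtKeyUsageSyntax value: SEQUENCE (tag 0x30) of OBJECT IDENTIFIERs."""
    if not purposes:
        raise ValueError("ExtKeyUsageSyntax needs at least one KeyPurposeId")
    content = b"".join(encode_oid(p) for p in purposes)
    return b"\x30" + _der_length(len(content)) + content

def encode_extension(extn_id, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    content = encode_oid(extn_id)
    if critical:  # DER forbids encoding a DEFAULT value, so FALSE is simply omitted
        content += b"\x01\x01\xff"
    content += b"\x04" + _der_length(len(value)) + value
    return b"\x30" + _der_length(len(content)) + content

def _read_length(buf, pos):
    """Return (length, offset of the content) for the length octets at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def decode_oid(content):
    """Inverse of encode_oid for the content octets (no tag or length)."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_eku(der):
    """Parse an ExtKeyUsageSyntax value back into a list of dotted OIDs, rejecting malformed input."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match the data")
    purposes = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % pos)
        length, pos = _read_length(der, pos + 1)
        if pos + length > end:
            raise ValueError("OID runs past the SEQUENCE")
        purposes.append(decode_oid(der[pos:pos + length]))
        pos += length
    return purposes

if __name__ == "__main__":
    value = encode_eku([CLIENT_AUTH])
    print(value.hex())  # the same bytes the hand-built rawOidList above contains
    print(encode_extension(EXT_KEY_USAGE, False, value).hex())
    print(decode_eku(encode_eku([SERVER_AUTH, CLIENT_AUTH, SMARTCARD_LOGON])))
```

For a single client-authentication purpose, encode_eku produces 30 0a 06 08 2b 06 01 05 05 07 03 02, which is exactly what the two-byte header plus ObjectIdentifier.ToArray(true) in the workaround yields. Only that value is passed to CertificateExtension, since the library takes the extension OID and the critical flag as separate arguments; encode_extension is included to show what the library assembles from them, in particular that a non-critical extension carries no BOOLEAN at all under DER.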

...