
I want to use OpenSSL to create a CSR and submit it to my CA (which uses Microsoft PKI) and receive certificates that can be used for both Server Auth and Client Auth. I'm not clear on a couple of things, which may simply be a link between keyUsage and nsCertType.

  1. Is it enough for me to include in the CSR keyUsage=digitalSignature,keyEncipherment and extendedKeyUsage=serverAuth,clientAuth ?
  2. Can the signing CA choose to ignore these requested attributes and grant me only Server Auth usage?
  3. Is nsCertType used for requests (e.g., CSRs) or only when OpenSSL is used to sign certs?

Regards, Mike

Thomas Pornin
Mike

1 Answer


nsCertType is an old Netscape-specific extension, which was used by the Netscape browser at a time when that browser was still alive. You can forget it nowadays.

The signing CA, by principle, acts in any way as it sees fit. It can put whatever it wishes in your certificate. Your certificate request is just a suggestion. You can more or less count on the CA to take the public key from your request and use that public key in the certificate; for everything less (including name, key usages and other extensions) this is completely up to the CA to decide. Microsoft's Certificate Services uses "certificate templates" for its configuration, and the templates decide what goes in the certificates. According to my own tests, the key usage and extended key usages which you put in the certificate will be completely ignored.

What extensions are needed for client authentication, and/or for server authentication, depends on the involved software. You will find some information in my past prose, e.g. this, this and that.

Thomas Pornin
  • Thanks much for the explanation and links; they helped me gain further understanding. I was afraid of that disconnect between requested and signed extensions. Hopefully I won't need to argue with my CA to add or alter cert templates. – Mike Apr 05 '13 at 22:29
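
The gap between requested and issued extensions can be checked directly. The following is an added example, not part of the original question or answer: it builds a CSR requesting both usages, has a stand-in OpenSSL CA issue from a fixed "template" that grants serverAuth only, and compares the two. The host name, CA name and template contents are constructed assumptions; a Microsoft CA is not involved.

```shell
#!/usr/bin/env bash
# Added example. All names (host.example.test, "Constructed Template CA") are constructed.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Build a CSR that requests the usages from the question.
make_csr() {
  cat > "$workdir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = host.example.test
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$workdir/req.cnf" \
    -keyout "$workdir/host.key" -out "$workdir/host.csr" 2>/dev/null
}

# Stand-in CA (assumption: mimics a template that grants serverAuth only).
# By default "openssl x509 -req" copies no extensions from the CSR; only -extfile applies.
issue_from_template() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$workdir/req.cnf" \
    -subj "/CN=Constructed Template CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
  printf '[tmpl]\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    > "$workdir/tmpl.cnf"
  openssl x509 -req -in "$workdir/host.csr" -days 1 \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -extfile "$workdir/tmpl.cnf" -extensions tmpl -out "$workdir/host.crt" 2>/dev/null
}

# Print the Extended Key Usage value of a CSR ($1=req) or certificate ($1=x509).
eku_of() {
  openssl "$1" -in "$2" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}
# Succeed if the named usage (as OpenSSL prints it) is present.
has_eku() { eku_of "$1" "$2" | grep -q "$3"; }

make_csr
issue_from_template
echo "requested: $(eku_of req "$workdir/host.csr")"
echo "issued:    $(eku_of x509 "$workdir/host.crt")"
has_eku x509 "$workdir/host.crt" 'Client Authentication' \
  || echo "issued certificate lacks clientAuth: the CA template decides, not the CSR"
```

Running `eku_of x509` against the certificate actually returned by the CA is the check that matters before deploying it for client authentication.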