
If you go to IE -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities.

Now click on some CA certificates and click on Advanced.

You can add properties to the certificate. What exactly is this for?

Does this mean that if a certificate doesn't have 'Server Authentication' property, the client can still authorize it for that purpose if he chooses to do so?

Is this a security issue - i.e. can you write an ActiveX control or Applet on which if a user clicks, it will turn on this property?

RoraΖ

user93353

2 Answers


No. The dialog doesn't add these properties to certificates. It has nothing to do with the currently selected item – it merely adds them to the filter-by-property listbox at the top of the main window. (That's the one that says "Intended purpose: <all>".)

(The more specific name is a "certificate purpose", and the technical name is extendedKeyUsage aka EKU.)

Basically, if you check "Client Auth" here, you can easily filter the cert list for just those which have this usage permitted.

But

You can, however, find a very similar list in the information dialog of individual certificates, under the View button. It does allow removing specific usages, or – I think – adding new ones.

For example, if you have a cert with both "email" and "client auth" purposes, but only use it for email, you can use this to avoid clutter whenever your browser asks you to choose a client-auth cert.

I suppose this could be used for trusting server certs that lack the "server auth" purpose – although it would be somewhat incompetent for a server to even use such a cert...

user1686
  • To confirm this, click the Advanced button and deselect everything except one easily recognizable checkbox, such as Microsoft Time Stamping, then click OK. At the top of the dialog, change the "Intended Purpose" pulldown to "". You'll see only a few Microsoft certificates that have this attribute. In other words, it's a very poorly labeled "filter" mechanism. – John Deters Jul 23 '15 at 19:40
  • How do you add/remove specific usages from **View**? I am not able to find any way. – user93353 Jul 24 '15 at 04:52
  • I was able to go to MMC->add certificates snap-in for local computer, go to trusted root and add properties for a certificate. This seems very strange - why should you be allowed to use a certificate for purposes other than what it's been issued for. – user93353 Jul 24 '15 at 05:30
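As an added illustration (not part of user1686's answer or of anything Microsoft ships) of what the signed extendedKeyUsage extension the answer refers to actually contains: a small DER parser for the EKU value plus a purpose check that follows RFC 5280 (absent EKU means unrestricted, anyExtendedKeyUsage permits everything, otherwise the purpose OID must be listed). The EKU byte strings are constructed here, not taken from any real certificate; the "email + client auth" one mirrors the answer's example. Whatever the local store's "properties" say, this signed extension is what the cert itself asserts.

```python
# Added example: parse an X.509 extendedKeyUsage (EKU) value from DER and decide
# whether a cert carrying it may be used for a purpose. Not from the original post.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
    "1.3.6.1.4.1.311.10.3.2": "Microsoft Time Stamping",
}
NAME_TO_OID = {v: k for k, v in EKU_NAMES.items()}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID content octets to dotted form, e.g. b'\\x2b...' -> '1.3.6...'."""
    first, acc = value[0], 0
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    for b in value[1:]:            # base-128 arcs, high bit set on all but last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku(der):
    """Return the dotted OIDs in an EKU value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(value))
    return oids


def permits(eku_der, purpose):
    """True if a cert with this EKU may be used for `purpose`, e.g. 'serverAuth'."""
    if eku_der is None:            # no EKU extension at all: RFC 5280 imposes no limit
        return True
    oids = parse_eku(eku_der)
    return NAME_TO_OID["anyExtendedKeyUsage"] in oids or NAME_TO_OID[purpose] in oids


# Constructed EKU values (hex DER): clientAuth + emailProtection, and serverAuth only.
EKU_EMAIL_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070302" "06082b06010505070304")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
```

Feed `permits()` the DER value of extension OID 2.5.29.37 taken from a real certificate to audit whether its signed purposes cover the use you are about to trust it for.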

That is a good thing that not all properties are checked by default because trust should not be enabled by default.

As the Microsoft documentation says, the purpose of that property is:

Certificates that server programs use to authenticate themselves to clients.

Yes, not only the server needs to trust the client, but the client also can request the server to identify itself.

That is for the first part of your question. Now you ask:

Can you write an ActiveX control or Applet on which if a user clicks, it will turn on this property?

No. That only means you request a remote computer (server in this case) to prove its identity. The applications you develop can be certified as being yours only if you sign them by yourself as when you develop an application under Android and you need to issue a private key yourself to auto-sign your applications without needing a public certificate authority.