Client Authentication (1.3.6.1.5.5.7.3.2) OID in server certificates


Question

For a project I'm working on, I have to generate a web server certificate. As I understand it, server certificates should contain the Server Authentication OID (1.3.6.1.5.5.7.3.1). But as far as I can see, all server certificates issued by well-known issuers like Verisign also contain the Client Authentication OID (1.3.6.1.5.5.7.3.2).

I tried to use a certificate with only the Server Authentication OID, and it seems to work fine.

Questions

  • Why is the client authentication OID needed for server certificates?
  • Is it needed for some legacy support, or is there another reason for it?

Solution

The difference between the two is exactly how they're described.

For using a certificate as a server (on the receiving end of the connection), it must have the Server extended key usage.

In a 2-way SSL connection, where the client (on the initiating end of the connection) presents a certificate back to the server, it must have the Client extended key usage.

If you're never using the certificate as a client cert, you won't need the Client Authentication OID.
