Skip to main content

2.2. New Section 4.5 - Extended Key Usage

2.2. New Section 4.5 - Extended Key Usage

The following subsection introduces a new extended key usage for CMP servers authorized to centrally generate key pairs on behalf of end entities.

Insert this section after Section 4.4.3 of [RFC4210]:

4.5. Extended Key Usage

The extended key usage (EKU) extension indicates the purposes for which the certified key pair may be used. Therefore, it restricts the use of a certificate to specific applications.

A CA may want to delegate parts of its duties to other PKI management entities. This section provides a mechanism to both prove this delegation and enable an automated means for checking the authorization of this delegation. Such delegation may also be expressed by other means, e.g., explicit configuration.

To offer automatic validation for the delegation of a role by a CA to another entity, the certificates used for CMP message protection or signed data for central key generation MUST be issued by the delegating CA and MUST contain the respective EKUs. This proves the authorization of this entity by delegating CA to act in the given role, as described below.

The OIDs to be used for these EKUs are:

id-kp-cmcCA OBJECT IDENTIFIER ::= {
   iso(1) identified-organization(3) dod(6) internet(1)
   security(5) mechanisms(5) pkix(7) kp(3) 27 }

id-kp-cmcRA OBJECT IDENTIFIER ::= {
   iso(1) identified-organization(3) dod(6) internet(1)
   security(5) mechanisms(5) pkix(7) kp(3) 28 }

id-kp-cmKGA OBJECT IDENTIFIER ::= {
   iso(1) identified-organization(3) dod(6) internet(1)
   security(5) mechanisms(5) pkix(7) kp(3) 32 }

Note: Section 2.10 of [RFC6402] specifies OIDs for a Certificate Management over CMS (CMC) CA and a CMC RA. As the functionality of a CA and RA is not specific to any certificate management protocol (such as CMC or CMP), these EKUs are reused by CMP.

The meaning of the id-kp-cmKGA EKU is as follows:

CMP KGA: CMP key generation authorities are CAs or are identified by the id-kp-cmKGA extended key usage. The CMP KGA knows the private key it generated on behalf of the end entity. This is a very sensitive service and needs specific authorization, which by default is with the CA certificate itself. The CA may delegate its authorization by placing the id-kp-cmKGA extended key usage in the certificate used to authenticate the origin of the generated private key. The authorization may also be determined through local configuration of the end entity.

Last updated on