没有签名功能的 x509 客户端证书

Question

i'm currently experimenting with X509 Certificates.

As i tested, i just signed a Apple Configuration (.mobileconfig) with the same cert. Which shows as perfectly valid (when Root CA is installed of course)

I signed the.mobileconfig with

openssl smime -sign

Now is my question, is there a possibility to remove those signing capabilities from the client cert. Or is it there by default?

I also tried fiddling around with KeyUsage and ExtendedKeyUsage but nothing seemed to have worked.

My Goal is to have a Client cert for a user to use with EAP-TLS for radius auth. Without the possibility for the user to sign files.

Answer 1

My Goal is to have a Client cert for a user to use with EAP-TLS for radius auth. Without the possibility for the user to sign files.

You can't really prevent anyone from using the private key associated with their X509 certificate from signing things. Unless you control every bit of software they can use with that private key, they can just use something that ignores the key usage extensions listed on the X509 certificate.

What you can do is simply not respect any signature that can't be validated by an X509 certificate with the digitalSignature extension.

"Your X509 cert I'm supposed to use to validate your signature doesn't have the digitalSignature bit set. This signature is invalid."

Hopefully any software product you're using requires the proper certificate properties to exist on the X509 certificate used to validate a signature.

Among many ways to see the properties of an X509 certificate:

openssl x509 -in /path/to/cert.pem -noout -text

For a combined cert/private key in PKCS#12 format:

openssl pcks12 -in /path/to/key.p12 -nokeys | openssl x509 -noout -text

(Note that I haven't tested these openssl... examples - they may not be fully correct...)