Skip to main content

Extended key usage extension

Define the allowed or required key usage extensions in the certificate.

Example JSON

"extended_key_usage":
{
	"critical":true,
    "allow_critical_override":true,
	"required_usages":
	[
		"server_authentication",
        {"oid": "1.2.4567.334"},
        {"oid":"1.3.6.1.5.5.7.3.17", "name": "IPSec IKE"},
        {"name": "document_signing"}
	],
	"optional_usages":
	[
		"client_authentication",
		"1.2.4567.334"
	]
}

Parameters

Name

Type

Req/Opt

Description

extended_key_usage

object

required

Extended key usage extension details.

critical

boolean

optional

Indicate if the extension will be marked critical or not. Defaults to false.

allow_critical_override

boolean

optional

Indicate if the critical flag can be overridden. Defaults to false.

required_usages

array of strings or OIDObjects

optional

DRAFTA list of EKUs that will always be included in the certificate. The list can contain OIDs or any of the following predefined values:DRAFT

optional_usages

array of strings or OIDObjects

optional

DRAFTA list of additional EKUs that can be included in the certificate. The list can contain OIDs or a predefined value (see the required_usages section).DRAFT

oid

string

optional

Specify the OID that must be used.

name

string

optional

Specify the name of the OID that must be used. If OID is provided, this field can be used as a description field.

Valid OID names

Name

server_authentication

client_authentication

code_signing

email_protection

smart_card_logon

time_stamping

adobe_cds

document_signing

microsoft_document_signing

encrypting_file_system

key_purpose_kdc

enrollment_agent

intel_amt

general_document_signing

key_recovery_agent

bitlocker_drive_encryption

bitlocker_data_recovery_agent

: