Partager via


Configuring key usage

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configuring key usage

Windows Server 2003, Standard Edition, establishes public and private keys when it issues certificates to subjects. The usage of these keys is configured by key usage and application policy. The key usage configuration is a basic constraint on the broad types of operations that can be performed with this certificate. There are several options, depending on what purpose has been configured for this certificate, either Signature or Encryption.

Signature

Setting Description

Digital signature

Data can be digitally signed by this certificate. This is the most basic signature operation.

Signature is proof of origin (nonrepudiation)

Data signed by this certificate can be traced back to the subject that provided the digital signature. This provides nonrepudiation of signatures and is useful in certificate-based transactions.

Certificate signing

This certificate can be used to sign other certificates. This option is normally granted to certificate managers and certificates used by certification authorities.

Certificate revocation list signing

This certificate can be used to sign certificate revocation lists (CRLs). This option is normally granted to certificate managers and certificates used by certification authorities.

Encryption

Setting Description

Allow key exchange without key encryption (key agreement)

This option configures the subject to use a key agreement protocol, such as Diffie-Hellman, to establish a symmetric key that can be used to encrypt and decrypt data between the subject and the intended target.

Allow key exchange only with key encryption (key encipherment)

This option will configure the subject to establish a symmetric key with a target by generating a symmetric key, encrypting it, and sending it to the target for decryption.

Allow encryption of user data

With this option, the subject can use the established symmetric key to encrypt and decrypt actual application data with the same key used for key establishment. This option is only available when Allow key exchange only with key encryption (key encipherment) is selected.

For more information on application policy, see Establishing application policies.