For end-entity certificates you can use any of the other keyUsages as documented by openssl, just make sure you do not include the CA extensions mentioned above. From a security perspective, you should not use more keyUsages than necessary (in particular, it is advised to use separate certificates for signing and encryption), but that is not a strict requirement.

OpenSSL certificate verification and X.509v3 extensions. Before getting to the topic (verifying PKCS#7 structures), look at how OpenSSL verifies certificates. Both the command-line openssl verify and the C API X509_verify_cert() have a notion of "purpose", explained in the CERTIFICATE EXTENSIONS section of man x509. This notion seems to be particular to

keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_names

## The other names your server may be connected to as
[alt_names]

nsCertType (Netscape Certificate Type) was used to indicate the purposes for which a certificate could be used; the basicConstraints, keyUsage and extended key usage extensions are now used instead. Acceptable values for nsCertType are: client, server, email, objsign, reserved, sslCA, emailCA, objCA.

Arbitrary Extensions. If an extension is not supported by the OpenSSL code then it must be encoded using the arbitrary extension format.

Self-signed certificates and keyUsage extension. Must non-CA, self-signed certificates have the "keyCertSign" bit set in the keyUsage extension to be "valid"? If I don't have the bit set and execute

# See the POLICY FORMAT section of the `ca` man page.
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits       = 2048
distinguished_name = req

Jun 23, 2020 ·

openssl genrsa -out dev.deliciousbrains.com.key 2048

Then we create a CSR:

openssl req -new -key dev.deliciousbrains.com.key -out dev.deliciousbrains.com.csr

You'll get all the same questions as you did above and, again, your answers don't matter.

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Caveat: without the digitalSignature bit this key may not sign a TLS handshake,
# so a client that enforces keyUsage will reject this certificate for ECDHE cipher
# suites and for TLS 1.3; add digitalSignature for a TLS server certificate.
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = alternatename1
DNS.2 = alternatename2
IP.1 = 10.191.84.22
IP.2 = 10.191.84.23

The alternate names I have used are alternatename1 and alternatename2.

$ openssl ca -config config/openssl.cnf -in csr/<your>.csr -out newcerts/<your>.crt -extensions v3_intermediate_ca

where openssl.cnf has a section much like the following:

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical


Here's an example for adding a set of S/MIME client capability extensions when signing an S/MIME user cert, taken from an example on the OpenSSL mailing list:

[my_cert_extensions]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment, dataEncipherment
SMIME-CAPS = ASN1:SEQUENCE:smime_seq
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ smime_seq ]
SMIMECapability

The purposes named in extendedKeyUsage may be specified in addition to those of the KeyUsage extension, or in place of those. The ASN.1 definition of the ExtendedKeyUsage extension is specified as follows:

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER

Key purposes may be defined by any organization with a need.

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Four EKUs plus nsCertType client,server,email in one certificate is more
# usage than any single deployment needs; trim this list to what the key does.
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
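The fragments above (the openssl verify purpose check, the server section with its alt_names, the intermediate-CA section and the broad usr_cert section) can all be exercised in one place. The script below is an added example written for this page; it is not code from the page, from the quoted answers or from the OpenSSL project. It assumes an openssl CLI (1.1.1 or 3.x) on PATH; the certificate names, www.example.test and www.evil.test are made up, and 10.191.84.22 is reused from the alt_names section above. It issues one real CA and several leaves that differ only in basicConstraints, keyUsage and extendedKeyUsage, then asks openssl verify what it accepts for the sslserver and sslclient purposes and for a hostname.

```sh
#!/bin/sh
# Added example (not code from the page or from OpenSSL): issue throwaway
# certificates that differ only in basicConstraints / keyUsage /
# extendedKeyUsage / subjectAltName, then ask `openssl verify -purpose` and
# `-verify_hostname` what it thinks of each. Assumes an openssl CLI (1.1.1 or
# 3.x) on PATH. Certificate names and hostnames are made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# issue NAME ISSUER EXT...: P-256 key + CSR for NAME, signed by ISSUER
# ("self" = self-signed); every remaining argument is one x509v3 config line.
issue() {
    name=$1; issuer=$2; shift 2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    printf '%s\n' "$@" > "$WORK/$name.ext"
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# verify_purpose PURPOSE LEAF [UNTRUSTED]: exit 0 iff openssl accepts LEAF
# (chained through the optional UNTRUSTED intermediate) for that purpose.
verify_purpose() {
    untrusted=""
    [ -n "$3" ] && untrusted="-untrusted $WORK/$3.pem"
    # $untrusted is deliberately unquoted so it splits into flag and path.
    openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" $untrusted \
        "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_host HOSTNAME LEAF: exit 0 iff the chain is good AND a dNSName SAN matches.
verify_host() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver \
        -verify_hostname "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# The CA carries exactly the "CA extensions" an end-entity cert must not have.
issue ca self 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash'
# A proper TLS server leaf: signs handshakes, may wrap keys, serverAuth, SAN.
issue server ca 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.example.test,IP:10.191.84.22' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer'
# A client leaf: the EKU is the only difference that matters below.
issue client ca 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature' 'extendedKeyUsage=clientAuth'
# serverAuth EKU but a keyUsage with none of digitalSignature, keyEncipherment
# or keyAgreement: rejected for the sslserver purpose.
issue nonrep ca 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,nonRepudiation' 'extendedKeyUsage=serverAuth'
# The page's keyEncipherment,dataEncipherment server section: verify still
# accepts it (keyEncipherment is one of the bits it looks for) even though the
# key can never sign an ECDHE / TLS 1.3 handshake. verify does not model TLS.
issue enconly ca 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,keyEncipherment,dataEncipherment' 'extendedKeyUsage=serverAuth'
# A leaf (CA:FALSE, no keyCertSign) used to sign another leaf.
issue notca ca 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature'
issue victim notca 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature' 'extendedKeyUsage=serverAuth'

# Print the verdicts; the exit status of each check is what scripts should use.
report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report verify_purpose sslserver server          # accepted
report verify_purpose sslclient client          # accepted
report verify_purpose sslserver enconly         # accepted (see caveat above)
report verify_purpose sslserver client          # rejected: EKU lacks serverAuth
report verify_purpose sslserver nonrep          # rejected: keyUsage unusable for TLS
report verify_purpose sslserver victim notca    # rejected: issuer is not a CA
report verify_host www.example.test server      # accepted
report verify_host www.evil.test server         # rejected: no matching SAN
```

The enconly case is the one to remember: openssl verify -purpose checks that keyUsage, extendedKeyUsage, nsCertType and basicConstraints are consistent with the requested purpose, but it does not know which cipher suites the key will have to sign for, so it accepts a keyEncipherment-only server certificate that no modern TLS client can use. IP entries in subjectAltName are checked with -verify_ip rather than -verify_hostname.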