Standard X.509 v3 Certificate Extensions
348 Netscape Certificate Management System Plug-Ins Guide • March 2002

Microsoft Recommendation
Microsoft products do not examine this extension. Microsoft recommends that, for the purposes of building certificate chains, authorityKeyIdentifier be used rather than issuerAltName or the certificate’s issuer name.

keyUsage

OID
2.5.29.15

Reference
http://www.ietf.org/rfc/rfc2459.txt 4.2.1.3

Criticality
This extension may be critical or noncritical. PKIX Part 1 recommends that it should be marked critical if it is used.

Discussion
The Key Usage extension defines the purpose of the key contained in the certificate. The Key Usage, Extended Key Usage, Basic Constraints, and Netscape Certificate Type extensions act together to specify the purposes for which a certificate can be used. For more information on interactions between these extensions in CA certificates, see “CA Certificates and Extension Interactions” on page 368.

If this extension is included at all, set the bits as follows:
• digitalSignature (0) for SSL client certificates, S/MIME signing certificates, and object-signing certificates.
• nonRepudiation (1) for some S/MIME signing certificates and object-signing certificates. Note, however, that the use of this bit is controversial. You should carefully consider the legal consequences of its use before setting it for any certificate.
• keyEncipherment (2) for SSL server certificates and S/MIME encryption certificates.
• dataEncipherment (3) when the subject’s public key is used to encipher user data (as opposed to key material).
• keyAgreement (4) whenever the subject’s public key is used for key agreement.
• keyCertSign (5) for all CA signing certificates.
• cRLSign (6) for CA signing certificates that are used to sign CRLs.
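
The bit settings listed above can be checked mechanically against an issued certificate's keyUsage value. The following is an added example, not part of the original guide or of Certificate Management System: it decodes the DER BIT STRING that carries the extension and reports which of the bits this section calls for are missing. The certificate-type labels, function names and sample values are assumptions made for the example, and bits 7 and 8 are taken from RFC 2459 rather than from this section.

```python
# Bit positions as listed in this section; 7 and 8 come from RFC 2459 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Bits this section says to set per certificate type. The type labels are
# names chosen for this example, not identifiers from the product.
REQUIRED = {
    "ssl_client": {"digitalSignature"},
    "ssl_server": {"keyEncipherment"},
    "smime_signing": {"digitalSignature"},
    "smime_encryption": {"keyEncipherment"},
    "object_signing": {"digitalSignature"},
    "ca_signing": {"keyCertSign"},
    "ca_crl_signing": {"keyCertSign", "cRLSign"},
}

# Constructed sample values (DER BIT STRING: tag, length, unused bits, data).
SSL_SERVER_KU = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
CA_NO_CRL_KU = bytes.fromhex("03020204")   # keyCertSign only


def decode_key_usage(der: bytes) -> set:
    """Decode a keyUsage extension value into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bits count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    names = set()
    for bit in range(len(payload) * 8 - unused):
        # Bit 0 is the most significant bit of the first content octet.
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            if bit >= len(KEY_USAGE_BITS):
                raise ValueError(f"undefined keyUsage bit {bit}")
            names.add(KEY_USAGE_BITS[bit])
    return names


def missing_bits(cert_type: str, der: bytes) -> set:
    """Return the bits this section calls for that the value does not assert."""
    return REQUIRED[cert_type] - decode_key_usage(der)
```

Because bit 0 is the most significant bit of the first content octet, digitalSignature plus keyEncipherment encodes as 0xA0 with five unused bits, not as 0x05.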