search cancel

ACF2 CHKCERT shows certificate key usage is blank after INSERTing signed certificate


Article ID: 228184


Updated On:




When using an ACF2 GENCERT command to create a new certificate, the KEYUSAGE(HANDSHAKE) is specified. After receiving the signed certificate back from the CA and INSERTing it, a CHKCERT command shows nothing on the KEY USAGE section.  Why does it not show HANDSHAKE?


Specifying a Key Usage of HANDSHAKE sets the digitalSignature and keyEncipherment bits in the keyUsage extension. The CA has the ability to change these settings. If one of those bits is not specified on the signed certificate, the certificate is no longer valid for a key usage of HANDSHAKE and the Key Usage field on the CHKCERT is blank. Running the SAFCRRPT report with the EXT parameter will reveal what bits are set. The CA that signed the certificate will need to be notified that the bit is required and a new signed certificate will need to be issued.

Note: If the certificate is GENCERTed using the DSA, NISTECC, or BPECC key word, only digitalSignature is set for this usage. Only the digitalSignature bit is set because the keys cannot be used for encryption.