Use when the public key is used with a digital
signature mechanism to support security services other than non-repudiation,
certificate signing, or CRL signing. A digital signature is often
used for entity authentication and data origin authentication with
integrity.
Non-repudiation
Use when the public key is used to verify digital
signatures used to provide a non-repudiation service. Non-repudiation
protects against the signing entity falsely denying some action (excluding
certificate or CRL signing).
Key encipherment
Use when a certificate will be used with a
protocol that encrypts keys. An example is S/MIME enveloping, where
a fast (symmetric) key is encrypted with the public key from the certificate.
The SSL protocol also performs key encipherment.
Data encipherment
Use when the public key is used for encrypting
user data, other than cryptographic keys.
Key agreement
Use when the sender and receiver of the public
key need to derive the key without using encryption. This key can
then be used to encrypt messages between the sender and receiver.
Key agreement is typically used with Diffie-Hellman ciphers.
Certificate signing
Use when the subject public key is used to
verify a signature on certificates. This extension can be used only
in CA certificates.
CRL signing
Use when the subject public key is used to verify
a signature on revocation information, such as a CRL.
Encipher only
Use only when key agreement is also enabled.
This enables the public key to be used only for enciphering data while
performing key agreement.
Decipher only
Use only when key agreement is also enabled.
This enables the public key to be used only for deciphering data while
performing key agreement.
Extended Key usage:

| Extended key | Enable for these key usage extensions |
| --- | --- |
| TLS Web server authentication | Digital signature, key encipherment or key agreement |
| TLS Web client authentication | Digital signature and/or key agreement |
| Sign (downloadable) executable code | Digital signature |
| Email protection | Digital signature, non-repudiation, and/or key encipherment or key agreement |
| IPSEC End System (host or router) | Digital signature and/or key encipherment or key agreement |
| IPSEC Tunnel | Digital signature and/or key encipherment or key agreement |
| IPSEC User | Digital signature and/or key encipherment or key agreement |
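
The rules above can be checked mechanically before a certificate request is submitted. The following is an added example, not part of the original page or of any product it describes: the function name `lint_profile` and the data layout are hypothetical, the labels are the ones used on this page, and each row's "and/or" is read as "at least one of".

```python
# Added example: lint a certificate profile against the key usage rules on this page.
# lint_profile and EKU_TO_KEY_USAGE are hypothetical names; labels are the page's own.

_IPSEC = {"Digital signature", "Key encipherment", "Key agreement"}

# Extended key -> key usage extensions of which at least one must be enabled
# (assumption: the table's "and/or" means "at least one of").
EKU_TO_KEY_USAGE = {
    "TLS Web server authentication": {"Digital signature", "Key encipherment", "Key agreement"},
    "TLS Web client authentication": {"Digital signature", "Key agreement"},
    "Sign (downloadable) executable code": {"Digital signature"},
    "Email protection": {"Digital signature", "Non-repudiation",
                         "Key encipherment", "Key agreement"},
    "IPSEC End System (host or router)": _IPSEC,
    "IPSEC Tunnel": _IPSEC,
    "IPSEC User": _IPSEC,
}


def lint_profile(key_usage, ext_key_usage, is_ca=False):
    """Return a list of findings; an empty list means the profile is consistent."""
    ku = set(key_usage)
    findings = []
    # Encipher only / Decipher only are meaningful only alongside Key agreement.
    for bit in ("Encipher only", "Decipher only"):
        if bit in ku and "Key agreement" not in ku:
            findings.append(f"{bit} requires Key agreement")
    # Certificate signing can be used only in CA certificates.
    if "Certificate signing" in ku and not is_ca:
        findings.append("Certificate signing is only valid in CA certificates")
    # Every extended key needs at least one matching key usage extension.
    for eku in ext_key_usage:
        allowed = EKU_TO_KEY_USAGE.get(eku)
        if allowed is None:
            findings.append(f"{eku}: not in the table")
        elif not ku & allowed:
            findings.append(f"{eku}: needs one of {', '.join(sorted(allowed))}")
    return findings


if __name__ == "__main__":
    # Constructed sample profiles, not taken from real certificates.
    samples = [
        (["Digital signature", "Key encipherment"], ["TLS Web server authentication"], False),
        (["Data encipherment", "Encipher only"], ["TLS Web client authentication"], False),
        (["Certificate signing", "CRL signing"], [], True),
    ]
    for ku, eku, ca in samples:
        print(ku, eku, "CA" if ca else "end entity", "->", lint_profile(ku, eku, ca) or "OK")
```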