OpenSSL x509 Purpose flag "Any Purpose" What is this?


Solution 1

The Any Purpose : Yes and Any Purpose CA : Yes lines from openssl x509 -purpose are special. They are OpenSSL-specific and represent what the certificate will be validated for when used with ancient software versions that do not check for extensions.

These specific purpose flags cannot be turned off or disabled. In the OpenSSL source, purpose checking is defined in openssl/crypto/x509v3/v3_purp.c as static X509_PURPOSE xstandard[] = { … }. The X509_PURPOSE_ANY check validation function returns 1.

The closest to official documentation on this flag is probably these posts by Dr Stephen N. Henson, who authored v3_purp.c: http://marc.info/?l=openssl-users&m=96219426811480 and http://openssl.6102.n7.nabble.com/quot-critical-CA-FALSE-quot-but-quot-Any-Purpose-CA-Yes-quot-td29933.html.

To quote Steve:

'The "Any Purpose" setting is something which lets anything through and performs no checks at all. It was put there originally as a way for people to use broken certificates if they had no other choice and could live with the consequences... Since then CA checks have been made mandatory in the code even if "Any Purpose" is set. So if you actually tried to use that certificate as a CA it would be rejected.'
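To make the point concrete, here is an added example in Python (not from the answer or from OpenSSL): it parses the output of openssl x509 -purpose, which is constructed sample text here, and deliberately never lets the OpenSSL-specific "Any Purpose" lines stand in for a real check, since the function behind them always returns 1.

```python
import re

# Constructed sample, shaped like `openssl x509 -noout -purpose -in mycert.pem`
# for a non-CA TLS server leaf. "Any Purpose CA : Yes" appears even though
# the certificate is not a CA: the check behind that line simply returns 1.
SAMPLE_PURPOSE_OUTPUT = """\
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
"""

LINE_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<value>Yes|No)\b")

def parse_purposes(text):
    """Map each purpose name to True/False; the header line has no Yes/No."""
    purposes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            purposes[m.group("name")] = (m.group("value") == "Yes")
    return purposes

def concrete_purposes(purposes, ca=False):
    """Purposes actually asserted by the extensions, leaving out the
    OpenSSL-specific 'Any Purpose' lines that are always Yes."""
    return sorted(name for name, ok in purposes.items()
                  if ok and not name.startswith("Any Purpose")
                  and name.endswith(" CA") == ca)

def allowed_for(purposes, purpose, ca=False):
    """Answer for one specific purpose only; refuse to answer via 'Any Purpose'."""
    if purpose.startswith("Any Purpose"):
        raise ValueError("'Any Purpose' performs no checks; ask for a concrete purpose")
    return purposes[purpose + (" CA" if ca else "")]
```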

Solution 2

The KeyUsage is a v3 extension, which may or may not be present in a certificate.

A useful (if slightly dated) summary of id-ce-keyUsage values: http://www.alvestrand.no/objectid/2.5.29.15.html [newly added values are 7 = encipherOnly and 8 = decipherOnly]

The trick is that this "OID=2.5.29.15 keyUsage extension" /might or might not/ be present in a particular certificate.

What OpenSSL probably presumes with PURPOSE_ANY is that this extension was /not present/, and that it's therefore "up to your own policy" to decide what to use it for. Otherwise, there's no bitmap value that corresponds to "ANY"...
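As an added example (not from the answer), the following Python decodes the id-ce-keyUsage BIT STRING into the bit names from that summary, including the later bits 7 and 8, and treats an absent extension as imposing no keyUsage constraint, which is the presumption described above; the DER bytes are constructed samples.

```python
# Bit positions of id-ce-keyUsage (OID 2.5.29.15); list index = bit number.
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (later renamed contentCommitment)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8 (needs a second byte of the BIT STRING)
]

def decode_key_usage(der):
    """Decode a DER BIT STRING (tag 0x03) carrying keyUsage into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    names = set()
    for bit in range(len(body) * 8 - unused):
        byte, offset = divmod(bit, 8)
        if body[byte] & (0x80 >> offset):  # bit 0 is the MSB of the first byte
            if bit >= len(KEY_USAGE_BITS):
                raise ValueError("unknown keyUsage bit %d" % bit)
            names.add(KEY_USAGE_BITS[bit])
    return names

def key_usage_permits(der, needed):
    """True when every needed usage bit is set, or when the extension is
    absent (der is None): with no keyUsage present there is nothing to
    check, and the decision falls back to your own policy."""
    if der is None:
        return True
    return set(needed) <= decode_key_usage(der)

# Constructed samples: a TLS leaf key, a CA key, and a key agreement key
# restricted to deciphering (bit 8 lives in the second byte).
LEAF_KU = bytes.fromhex("030205a0")        # digitalSignature | keyEncipherment
CA_KU = bytes.fromhex("03020106")          # keyCertSign | cRLSign
DECIPHER_KU = bytes.fromhex("0303070880")  # keyAgreement | decipherOnly
```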

Solution 3

Usually I set "AnyPurpose" on the Root CA (meaning this is the root and can issue certificates to any other intermediate or sub CA), and then, when issuing the intermediate CAs, I set the restrictions...

My Root CA has:

  • AnyPolicy 2.5.29.32.0,
  • CA:True 2.5.4.37,
  • AnyPurpose 2.5.29.15,
  • DigitalSignature 2.5.4.37.3,
  • CRL Distribution Points 2.5.29.31,

On my intermediate TLS CA, for example, I set:

  • Web ServerAuth TLS 1.3.6.1.5.5.7.3.1,
  • Web ClientAuth 1.3.6.1.5.5.7.3.2

This limits the TLS CA from inheriting all attributes from the Root CA (the restrictive OIDs applied here will only allow signing TLS certificates, and with pathlen:0 I forbid sub CAs).

Everything depends on how you set up your PKI infrastructure.

On my network I do one intermediate CA per purpose, for example:

  • Intermediate CA for Emails
  • Intermediate CA for TLS
  • Intermediate CA for Software
  • Intermediate CA for Identity
  • Intermediate CA for Components

This way, if there is a problem with a mail certificate, I only need to revoke the Email CA while all the other intermediate CAs are fine.

Big Certification Authorities have, for example, a dedicated intermediate CA for EV.

Note: This is for a personal PKI. If you wish to do something following the RFCs and best practices like the big Certification Authorities do, then there are a lot of extra steps, like including many more OIDs and setting them all up...

For example, you can read some of the standards at this link:

https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf

Another example: for EV certificates there are a lot of extra steps to set up OIDs:

  • Domain Validated 2.23.140.1.2.1
  • Organization Validated 2.23.140.1.2.2

And since my setup does not need those, I didn't spend my time searching for and testing the necessary OIDs to get this working.

Solution 4

In X.509 certificates, as in most other things, if a term is not explicitly defined then it inherits the meaning from its immediately-surrounding context. If that context is "life", then the phrase "Any Purpose" means literally that.

So, check the Certificate Policy, Subscriber Agreement, and Relying Party Agreement of the issuing CA, and if they say nothing about the flag then it means what it says on the box.

Author: Nick

Updated on September 17, 2022

Comments

  • Nick
    Nick over 1 year

    Looking at the details of a certificate using the following:

    openssl x509 -noout -text -purpose -in mycert.pem

    I find a bunch of purpose flags (which I've discovered are set by the various extensions attached to a certificate).

    One of these purpose flags is "Any Purpose". I can't seem to find ANY documentation on this flag and why or why not it is set.

    Do any of you know where I can find more information on this purpose and what it means?

    Thanks,

  • Nick
    Nick over 14 years
    I was not asking what all of the other purpose bools represented, I was asking what the "Any Purpose" was and how it was set. This is not defined in either of the two links you sent me.
  • tajh
    tajh over 14 years
    You are right, that flag is not explicitly documented; I assumed that "Any Purpose" would mean any of the purposes listed. I looked at the code in openssl/crypto/x509v3/v3_purp.c and crypto/x509v3/x509v3.h. grep the source tree for: X509_PURPOSE_ANY. I interpret it as being an extension of the certificate that means the cert is suitable for any purpose, i.e. that flag is just another x.509 certificate extension.
  • Falcon Momot
    Falcon Momot over 11 years
    The policy, subscriber agreement, and relying party agreement shouldn't have any technical impact on the certificate's use.
  • mlp
    mlp over 11 years
    @Falcon - those documents are the immediate context for the certificate, and ultimately define how a human interprets it. There can be no "technical impact" other than "this flag is set" - human interpretation is all.