Question

I am using certreq -new and have a policy file in inf-format. I would like to set the "KeySpec" parameter to "both" and the documentation tells me it is possible. But it doesn't tell me how:

The KeySpec determines if the key can be used for signatures, for Exchange (encryption), or for both.

Signatures are defined by "2" and encryption (exchange) is set by "1". Entering 0 produces a signature spec, entering 3 tells me it doesn't know what "3" should be.

Anyone know how to define KeySpec for both?

Solution

For anyone interested, I figured this out. KeySpec 2 means signatures only, KeySpec 1 means both, and to limit a key to encryption only, use the EncipherOnly option.

Also a related note, because I stumbled upon it: Using KeyLength=2048 does not work with KeySpec=1 with the "Microsoft Base Cryptographic Provider", you have to choose another one (use certutil -csplist to find one).
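A policy file that puts the answer's two points together, as an added example that is not part of the original post: KeySpec = 1 (AT_KEYEXCHANGE) with a 2048-bit key on a provider other than the Base provider. The subject, the provider name and type, and the KeyUsage value are assumptions chosen for illustration; pick a provider that `certutil -csplist` actually lists on your machine.

```ini
; Constructed example policy file, e.g. request.inf, for:
;   certreq -new request.inf request.csr
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Constructed placeholder subject
Subject = "CN=example.test"

; 1 = AT_KEYEXCHANGE: the key can be used for exchange (encryption) and signatures
; 2 = AT_SIGNATURE:   the key can be used for signatures only
KeySpec = 1

KeyLength = 2048

; Assumed provider: per the answer, the "Microsoft Base Cryptographic Provider"
; does not accept this KeySpec/KeyLength combination.
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
; 24 = PROV_RSA_AES, the provider type matching the provider named above
ProviderType = 24

; Assumed key usage: digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xa0

RequestType = PKCS10
```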

Licensed under: CC-BY-SA with attribution