# Whether this is a CA certificate or not
#ca
-# for microsoft smart card logon
-# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
-
-### Other predefined key purpose OIDs
-
-# Whether this certificate will be used for a TLS client
-#tls_www_client
+#### Key usage
-# Whether this certificate will be used for a TLS server
-#tls_www_server
+# The following key usage flags are used by CAs and end certificates
# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
# Whether this key will be used to sign CRLs.
#crl_signing_key
-# Whether this key will be used to sign code.
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-serverAuth of extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# This sets the id-kp-clientAuth of extended key usage.
+#tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning of extended key usage extension.
#code_signing_key
-# Whether this key will be used to sign OCSP data.
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning of extended key usage extension.
#ocsp_signing_key
-# Whether this key will be used for time stamping.
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping of extended key usage extension.
#time_stamping_key
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection of extended key usage extension.
+#email_protection_key
+
# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
### end of key purpose OIDs
# When generating a certificate from a certificate