Extended Key Usage (EKU)

Extended Key Usage (EKU) is a certificate extension that specifies which applications or trust contexts a certificate is intended for. It matters because more granular purpose control helps relying systems avoid accepting a certificate in the wrong security context.

What is Extended Key Usage (EKU)?

EKU can indicate roles such as server authentication, client authentication, code signing, email protection, or other specific uses. Validation logic can use EKU to decide whether a certificate should be trusted for the exact task at hand.
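The following added example, which is not part of the original glossary entry, decodes an EKU extension value (a DER SEQUENCE OF OIDs) using only the Python standard library and checks it against the purpose a relying system needs. The function names, the sample bytes, and the policy of rejecting a missing EKU and requiring opt-in for anyExtendedKeyUsage are assumptions made here.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

def _read_tlv(buf, pos, want_tag):
    """Return (value, next_pos) for one definite-length DER element with the given tag."""
    if pos + 2 > len(buf) or buf[pos] != want_tag or buf[pos + 1] == 0x80:
        raise ValueError("unexpected tag, truncation, or indefinite length")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OID content octets (base-128 arcs) into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs are packed into one value
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def parse_eku(ext_value):
    """Return the KeyPurposeId OIDs in an EKU extension value (SEQUENCE OF OID)."""
    seq, end = _read_tlv(ext_value, 0, 0x30)
    if end != len(ext_value):
        raise ValueError("trailing bytes after EKU SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        body, pos = _read_tlv(seq, pos, 0x06)
        oids.append(_decode_oid(body))
    return oids

def eku_permits(ext_value, required, accept_any=False):
    """Assumed policy: a missing EKU (None) is rejected; anyExtendedKeyUsage needs opt-in."""
    if ext_value is None:
        return False
    purposes = parse_eku(ext_value)
    return required in purposes or (accept_any and ANY_EKU in purposes)

SAMPLE_TLS = bytes.fromhex("301406082b0601050507030106082b06010505070302")  # constructed: serverAuth + clientAuth
```

With the constructed sample, `eku_permits(SAMPLE_TLS, SERVER_AUTH)` is accepted while `eku_permits(SAMPLE_TLS, CODE_SIGNING)` is refused, which is the wrong-context rejection the entry describes.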

What Extended Key Usage (EKU) Commonly Supports

Common uses include TLS server auth, client certificates, code signing, email security, and policy-aware certificate validation.

Extended Key Usage (EKU) vs. Broad Key Usage Only

EKU adds finer application context on top of broader key-usage signaling, making trust decisions more specific.

Frequently Asked Questions

Why is EKU helpful?

Because it helps prevent a certificate intended for one role from being reused carelessly in another role.

Can EKU solve all certificate misuse?

No. It helps, but trust stores, policies, path validation, and operational controls still matter too.
