We are getting the below error while verifying a signature using a certificate given by a counter party:
Certificate key usage or extended key usage disallowed by key usage enforcement policy for activity
Key Usage of Certificate: Digital Signature, Non-Repudiation (c0)
Enhanced Key Usage of Certificate: Secure Email (220.127.116.11.18.104.22.168.4), Document Signing (22.214.171.124.4.1.3126.96.36.199), Unknown Key Usage (1.2.840.1135188.8.131.52)
Is there any specific list of key usages which will be allowed for verification? If yes, is there any way to override that? Please help.
The error indicates that the certificate includes further attributes that the Gateway can't handle by default. These attributes are inserted for a specific purpose. In order to handle such attributes, there are two options:
Option 1: You can ignore key usage enforcement by setting the following cluster property:
pkix.keyUsage = IGNORE
***Note: This will require a Gateway restart to go into effect***
Details about this cluster-wide property can be found here: https://docops.ca.com/ca-api-gateway/8-4/en/cluster-properties/certificate-validation-cluster-properties
Option 2: You can implement your own key usage enforcement policy based on the information here: https://docops.ca.com/ca-api-gateway/8-3/en/publish-services-and-configure-policies/working-with-policies/key-usage-enforcement-policy
Director, CA Support
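To make concrete what key usage enforcement evaluates and what an IGNORE mode switches off, the following is an added example, not part of the original thread and not the Gateway's own code. It models generic RFC 5280-style checks; the `POLICY` table, the `verifySignature` activity name, the `mode` argument and the vendor OID are assumptions made for illustration.

```python
# Added illustration: generic RFC 5280-style key usage enforcement.
# Not the Gateway's implementation; POLICY and the activity name are hypothetical.

# KeyUsage bit names in RFC 5280 order. Bit 0 is the most significant bit of
# the first octet, so 0xc0 = digitalSignature + nonRepudiation.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly"]

EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"          # id-kp-emailProtection
ANY_EKU = "2.5.29.37.0"                         # anyExtendedKeyUsage
CONSTRUCTED_VENDOR_EKU = "1.3.6.1.4.1.99999.1"  # constructed placeholder OID

# Hypothetical policy: per activity, the KU bits required and the EKUs accepted.
POLICY = {
    "verifySignature": {"ku": {"digitalSignature"}, "eku": {EMAIL_PROTECTION}},
}


def decode_key_usage(hex_octet):
    """Turn the first KeyUsage octet (e.g. 'c0') into a set of bit names."""
    value = int(hex_octet, 16)
    return {name for i, name in enumerate(KU_BITS) if value & (0x80 >> i)}


def check(activity, ku_hex, ekus, mode="ENFORCE"):
    """Return (allowed, reason). ekus is None when the cert has no EKU extension."""
    if mode == "IGNORE":
        # Enforcement disabled: the certificate's declared purposes are not read.
        return True, "key usage not evaluated"
    rule = POLICY[activity]
    missing = rule["ku"] - decode_key_usage(ku_hex)
    if missing:
        return False, "missing key usage: " + ", ".join(sorted(missing))
    # An absent EKU extension places no restriction; a present one is exhaustive.
    if ekus is not None and ANY_EKU not in ekus and not (rule["eku"] & set(ekus)):
        return False, "no accepted extended key usage"
    return True, "permitted"
```

With enforcement off, a certificate issued only for key encipherment would pass the same check as a signing certificate, which is the trade-off between the two options given in the answer.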