December 21, 2025
GuardSSL Team

Extended Key Usage (EKU) Explained: What It Means for Your Certificate

When checking your certificate with GuardSSL, you might see an Extended Key Usage field showing something like "serverAuth, clientAuth." What does this mean?

Understanding EKU in Simple Terms

Think of EKU as your certificate's license to operate—it specifies what the certificate is authorized to do.

Here's a real-world analogy: Your driver's license shows what vehicles you can drive—a Class C for cars, Class A for trucks, Class M for motorcycles. SSL certificates work the same way: EKU defines what purposes the certificate is allowed to serve.

Common EKU Values

Here are the values you might see in your scan results:

serverAuth (Server Authentication)

This is the most common EKU. When you see this, it means the certificate can be used for HTTPS websites—allowing the server to prove its identity to browsers.

Nearly every website SSL certificate has this EKU.

clientAuth (Client Authentication)

This EKU allows the certificate to be used for client-side authentication. Common scenarios include:

  • Mutual TLS (mTLS)
  • VPN client certificates
  • Internal enterprise system authentication

Regular websites typically don't need this, but many certificates include both serverAuth and clientAuth.

codeSigning (Code Signing)

Used for signing software and code, proving the software comes from a trusted publisher:

  • Application installers
  • Device drivers
  • Browser extensions

This EKU won't appear in website SSL certificates.

emailProtection (Email Protection)

Used for S/MIME email encryption and signing.

This is also a specialized certificate type, not used for websites.

OCSPSigning (OCSP Signing)

Used for signing OCSP responses (certificate status query answers).

This is for special CA certificates—your website certificate won't have this.

Why EKU Matters

Security Restrictions

EKU limits what a certificate can be used for, preventing misuse.

Consider this: if a website certificate could also sign software, an attacker who obtained that certificate could not only impersonate the website but also sign malware. EKU prevents such cross-purpose abuse.

Browser Verification

When you visit an HTTPS website, the browser checks the certificate's EKU:

  1. Does the certificate have serverAuth?
  2. If not, reject the connection

So a certificate with only codeSigning but no serverAuth cannot be used for websites.

What EKU Should Your Website Certificate Have?

Minimum Requirement

serverAuth

This alone is sufficient for a regular HTTPS website.

Common Configuration

serverAuth, clientAuth

Many certificates include both by default, providing more flexibility.

Not Needed

If your certificate is for a website, you don't need:

  • codeSigning
  • emailProtection
  • OCSPSigning
  • Other specialized purposes

EKU vs. Key Usage: What's the Difference?

You might also see a Key Usage field. Here's how they differ:

Field               | Description                                  | Examples
Key Usage           | Low-level cryptographic operations allowed   | digitalSignature, keyEncipherment
Extended Key Usage  | High-level application purposes              | serverAuth, clientAuth

Key Usage defines technical capabilities; EKU defines practical use cases. Together, they provide fine-grained permission control.
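The following is an added example, not GuardSSL's own code or scanner logic, that ties together the three points above: the named EKU values, the browser check "is serverAuth present?", and the difference between Key Usage and EKU at the encoding level. In a certificate, Key Usage is a DER BIT STRING of capability bits, while Extended Key Usage is a DER SEQUENCE of OBJECT IDENTIFIERs, one per purpose. The OIDs and bit positions are the ones defined in RFC 5280; every byte string in the block is constructed for the demonstration and does not come from a real certificate. The encoder functions exist only to build that sample input.

```python
"""Decode the two X.509 extensions compared above: keyUsage (a DER BIT STRING
of cryptographic capabilities) and extendedKeyUsage (a DER SEQUENCE OF
OBJECT IDENTIFIER naming application purposes), then apply the browser
rule "the EKU list must contain serverAuth".
Added example, not GuardSSL's code. Every byte string is constructed here
from the RFC 5280 encodings; none is taken from a real certificate."""
from typing import List, Optional

# KeyPurposeId OIDs (RFC 5280 section 4.2.1.12) and the names a scan shows
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}
# keyUsage bit positions (RFC 5280 section 4.2.1.3), bit 0 first
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length

def decode_oid(body: bytes) -> str:
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]                        # 40*arc1 + arc2, arc1 is 0, 1 or 2
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:                     # base-128 digits, high bit = continue
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("malformed OID")
    return ".".join(map(str, arcs))

def decode_eku(ext_value: bytes) -> List[str]:
    """Return the EKU names in order; unknown OIDs stay in dotted form."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oid = decode_oid(body)
        names.append(EKU_NAMES.get(oid, oid))
    return names

def decode_key_usage(ext_value: bytes) -> List[str]:
    """Return the names of the bits set in a keyUsage BIT STRING."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x03 or end != len(ext_value):
        raise ValueError("keyUsage must be a single BIT STRING")
    bits = body[1:]                        # body[0] counts unused trailing bits
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]

def usable_for_https(eku_value: Optional[bytes], require_eku: bool = True) -> bool:
    """The browser check from the article: accept only if serverAuth is listed.
    RFC 5280 treats an absent extension as 'no restriction'; whether a website
    certificate may omit it is a policy choice, so the caller decides."""
    if eku_value is None:
        return not require_eku
    return "serverAuth" in decode_eku(eku_value)

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06); used here only to build sample input."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(*dotted_oids: str) -> bytes:
    """Wrap OIDs in a SEQUENCE (short-form length suffices for EKU lists)."""
    inner = b"".join(encode_oid(o) for o in dotted_oids)
    return bytes([0x30, len(inner)]) + inner

if __name__ == "__main__":
    eku = encode_eku("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")  # "serverAuth, clientAuth"
    print("EKU:", decode_eku(eku), "| HTTPS ok:", usable_for_https(eku))
    print("Key Usage:", decode_key_usage(bytes.fromhex("030205a0")))  # bits 0 and 2 set
```

Running the block decodes the constructed "serverAuth, clientAuth" list and accepts it for HTTPS, while a list containing only codeSigning is rejected, which is exactly the two-step browser check described above. The `require_eku` flag is there because the article's step 1 and RFC 5280 answer the "no EKU field at all" case differently: the RFC says no restriction, a strict website check says no serverAuth.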

Checking EKU in GuardSSL

When you scan a website, the "Extended Key Usage" field shows a comma-separated list of EKUs.

Normal situation: Contains serverAuth

Worth noting:

  • If this field is completely absent, it might be an older certificate format
  • If it only contains other values without serverAuth, the certificate might not be designed for websites

Key Takeaways

  • EKU defines what purposes a certificate can serve
  • Website SSL certificates must have serverAuth
  • clientAuth is optional, used for mutual authentication
  • EKU is a security restriction preventing certificate misuse
  • Regular websites don't need code signing, email protection, or other EKUs

Understanding EKU helps you verify your certificate is properly configured for its intended purpose.

Check Your SSL Certificate Now

Want to see these certificate details for your own website? Use our free SSL checker to instantly analyze your certificate's security, validity, and configuration.

No registration required • Instant results • 100% free