I'm currently developing some software that uses XML Signing to transfer files securely between two machines. We're using X.509 certificates from our own CA as keys.

The CA (Windows 2003 server) offers several types of certificates (Email Cert, Server Cert, ...).

Which one of those would I need to generate for XML Signature? To my knowledge, for signing a cert needs the "digital signing" extension, but how does that map to what Windows Server 2003 offers when filling out a certificate request?

Also helpful would be some pointers to good documentation; Google searches regarding X.509 drown in the white noise of articles concerning other topics around certificates.

A: 
cdonner
A: 

If you open up the Microsoft CA in Administrative Tools, at the bottom of the tree you will see Certificate Templates. Right-click and you will get the option to Manage. Select this.

A new window will open with all the certificate templates listed. You will then be able to view their properties. These will be presented as a tabbed display. On one of the tabs the purposes will be listed. Here you will see things like signing or key encipherment. You will be able to choose which template to use. A server one should be fine.

I'd be more exact, but I haven't the CA in front of me.

Having selected which one to use, make sure it is published.

Go to the first window and see if it's in the list of published templates.

If not, right-click on Manage Templates and, from All Tasks, select Publish. This will give you the option to publish.

Mark Sutton
+3  A: 

An XML Signature is just the format the signature is stored in; you do not need special key usages for XML Signatures themselves.

RSabet
Okay, so I understand we can use whatever certificate we have at hand for signing XML files (with our own code) without paying any attention to the key usages. Please correct me if I misunderstood. Thanks, Froh
froh42
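A concrete way to act on the last two posts: the added PowerShell example below (not code from anyone in the thread) picks a certificate from the Windows store only if its Key Usage extension asserts digitalSignature, signs an XML document with .NET's SignedXml, and verifies the result. The subject CN=xmlsign-demo, the one-time New-SelfSignedCertificate setup and the sample document are constructed placeholders, not values from the thread.

```powershell
# Added example (not from the thread): pick a store certificate whose Key Usage asserts
# digitalSignature, sign an XML document with .NET's SignedXml, then verify the result.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6.2+ and a test cert created once with:
#   New-SelfSignedCertificate -Subject 'CN=xmlsign-demo' -KeyUsage DigitalSignature -CertStoreLocation Cert:\CurrentUser\My
# 'CN=xmlsign-demo' is a constructed placeholder subject, not a value from the thread.
Add-Type -AssemblyName System.Security

function Test-DigitalSignatureUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Key Usage extension (OID 2.5.29.15): require it to be present and to assert digitalSignature
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if (-not $ku) { return $false }
    return (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)
}
function Get-XmlSigningCert {
    param([string]$Subject = 'CN=xmlsign-demo')
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -eq $Subject -and (Test-DigitalSignatureUsage $_) } |
        Select-Object -First 1
}
function New-EnvelopedXmlSignature {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$XmlText)
    $doc = New-Object System.Xml.XmlDocument -Property @{ PreserveWhitespace = $true }
    $doc.LoadXml($XmlText)
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signed.SigningKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $signed.SignedInfo.SignatureMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigRSASHA256Url
    $ref = New-Object System.Security.Cryptography.Xml.Reference
    $ref.Uri = ''   # empty URI: sign the whole document, minus the Signature element itself
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signed.AddReference($ref)
    $keyInfo = New-Object System.Security.Cryptography.Xml.KeyInfo
    $keyInfo.AddClause((New-Object System.Security.Cryptography.Xml.KeyInfoX509Data($Cert)))
    $signed.KeyInfo = $keyInfo   # embed the certificate so the receiver can identify the signer
    $signed.ComputeSignature()
    [void]$doc.DocumentElement.AppendChild($doc.ImportNode($signed.GetXml(), $true))
    return $doc.OuterXml        # signed XML text, as it would be transferred to the other machine
}
function Test-EnvelopedXmlSignature {
    param([string]$SignedXmlText, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $doc = New-Object System.Xml.XmlDocument -Property @{ PreserveWhitespace = $true }
    $doc.LoadXml($SignedXmlText)
    $verifier = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $verifier.LoadXml($doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#').Item(0))
    return $verifier.CheckSignature($Cert, $true)   # $true = check the signature only; chain trust is a separate step
}
$cert = Get-XmlSigningCert
if (-not $cert) { throw 'No certificate with a private key and the digitalSignature key usage was found' }
$signedXml = New-EnvelopedXmlSignature -Cert $cert -XmlText '<transfer><file name="report.xml"/></transfer>'  # constructed input
"Signature valid: $(Test-EnvelopedXmlSignature -SignedXmlText $signedXml -Cert $cert)"
```

SignedXml itself does not enforce key usage, so the filter in Get-XmlSigningCert is the place where an unsuitable template (for example, one issued for key encipherment only) is rejected before anything is signed.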