Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.
A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.
Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue. A certificate MUST NOT include more than one instance of a particular extension.
For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1). An extension includes the boolean critical, with a default value of FALSE. The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.
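The extension layout just described (extnID OID, optional critical BOOLEAN defaulting to FALSE, extnValue OCTET STRING) and the two processing rules (reject an unrecognized critical extension, reject a repeated extension, ignore an unrecognized non-critical one) can be exercised with a small hand-written DER walker. This is an added example, not code from RFC 5280 or from this wiki; the RECOGNIZED table, the made-up OID 1.2.3.4 and the three sample Extensions sequences are constructed for the demonstration.

```python
# Added example (not from RFC 5280 or this wiki): minimal DER walker applying the Section 4.2
# rules to an Extensions SEQUENCE. RECOGNIZED is this hypothetical relying party's own set.
RECOGNIZED = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints"}
def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, contents, next_pos); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: low 7 bits = number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def oid_to_str(raw):
    """Base-128 OID contents -> dotted string (first octet packs arcs 1 and 2 as 40*a+b)."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))
def parse_extensions(der):
    """Yield (extnID, critical, extnValue) for each Extension in the outer SEQUENCE."""
    body, pos = der_tlv(der, 0)[1], 0
    while pos < len(body):
        _, ext, pos = der_tlv(body, pos)
        _, oid_raw, p = der_tlv(ext, 0)
        tag, val, p = der_tlv(ext, p)
        critical = tag == 0x01 and val == b"\xff"  # BOOLEAN is only encoded when TRUE (DER omits DEFAULT)
        if tag == 0x01: tag, val, p = der_tlv(ext, p)   # skip the BOOLEAN to reach extnValue
        yield oid_to_str(oid_raw), critical, val   # val is the inner DER structure, not decoded here
def check_extensions(der):
    """Return (accepted, reason, processed_extension_names) for one certificate's extensions."""
    seen, processed = set(), []
    for oid, critical, _value in parse_extensions(der):
        if oid in seen:                            # MUST NOT appear more than once
            return False, "duplicate extension " + oid, processed
        seen.add(oid)
        if oid in RECOGNIZED:                      # recognized -> MUST be processed
            processed.append(RECOGNIZED[oid])
        elif critical:                             # unrecognized critical -> MUST reject
            return False, "unrecognized critical extension " + oid, processed
    return True, "ok", processed                   # unrecognized non-critical ones were ignored
# Constructed sample inputs (tiny encoder; short-form lengths are enough for these sizes).
def tlv(tag, c): return bytes([tag, len(c)]) + c
def ext(oid, critical, value):
    return tlv(0x30, tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value))
BC, KU, PRIV = b"\x55\x1d\x13", b"\x55\x1d\x0f", b"\x2a\x03\x04"   # 2.5.29.19, 2.5.29.15, made-up 1.2.3.4
CA_TRUE, DIGSIG = tlv(0x30, tlv(0x01, b"\xff")), tlv(0x03, b"\x07\x80")  # cA=TRUE; keyUsage digitalSignature
GOOD = tlv(0x30, ext(BC, True, CA_TRUE) + ext(KU, True, DIGSIG) + ext(PRIV, False, b"\x05\x00"))
BAD_CRITICAL = tlv(0x30, ext(BC, True, CA_TRUE) + ext(PRIV, True, b"\x05\x00"))
BAD_DUPLICATE = tlv(0x30, ext(KU, True, DIGSIG) + ext(KU, False, DIGSIG))
```

Calling `check_extensions` on each of the three samples shows the accept, reject-for-unknown-critical and reject-for-duplicate outcomes; a real relying party would then decode each recognized extnValue and apply the per-extension rules of Section 4.2.1.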
Conforming CAs MUST support the following extensions:
- key identifiers (Sections 4.2.1.1 and 4.2.1.2)
- basic constraints (Section 4.2.1.9)
- key usage (Section 4.2.1.3)
- certificate policies (Section 4.2.1.4)
At a minimum, applications conforming to this profile MUST recognize the following extensions:
- KeyUsage (Section 4.2.1.3)
- Certificate Policies (Section 4.2.1.4)
- Subject Alternative Name (Section 4.2.1.)
- Basic Constraints (Section 4.2.1.9)
- Name Constraints (Section 4.2.1.10)
- Policy Constraints (Section 4.2.1.11)
- Extended Key Usage (Section 4.2.1.12)
- Inhibit anyPolicy (Section 4.2.1.14)
In addition, applications conforming to this profile SHOULD recognize the authority and subject key identifier (Sections 4.2.1.1 and 4.2.1.2) and policy mappings (Section 4.2.1.5, https://tools.ietf.org/html/rfc5280#section-4.2.1.5) extensions.
More Information
There might be more information for this subject on one of the following:
- [#1] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280) - based on information obtained 2015-05-24