Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.
A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.
Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue. A certificate MUST NOT include more than one instance of a particular extension.
For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1). An extension includes the boolean critical, with a default value of FALSE. The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.
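As an added example (not part of the original page or of RFC 5280), the following Python walks a DER-encoded Extensions SEQUENCE and applies the rules above: each Extension is decoded as extnID, an optional critical BOOLEAN (DEFAULT FALSE, so omitted in DER when false) and the extnValue OCTET STRING; a duplicate extnID or an unrecognized critical extension is an error, and an unrecognized non-critical extension is ignored. The KNOWN table stands in for a hypothetical application's set of supported extensions, the DER decoder handles short-form lengths only, and SAMPLE is a constructed byte string, not taken from any real certificate.

```python
KNOWN = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints"}  # hypothetical app's supported extnIDs

def _tlv(buf, pos):
    """Decode the DER TLV at pos (short-form length only): (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _oid(raw):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def check_extensions(der):
    """Apply the Section 4.2 rules; any entry in errors means reject the certificate."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    seen, accepted, ignored, errors, pos = set(), [], [], [], 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)              # one Extension SEQUENCE
        tag, val, p = _tlv(ext, 0)
        oid, critical = _oid(val), False           # extnID; critical DEFAULT FALSE
        tag, val, p = _tlv(ext, p)
        if tag == 0x01:                            # BOOLEAN present: explicit critical flag
            critical = val != b"\x00"
            tag, val, p = _tlv(ext, p)
        if tag != 0x04:                            # extnValue OCTET STRING (DER inside)
            raise ValueError("malformed Extension " + oid)
        if oid in seen:
            errors.append("duplicate " + oid)      # MUST NOT appear more than once
        elif oid in KNOWN:
            accepted.append(KNOWN[oid])            # recognized: MUST process
        elif critical:
            errors.append("unrecognized critical " + oid)   # MUST reject
        else:
            ignored.append(oid)                    # unrecognized, non-critical: MAY ignore
        seen.add(oid)
    return accepted, ignored, errors

SAMPLE = bytes.fromhex(                            # constructed Extensions SEQUENCE
    "3041"
    "300e 0603551d0f 0101ff 0404 030205a0"         # keyUsage, critical
    "3009 0603551d13 0402 3000"                    # basicConstraints, non-critical
    "300c 06032a0304 0101ff 0402 0400"             # unknown 1.2.3.4, critical
    "3009 06032a0305 0402 0400"                    # unknown 1.2.3.5, non-critical
    "300b 0603551d0f 0404 030205a0")               # keyUsage again: duplicate
```

Running `check_extensions(SAMPLE)` yields two accepted extensions, one ignored OID and two errors, so the sample certificate would be rejected.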
Conforming CAs MUST support the following extensions:
- key identifiers (Sections 4.2.1.1 and 4.2.1.2)
- basic constraints (Section 4.2.1.9)
- key usage (Section 4.2.1.3)
- certificate policies (Section 4.2.1.4)
At a minimum, applications conforming to this profile MUST recognize the following extensions:
- Key Usage (Section 4.2.1.3)
- Certificate Policies (Section 4.2.1.4)
- Subject Alternative Name (Section 4.2.1.6)
- Basic Constraints (Section 4.2.1.9)
- Name Constraints (Section 4.2.1.10)
- Policy Constraints (Section 4.2.1.11)
- Extended Key Usage (Section 4.2.1.12)
- Inhibit anyPolicy (Section 4.2.1.14)
In addition, applications conforming to this profile SHOULD recognize the authority and subject key identifier (Sections 4.2.1.1 and 4.2.1.2) and policy mappings (Section 4.2.1.5, https://tools.ietf.org/html/rfc5280#section-4.2.1.5) extensions.
More Information

There might be more information for this subject on one of the following:
- [#1] - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - based on information obtained 2015-05-24