Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.
A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.
Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue. A certificate MUST NOT include more than one instance of a particular extension.
For example, a certificate may contain only one authority key identifier extension (Section 22.214.171.124). An extension includes the boolean critical, with a default value of FALSE. The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.
Conforming CAs MUST support extensions:
- key identifiers - (Sections 126.96.36.199 and 188.8.131.52)
- basic constraints (Section 184.108.40.206)
- key usage (Section 220.127.116.11)
- certificate policies (Section 18.104.22.168))
At a minimum, applications conforming to this profile MUST recognize the following extensions:
- KeyUsage (Section 22.214.171.124)
- certificatePolicies (Section 126.96.36.199)
- Subject Alternative Name (Section 4.2.1.)
- basicConstraints (Section 188.8.131.52)
- nameConstraints (Section 184.108.40.206)
- policyConstraints (Section 220.127.116.11)
- extendedKeyUsage (Section 18.104.22.168)
- inhibitAnyPolicy (Section 22.214.171.124).
In addition, applications conforming to this profile SHOULD recognize the authority and subject key identifier (Sections 126.96.36.199 and 188.8.131.52) and policy mappings (Section 184.108.40.206|https://tools.ietf.org/html/rfc5280#section-220.127.116.11]) extensions.
More Information#There might be more information for this subject on one of the following:
- [#1] - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - based on information obtained 2015-05-24