critical or non-critical
Each certificate extension is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.
Certificate Extensions usage
The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.
Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER-encoded structure is the value of the octet string extnValue. A certificate MUST NOT include more than one instance of a particular extension.
For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1). An extension includes the boolean critical, with a default value of FALSE. The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.
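The two rules above (reject an unrecognized critical extension; reject a certificate that carries the same extnID twice) as an added example, not code from the original page: a minimal DER walker over the Extensions SEQUENCE. The sample extension data and the private OID 1.3.6.1.4.1.55555.1 are constructed for the example, not taken from any real certificate.

```python
def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one TLV with a short-form length (content shorter than 128 bytes)."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf: bytes, pos: int):
    """Read the DER TLV at pos; return (tag, content, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """OBJECT IDENTIFIER contents to dotted form: first byte is 40*arc1+arc2, then base-128 arcs."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_extensions(der: bytes) -> list[tuple[str, bool, bytes]]:
    """Extensions ::= SEQUENCE OF Extension {extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING}."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    out, seen, pos = [], set(), 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        t, field, p = read_tlv(ext, 0)
        oid = decode_oid(field)
        t, field, p = read_tlv(ext, p)
        critical = False                            # DEFAULT FALSE: an absent BOOLEAN means non-critical
        if t == 0x01:
            critical, (t, field, p) = field == b"\xff", read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        if oid in seen:                             # a certificate MUST NOT carry an extension twice
            raise ValueError(f"duplicate extension {oid}")
        seen.add(oid)
        out.append((oid, critical, field))          # field is the still-DER-encoded extension body
    return out

def unrecognized_critical(der: bytes, known=frozenset({"2.5.29.15", "2.5.29.17", "2.5.29.19"})) -> list[str]:
    """OIDs that force rejection: marked critical but not understood by this relying party."""
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in known]

def ext(oid: bytes, critical: bool, inner: bytes) -> bytes:
    """Encode one Extension; DER omits the critical BOOLEAN when it equals the default FALSE."""
    return tlv(0x30, tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, inner))

# Constructed sample data (not a real certificate): 2.5.29.19 basicConstraints, 2.5.29.15 keyUsage,
# and 1.3.6.1.4.1.55555.1 standing in for a private extension this relying party does not recognize.
BC, KU, PRIVATE = b"\x55\x1d\x13", b"\x55\x1d\x0f", b"\x2b\x06\x01\x04\x01\x83\xb2\x03\x01"
GOOD = tlv(0x30, ext(BC, True, tlv(0x30, tlv(0x01, b"\xff"))) + ext(KU, True, tlv(0x03, b"\x01\x06")))
UNKNOWN_CRITICAL = tlv(0x30, GOOD[2:] + ext(PRIVATE, True, tlv(0x04, b"\x01")))
DUPLICATE = tlv(0x30, GOOD[2:] + ext(KU, False, tlv(0x03, b"\x01\x06")))
```

`unrecognized_critical(UNKNOWN_CRITICAL)` names the private OID that must cause rejection, while `parse_extensions(DUPLICATE)` raises on the repeated keyUsage before any policy check runs.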
Conforming CAs MUST support the following extensions:
- key identifiers - Authority Key Identifier and Subject Key Identifier (Sections 4.2.1.1 and 4.2.1.2)
- basic constraints (Section 4.2.1.9)
- key usage (Section 4.2.1.3)
- certificate policies (Section 4.2.1.4)
At a minimum, applications conforming to this profile MUST recognize the following extensions:
- KeyUsage (Section 4.2.1.3)
- certificatePolicies (Section 4.2.1.4)
- Subject Alternative Name (Section 4.2.1.6)
- basicConstraints (Section 4.2.1.9)
- nameConstraints (Section 4.2.1.10)
- policyConstraints (Section 4.2.1.11)
- extendedKeyUsage (Section 4.2.1.12)
- inhibitAnyPolicy (Section 4.2.1.14)
In addition, applications conforming to this profile SHOULD recognize the authority and subject key identifier (Sections 4.2.1.1 and 4.2.1.2) and policy mappings (Section 4.2.1.5, https://tools.ietf.org/html/rfc5280#section-4.2.1.5) extensions.
More Information
There might be more information for this subject on one of the following:
- Example Certificate
- PKCS 6
- Subject Alternative Name
- [#1] - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - based on information obtained 2015-05-24