Certificate Extensions


The extensions defined for X.509v3 certificates provide methods for associating additional attributes with users or public keys and for managing relationships between CAs.

The X.509v3 certificate format also allows communities to define private extensions to carry information unique to those communities.

critical or non-critical#

Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.

A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.

Certificate Extensions usage#

The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.

Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue. A certificate MUST NOT include more than one instance of a particular extension.

For example, a certificate may contain only one authority key identifier extension (Section An extension includes the boolean critical, with a default value of FALSE. The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.
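As an added example (not code from the original page or from RFC 5280), the following Python encodes an X.509v3 Extensions sequence in DER, decodes it back into (extnID, critical, extnValue) triples, and applies the rules stated in the two sections above: a recognized extension is processed whether or not it is critical, an unrecognized non-critical extension is ignored, an unrecognized critical extension causes rejection, and a second instance of the same extnID causes rejection. The OIDs for basicConstraints, keyUsage, subjectAltName and authorityKeyIdentifier are the standard ones; the inner extension payloads and the private OID 1.3.6.1.4.1.99999.1 are constructed placeholders.

```python
"""Minimal DER encoder/decoder for X.509v3 Extensions plus the acceptance rules.
Sample payloads below are constructed; 1.3.6.1.4.1.99999.1 is a placeholder arc."""

SEQUENCE, BOOLEAN, OID, OCTET_STRING = 0x30, 0x01, 0x06, 0x04


def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # remaining arcs: base-128, MSB first
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(body):
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits a BOOLEAN equal to its DEFAULT."""
    body = encode_oid(oid)
    if critical:
        body += tlv(BOOLEAN, b"\xff")
    return tlv(SEQUENCE, body + tlv(OCTET_STRING, value))


def encode_extensions(exts):
    return tlv(SEQUENCE, b"".join(encode_extension(*e) for e in exts))


def read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def parse_extensions(der):
    """Decode an Extensions SEQUENCE into (extnID, critical, extnValue) triples."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == SEQUENCE
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == SEQUENCE
        tag, oid_body, p = read_tlv(ext, 0)
        assert tag == OID
        critical = False
        tag, body, p = read_tlv(ext, p)
        if tag == BOOLEAN:                      # absent means DEFAULT FALSE
            critical = body != b"\x00"
            tag, body, p = read_tlv(ext, p)
        assert tag == OCTET_STRING
        result.append((decode_oid(oid_body), critical, body))
    return result


RECOGNIZED = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage",
              "2.5.29.17": "subjectAltName", "2.5.29.35": "authorityKeyIdentifier"}


def check_extensions(der, recognized=RECOGNIZED):
    """Apply the profile's rules. Returns (accepted, processed_names, reason)."""
    seen, processed = set(), []
    for oid, critical, _value in parse_extensions(der):
        if oid in seen:                         # at most one instance per extnID
            return False, processed, "duplicate extension " + oid
        seen.add(oid)
        if oid in recognized:                   # recognized: MUST be processed
            processed.append(recognized[oid])
        elif critical:                          # unrecognized + critical: MUST reject
            return False, processed, "unrecognized critical extension " + oid
        # unrecognized + non-critical: MAY be ignored
    return True, processed, "ok"


# Constructed sample payloads (inner DER structures) and a placeholder private OID.
BC_CA = b"\x30\x03\x01\x01\xff"          # BasicConstraints { cA TRUE }
KU_SIGN = b"\x03\x02\x05\xa0"            # KeyUsage: digitalSignature, keyEncipherment
SAN = b"\x30\x0d\x82\x0bexample.com"     # GeneralNames { dNSName "example.com" }
PRIVATE_OID = "1.3.6.1.4.1.99999.1"

GOOD = encode_extensions([("2.5.29.19", BC_CA, True), ("2.5.29.15", KU_SIGN, True),
                          ("2.5.29.17", SAN, False), (PRIVATE_OID, b"\x04\x00", False)])
BAD_CRITICAL = encode_extensions([("2.5.29.19", BC_CA, True), (PRIVATE_OID, b"\x04\x00", True)])
BAD_DUPLICATE = encode_extensions([("2.5.29.15", KU_SIGN, True), ("2.5.29.15", KU_SIGN, True)])

if __name__ == "__main__":
    for name, der in (("good", GOOD), ("bad_critical", BAD_CRITICAL), ("bad_dup", BAD_DUPLICATE)):
        print(name, check_extensions(der))
```

Because DER forbids encoding a BOOLEAN that equals its DEFAULT, `critical` is simply absent for non-critical extensions; the parser treats absence as FALSE, which is also why a decoder that assumes every Extension has exactly three elements will misread well-formed input.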

Conforming CAs MUST support Certificate Extensions:

If the CA issues certificates with an empty sequence for the subject field, the CA MUST support the subject alternative name extension (Section Support for the remaining extensions is OPTIONAL. Conforming CAs MAY support extensions that are not identified within this specification; certificate issuers are cautioned that marking such extensions as critical may inhibit interoperability.

At a minimum, applications conforming to this profile MUST recognize the following extensions:

In addition, applications conforming to this profile SHOULD recognize the authority and subject key identifier (Sections and ) and policy mappings (Section, https://tools.ietf.org/html/rfc5280#section-) extensions.
