This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
The [{$pagename}] field is intended to facilitate orderly changes in [Certificate] formats over time.
!! [RFC 5280] [X.509v3]
This field describes the [version] of the encoded [certificate] and uses Zero-Based Indexing.
When [extensions|Certificate Extensions] are used, as expected in this profile, [version] [MUST] be 3 (value is 2). If no extensions are present, but a UniqueIdentifier is present, the [version] [SHOULD] be 2 (value is 1); however, the version [MAY] be 3.
If only basic fields are present, the version [SHOULD] be 1 (the value is omitted from the certificate as the default value); however, the version [MAY] be 2 or 3.
Implementations [SHOULD] be prepared to accept any version certificate. At a minimum, conforming implementations [MUST] recognize [version] [3|X.509v3] certificates.
Generation of version 2 [certificates] is not expected by implementations based on this profile.
!! [X.509 Style Guide]
Version ::= INTEGER { v1(0), v2(1), v3(2) }
This field is used mainly for marketing purposes to claim that software is [X.509v3] compliant (even when it isn't). The default version is v1(0), if the [issuerUniqueID] or [subjectUniqueID] are present then the version must be v2(1) or v3(2). If extensions are present then the version must be v3(2). An implementation should target [v3|X.509v3] certificates, which is what everyone is moving towards.
Note that the version numbers are one less than the actual X.509 version because in the [ASN.1] world you start counting from 0, not 1 (although it's not necessary to use sequences of integers for version numbers. X.420, for example, is under the impression that 2 is followed by 22 rather than the more generally accepted 3).
If your software generates v1 certificates, it's a good idea to actually mark them as such and not just mark everything as v3 whether it is or not. Although no standard actually forbids marking a v1 certificate as v3, backwards-compatibility (as well as truth-in-advertising) considerations would indicate that a v1 certificate should be marked as such.
!! [CCITT]/[ISO]
The initial [{$pagename}] number for certificates used in [PEM] is the [X.509] default which has a value of zero (0), indicating the 1988 version. [PEM] implementations are encouraged to accept later versions as they are endorsed by [CCITT]/[ISO].
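The version rules described above (zero-based value, v1 omitted as the default, extensions requiring v3, unique identifiers requiring v2 or v3) can be checked mechanically on a DER-encoded TBSCertificate. The following Python is an added example, not part of the original page or of the documents it cites; the names read_tlv, check_version, tlv, BASIC and sample are hypothetical, and the inputs are constructed skeletons rather than real certificates.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_version(tbs):
    """Return (x509_version, problems) for a DER-encoded TBSCertificate."""
    tag, body, _ = read_tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    value, explicit, tags, pos = 0, False, set(), 0   # value 0 (v1) is the DEFAULT
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t == 0xA0 and not tags:          # [0] EXPLICIT Version, only as first field
            itag, ival, _ = read_tlv(v, 0)
            if itag != 0x02:
                raise ValueError("version is not an INTEGER")
            value, explicit = int.from_bytes(ival, "big"), True
        tags.add(t)
    problems = []
    if value > 2:
        problems.append("unknown version value %d" % value)
    if explicit and value == 0:
        problems.append("v1 is the DEFAULT and must be omitted, not encoded")
    if 0xA3 in tags and value != 2:         # [3] extensions
        problems.append("extensions present: version must be v3 (value 2)")
    if tags & {0x81, 0x82} and value < 1:   # [1]/[2] IMPLICIT unique identifiers
        problems.append("unique identifier present: version must be v2 or v3")
    return value + 1, problems

def tlv(tag, content=b""):
    """Encode a short (< 128 byte) DER element; enough for the constructed samples."""
    return bytes([tag, len(content)]) + content

# Constructed skeletons, not real certificates: serialNumber plus empty SEQUENCEs
# standing in for signature, issuer, validity, subject and subjectPublicKeyInfo.
BASIC = tlv(0x02, b"\x01") + tlv(0x30) * 5
def sample(version=None, tail=b""):
    head = b"" if version is None else tlv(0xA0, tlv(0x02, bytes([version])))
    return tlv(0x30, head + BASIC + tail)
```

check_version returns the human-readable X.509 version (encoded value plus one) together with any rule violations, so a v3 certificate without extensions passes while an unmarked certificate carrying extensions is flagged.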
----
* [#1] - [4.1.2.1 Version|https://tools.ietf.org/html/rfc5280#section-4.1.2.1|target='_blank'] - based on information obtained 2018-07-19