!!! Overview[1]
The extensions defined for [X.509v3] [certificates] provide methods for associating additional [attributes] with users or [Public Keys] and for managing [relationships] between [Certificate Authorities|Certificate Authority].  


The [X.509v3] [certificate] format also allows communities to define private extensions to carry information unique to those communities.  


!! Critical or Non-Critical
Each [{$pagename}] in a certificate is designated as either critical or non-critical. A [certificate]-using system [MUST] reject the certificate if it encounters a __critical__ extension it does not recognize or a critical extension that contains information that it cannot process.  

A non-critical extension [MAY] be ignored if it is not recognized, but [MUST] be processed if it is recognized.  

!! [{$pagename}] usage
The following sections present recommended extensions used within Internet certificates and standard locations for information.  Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.


Each extension includes an [OID] and an [ASN.1] structure.  When an [{$pagename}] appears in a [certificate], the [OID] appears as the field extnID and the corresponding [ASN.1] [DER] encoded structure is the value of the octet string extnValue.  A [certificate] __MUST NOT__ include more than one instance of a particular extension.  

For example, a certificate may contain only one [authority key identifier extension|AuthorityKeyIdentifier] ([Section 4.2.1.1|https://tools.ietf.org/html/rfc5280#section-4.2.1.1]).  An extension includes the [Boolean] critical, with a default value of FALSE.  The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.

Conforming [CAs|Certificate Authority] [MUST] support [{$pagename}]:
* key identifiers - [Authority Key Identifier|AuthorityKeyIdentifier] and [Subject Key IDentifier|SubjectKeyIdentifier] ([Sections 4.2.1.1|https://tools.ietf.org/html/rfc5280#section-4.2.1.1] and [4.2.1.2|https://tools.ietf.org/html/rfc5280#section-4.2.1.2])
* [basic constraints|BasicConstraints] ([Section 4.2.1.9|https://tools.ietf.org/html/rfc5280#section-4.2.1.9])
* [KeyUsage] ([Section 4.2.1.3|https://tools.ietf.org/html/rfc5280#section-4.2.1.3])
* [Certificate Policies] ([Section 4.2.1.4|https://tools.ietf.org/html/rfc5280#section-4.2.1.4])  
If the CA issues certificates with an empty sequence for the [subject field], the CA [MUST] support the [Subject Alternative Name] extension ([Section 4.2.1.6|https://tools.ietf.org/html/rfc5280#section-4.2.1.6]).
  
Support for the remaining extensions is __OPTIONAL__. Conforming CAs MAY support extensions that are not identified within this specification; certificate issuers are cautioned that marking such extensions as critical may inhibit interoperability.

At a minimum, applications conforming to this profile __MUST__ recognize the following extensions: 
* [KeyUsage] ([Section 4.2.1.3|https://tools.ietf.org/html/rfc5280#section-4.2.1.3])
* [Certificate Policies] ([Section 4.2.1.4|https://tools.ietf.org/html/rfc5280#section-4.2.1.4])
* [Subject Alternative Name] ([Section 4.2.1.6|https://tools.ietf.org/html/rfc5280#section-4.2.1.6])
* [basicConstraints] ([Section 4.2.1.9|https://tools.ietf.org/html/rfc5280#section-4.2.1.9])
* [nameConstraints] ([Section 4.2.1.10|https://tools.ietf.org/html/rfc5280#section-4.2.1.10])
* [policyConstraints] ([Section 4.2.1.11|https://tools.ietf.org/html/rfc5280#section-4.2.1.11])
* [extendedKeyUsage] ([Section 4.2.1.12|https://tools.ietf.org/html/rfc5280#section-4.2.1.12])
* [inhibitAnyPolicy] ([Section 4.2.1.14|https://tools.ietf.org/html/rfc5280#section-4.2.1.14]).

In addition, applications conforming to this profile __SHOULD__ recognize the [authority|AuthorityKeyIdentifier] and [Subject Key IDentifier|SubjectKeyIdentifier] ([Sections 4.2.1.1|https://tools.ietf.org/html/rfc5280#section-4.2.1.1] and [4.2.1.2|https://tools.ietf.org/html/rfc5280#section-4.2.1.2]) and policy mappings ([Section 4.2.1.5|https://tools.ietf.org/html/rfc5280#section-4.2.1.5]) extensions.
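
The processing rules above (reject an unrecognized critical extension, allow at most one instance of each extension, treat an absent critical field as FALSE), shown as an added example that is not code from RFC 5280 or from this page: a standard-library-only walk over a DER-encoded Extensions SEQUENCE. The function names and sample bytes are constructed for illustration, the private extension uses OID 2.999.1 from the arc reserved for examples, and the check does not cover whether a recognized extension's contents can be processed.

```python
# Added example; function names are illustrative. RECOGNIZED = OIDs applications MUST recognize.
RECOGNIZED = {"2.5.29.15", "2.5.29.32", "2.5.29.17", "2.5.29.19",  # keyUsage, certificatePolicies, subjectAltName, basicConstraints
              "2.5.29.30", "2.5.29.36", "2.5.29.37", "2.5.29.54"}  # nameConstraints, policyConstraints, extKeyUsage, inhibitAnyPolicy

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID contents -> dotted string
    arcs, val = [], 0
    for b in body:  # base-128 subidentifiers; high bit set means more octets follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)  # first subidentifier packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_extensions(der):
    """Return (accepted, reasons) for a DER-encoded Extensions SEQUENCE."""
    _, body, _ = read_tlv(der, 0)
    seen, reasons, pos = set(), [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)          # one Extension
        _, oid_body, nxt = read_tlv(ext, 0)        # extnID
        oid = decode_oid(oid_body)
        tag, val, _ = read_tlv(ext, nxt)           # critical, or extnValue if omitted
        critical = tag == 0x01 and val != b"\x00"  # absent BOOLEAN means FALSE
        if oid in seen:
            reasons.append(f"duplicate extension {oid}")
        seen.add(oid)
        if critical and oid not in RECOGNIZED:
            reasons.append(f"unrecognized critical extension {oid}")
    return not reasons, reasons

def tlv(tag, body):  # sample-data helper, short-form lengths only
    return bytes([tag, len(body)]) + body

def make_ext(oid_hex, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits DEFAULT FALSE
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + crit + tlv(0x04, value))

def sample(private_critical):  # constructed: critical keyUsage + private extension 2.999.1
    ku = make_ext("551d0f", bytes.fromhex("03020780"), critical=True)
    return tlv(0x30, ku + make_ext("883701", b"\x05\x00", private_critical))
```

Calling `check_extensions(sample(False))` accepts the set because the private extension is non-critical, while `check_extensions(sample(True))` rejects it.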

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile|https://tools.ietf.org/html/rfc5280#page-26|target='_blank'] - based on information obtained 2015-05-24
* [#2] - [4.1.1.9 Extensions|https://tools.ietf.org/html/rfc5280#section-4.1.1.9|target='_blank'] - based on information obtained 2018-07-19 
* [#3] - [4.2 Certificate Extensions|https://tools.ietf.org/html/rfc5280#section-4.2|target='_blank'] - based on information obtained 2018-07-19