Overview[1]#
The extensions defined for X.509v3 certificates provide methods for associating additional attributes with users or Public Keys and for managing relationships between Certificate Authorities.The X.509v3 certificate format also allows communities to define private extensions to carry information unique to those communities.
critical or non-critical#
Each Certificate Extensions in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
Certificate Extensions usage#
The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution ought to be exercised in adopting any critical extensions in certificates that might prevent use in a general context.Each extension includes an OID and an ASN.1 structure. When an Certificate Extensions appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue. A certificate MUST NOT include more than one instance of a particular extension.
For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1
). An extension includes the Boolean critical, with a default value of FALSE. The text for each extension specifies the acceptable values for the critical field for CAs conforming to this profile.
Conforming CAs MUST support Certificate Extensions:
- key identifiers -
- basic constraints (Section 4.2.1.9)
- KeyUsage (Section 4.2.1.3)
- Certificate Policies (Section 4.2.1.4))
If the CA issues certificates with an empty sequence for the Certificate Subject field, the Certificate Authority MUST support the Subject Alternative Name extension (Section 4.2.1.6).
Support for the remaining extensions is OPTIONAL. Conforming CAs MAY support extensions that are not identified within this specification; certificate issuers are cautioned that marking such extensions as critical may inhibit interoperability.
At a minimum, applications conforming to this profile MUST recognize the following extensions:
- KeyUsage (Section 4.2.1.3)
- Certificate Policies (Section 4.2.1.4)
- Subject Alternative Name (Section 4.2.1.)
- basicConstraints (Section 4.2.1.9)
- nameConstraints (Section 4.2.1.10)
- policyConstraints (Section 4.2.1.11)
- extendedKeyUsage (Section 4.2.1.12)
- inhibitAnyPolicy (Section 4.2.1.14).
In addition, applications conforming to this profile SHOULD recognize the authority and Subject Key IDentifier (Sections 4.2.1.1 and 4.2.1.2) and policy mappings (Section 4.2.1.5|https://tools.ietf.org/html/rfc5280#section-4.2.1.5]) extensions.
More Information#
There might be more information for this subject on one of the following:- AnyPolicy
- Authenticode
- AuthorityKeyIdentifier
- BasicConstraints
- Certificate
- Certificate Policies
- Certificate Version
- CodeSigning
- Example Certificate
- ExtendedKeyUsage
- InhibitAnyPolicy
- KeyUsage
- MsCodeCom
- MsCodeInd
- NameConstraints
- PKCS 6
- PolicyConstraints
- Subject Alternative Name
- SubjectKeyIdentifier
- TBSCertificate
- TrustAnchorInfo
- [#1] - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile - based on information obtained 2015-05-24
- [#2] - 4.1.1.9 Extensions - based on information obtained 2018-07-19
- [#3] - 4.1.2 Certificate Extensions - based on information obtained 2018-07-19