!!! Overview
The [{$pagename}] field is intended to facilitate orderly changes in [Certificate] formats over time.

!! [RFC 5280] [X.509v3]
This field describes the [version] of the encoded [certificate] and uses Zero-Based Indexing. When [extensions|Certificate Extensions] are used, as expected in this profile, [version] [MUST] be 3 (value is 2). If no extensions are present, but a UniqueIdentifier is present, the [version] [SHOULD] be 2 (value is 1); however, the version [MAY] be 3. If only basic fields are present, the version [SHOULD] be 1 (the value is omitted from the certificate as the default value); however, the version [MAY] be 2 or 3.

Implementations [SHOULD] be prepared to accept any version certificate. At a minimum, conforming implementations [MUST] recognize [version] [3|X.509v3] certificates.

Generation of version 2 [certificates] is not expected by implementations based on this profile.

!! [X.509 Style Guide]
Version ::= INTEGER { v1(0), v2(1), v3(2) }

This field is used mainly for marketing purposes to claim that software is [X.509v3] compliant (even when it isn't). The default version is v1(0), if the [issuerUniqueID] or [subjectUniqueID] are present then the version must be v2(1) or v3(2). If extensions are present then the version must be v3(2). An implementation should target [v3|X.509v3] certificates, which is what everyone is moving towards.

Note that the version numbers are one less than the actual X.509 version because in the [ASN.1] world you start counting from 0, not 1 (although it's not necessary to use sequences of integers for version numbers. X.420, for example, is under the impression that 2 is followed by 22 rather than the more generally accepted 3).

If your software generates v1 certificates, it's a good idea to actually mark them as such and not just mark everything as v3 whether it is or not.
Although no standard actually forbids marking a v1 certificate as v3, backwards-compatibility (as well as truth-in-advertising) considerations would indicate that a v1 certificate should be marked as such.

!! [CCITT]/[ISO]
The initial [{$pagename}] number for certificates used in [PEM] is the [X.509] default which has a value of zero (0), indicating the 1988 version. [PEM] implementations are encouraged to accept later versions as they are endorsed by [CCITT]/[ISO].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [4.1.2.1 Version|https://tools.ietf.org/html/rfc5280#section-4.1.2.1|target='_blank'] - based on information obtained 2018-07-19
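
The version rules quoted on this page can be checked mechanically. The following is an added example, not code from RFC 5280 or the X.509 Style Guide: it walks a DER-encoded TBSCertificate and reports where the encoded version value disagrees with the optional fields that are present. The function names and the skeleton inputs built by sample() are assumptions constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; single-byte tags only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def check_version(tbs):
    """Return (encoded_version, problems) for a DER-encoded TBSCertificate."""
    tag, body, _ = read_tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    version, explicit, seen, pos = 0, False, set(), 0  # omitted field means v1(0)
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:  # [0] EXPLICIT Version wrapping an INTEGER
            version, explicit = int.from_bytes(read_tlv(val, 0)[1], "big"), True
        elif tag in (0x81, 0x82):  # [1]/[2] IMPLICIT issuerUniqueID / subjectUniqueID
            seen.add("uniqueID")
        elif tag == 0xA3:  # [3] EXPLICIT extensions
            seen.add("extensions")
    problems = []
    if version > 2:
        problems.append("unknown version value %d" % version)
    if explicit and version == 0:
        problems.append("v1(0) is the default and should be omitted")
    if "extensions" in seen and version != 2:
        problems.append("extensions present but version is not v3(2)")
    if "uniqueID" in seen and version == 0:
        problems.append("unique identifier present but version is v1(0)")
    return version, problems

def tlv(tag, value=b""):  # short-form DER encoder, used only to build the constructed samples
    return bytes([tag, len(value)]) + value

def sample(version=None, uid=False, ext=False):
    """Constructed TBSCertificate skeleton with empty placeholder fields (not a real certificate)."""
    parts = [] if version is None else [tlv(0xA0, tlv(0x02, bytes([version])))]
    parts += [tlv(0x02, b"\x01")] + [tlv(0x30)] * 5  # serial, then five empty SEQUENCEs
    parts += ([tlv(0x81, b"\x00\xAA")] if uid else []) + ([tlv(0xA3, tlv(0x30))] if ext else [])
    return tlv(0x30, b"".join(parts))
```

The returned number is the encoded value, so 2 means an X.509v3 certificate. A v2 or v3 value on a certificate with only basic fields is not flagged, since the profile allows it.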