Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs
Important
B.1. Defaults Reference
B.1.1. Authority Info Access Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Method_n |
Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. This is one of the following values:
|
LocationType_n | Specifies the general name type for the location that contains additional information about the CA that has issued the certificate. This is one of the following types:
|
Location_n |
Specifies the address or location to get additional information about the CA that has issued the certificate.
|
Enable_n | Specifies whether this location is enabled. Select true to mark this as set; select false to disable it. |
B.1.2. Authority Key Identifier Extension Default
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.3. Authentication Token Subject Name Default
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.4. Basic Constraints Extension Default
- Basic Constraints Extension Constraint; see Section B.2.1, “Basic Constraints Extension Constraint”.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
IsCA | Specifies whether the certificate subject is a CA. With true , the server checks the PathLen parameter and sets the specified path length in the certificate. With false , the server treats the certificate subject as a non-CA and ignores the value specified for the PathLen parameter. |
PathLen |
Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moves up.
The
maxPathLen parameter has no effect if the extension is set in end-entity certificates.
The permissible values are
0 or n. The value should be less than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate; only an end-entity certificate may follow in the path. n must be an integer greater than zero. It specifies the maximum number of subordinate CA certificates allowed below the subordinate CA certificate.
If the field is blank, the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that is one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.
|
B.1.5. CA Validity Default
- Validity Constraint; see Section B.2.14, “Validity Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
bypassCAnotafterrange | Sets the default value for whether a requesting CA can request a certificate whose validity period extends past the issuing CA's validity period. |
range | Specifies the absolute validity period for this certificate, in the number of days. |
startTime | Sets when the validity period begins, based on the current time. |
B.1.6. Certificate Policies Extension Default
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
numCertPolicies | Specifies the number of policies that can be defined. The default is 5 . |
enable | Select true to enable the policy; select false to disable the policy. |
policyId | Specifies the OID identifier for the policy. |
cpsURI.enable | The extension can include a URI to the issuer's Certificate Practice Statement. Select true to enable URI; select false to disable URI. |
CPSURI.value | This value is a pointer to a Certification Practice Statement (CPS) published by the CA. The pointer is in the form of a URI. |
usernotice.enable | The extension can include a URI to the issuer's Certificate Practice Statement or can embed issuer information, such as a user notice in text form. Select true to enable user notices; select false to disable the user notices. |
usernotice.noticeReference.noticeNumbers | This optional user notice parameter is a sequence of numbers that points to messages stored elsewhere. |
usernotice.noticeReference.organization | This optional user notice parameter specifies the name of the company. |
usernotice.explicitText.value | This optional user notice parameter contains the message within the certificate. |
B.1.7. CRL Distribution Points Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Type_n | Specifies the type of CRL distribution point. The permissible values are DirectoryName , URIName , or RelativeToIssuer . The type must correspond to the value in the Name field. |
Name_n |
Specifies the name of the CRL distribution point, the name can be in any of the following formats:
|
Reasons_n |
Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants:
|
IssuerType_n |
Specifies the naming type of the issuer that has signed the CRL maintained at the distribution point. The issuer name can be in any of the following formats:
|
IssuerName_n |
Specifies the name format of the CRL issuer that signed the CRL. The permissible values are as follows:
The value for this parameter must correspond to the value in the
issuerName field.
|
B.1.8. Extended Key Usage Extension Default
Usage | OID |
---|---|
Server authentication | 1.3.6.1.5.5.7.3.1 |
Client authentication | 1.3.6.1.5.5.7.3.2 |
Code signing | 1.3.6.1.5.5.7.3.3 |
1.3.6.1.5.5.7.3.4 | |
IPsec end system | 1.3.6.1.5.5.7.3.5 |
IPsec tunnel | 1.3.6.1.5.5.7.3.6 |
IPsec user | 1.3.6.1.5.5.7.3.7 |
Timestamping | 1.3.6.1.5.5.7.3.8 |
- Extended Key Usage Constraint; see Section B.2.3, “Extended Key Usage Extension Constraint”.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
OIDs | Specifies the OID that identifies a key-usage purpose. The permissible values are a unique, valid OID specified in the dot-separated numeric component notation. For example, 2.16.840.1.113730.1.99. Depending on the key-usage purposes, the OIDs can be designated by PKIX (listed in Table B.6, “PKIX Usage Definitions for the Extended Key Usage Extension”) or custom OIDs. Custom OIDs must be in the registered subtree of IDs reserved for the company's use. Although it is possible to use custom OIDs for evaluating and testing the Certificate System, in a production environment, comply with the ISO rules for defining OIDs and for registering subtrees of IDs. |
B.1.9. Freshest CRL Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
PointEnable_n | Select true to enable this point; select false to disable this point. |
PointType_n | Specifies the type of issuing point, either DirectoryName or URIName . |
PointName_n |
|
PointIssuerName_n |
Specifies the name of the issuer that has signed the CRL. The name can be in any of the following formats:
The name value must comply with the format specified in
PointType_ .
|
PointType_n | Specifies the general name type of the CRL issuer that signed the CRL. The permissible values are as follows:
PointIssuerName field. |
B.1.10. Generic Extension Default
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
genericExtOID | Specifies the extensions OID identifier. |
genericExtData | The binary data contained within the extension. |
B.1.11. Inhibit Any-Policy Extension Default
Parameter | Description |
---|---|
Critical | This policy must be marked as critical. Select true to mark this extension critical; select false to mark the extension noncritical. |
SkipCerts | This parameter indicate the number of additional certificates that may appear in the path before any-policy is no longer allowed. A value of 1 indicates that any-policy may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path. |
B.1.12. Issuer Alternative Name Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
issuerAltExtType | This sets the type of name extension to be used, which can be one of the following:
|
issuerAltExtPattern |
Specifies the request attribute value to include in the extension. The attribute value must conform to any of the supported general name types. The permissible value is a request attribute included in the certificate request.
If the server finds the attribute in the request, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Issuer Alternative Name extension to certificates. If no suitable attributes can be used from the request to form the issuerAlternativeName, then literal string can be used without any token expression. For example, Certificate Authority.
|
B.1.13. Key Usage Extension Default
- Key Usage Constraint; see Section B.2.6, “Key Usage Extension Constraint”.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
digitalSignature | Specifies whether to allow signing SSL client certificates and S/MIME signing certificates. Select true to set. |
nonRepudiation | Specifies whether to use for S/MIME signing certificates. Select true to set.
Warning
Using this bit is controversial. Carefully consider the legal consequences of its use before setting it for any certificate.
|
keyEncipherment | Specifies whether the public key in the subject is used to encipher private or secret keys. This is set for SSL server certificates and S/MIME encryption certificates. Select true to set. |
dataEncipherment | Specifies whether to set the extension when the subject's public key is used to encipher user data as opposed to key material. Select true to set. |
keyAgreement | Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to set. |
keyCertsign | Specifies whether the public key is used to verify the signature of other certificates. This setting is used for CA certificates. Select true to set the option. |
cRLSign | Specifies whether to set the extension for CA signing certificates that sign CRLs. Select true to set. |
encipherOnly | Specifies whether to set the extension if the public key is only for encrypting data while performing key agreement. If this bit is set, keyAgreement should also be set. Select true to set. |
decipherOnly | Specifies whether to set the extension if the public key is only for decrypting data while performing key agreement. If this bit is set, keyAgreement should also be set. Select true to set. |
B.1.14. Name Constraints Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
PermittedSubtreesn.min |
Specifies the minimum number of permitted subtrees.
|
PermittedSubtreesmax_n |
Specifies the maximum number of permitted subtrees.
|
PermittedSubtreeNameChoice_n | Specifies the general name type for the permitted subtree to include in the extension. The permissible values are as follows:
|
PermittedSubtreeNameValue_n |
Specifies the general name value for the permitted subtree to include in the extension.
|
PermittedSubtreeEnable_n | Select true to enable this permitted subtree entry. |
ExcludedSubtreesn.min |
Specifies the minimum number of excluded subtrees.
|
ExcludedSubtreeMax_n |
Specifies the maximum number of excluded subtrees.
|
ExcludedSubtreeNameChoice_n | Specifies the general name type for the excluded subtree to include in the extension. The permissible values are as follows:
|
ExcludedSubtreeNameValue_n |
Specifies the general name value for the permitted subtree to include in the extension.
|
ExcludedSubtreeEnable_n | Select true to enable this excluded subtree entry. |
B.1.15. Netscape Certificate Type Extension Default
Warning
B.1.16. Netscape Comment Extension Default
Warning
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
CommentContent | Specifies the content of the comment to appear in the certificate. |
B.1.17. No Default Extension
B.1.18. OCSP No Check Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
B.1.19. Policy Constraints Extension Default
ReqExplicitPolicy
and InhibitPolicyMapping
. PKIX standard requires that, if present in the certificate, the extension must never consist of a null sequence. At least one of the two specified fields must be present.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
reqExplicitPolicy |
Specifies the total number of certificates permitted in the path before an explicit policy is required. This is the number of CA certificates that can be chained below the subordinate CA certificate before an acceptable policy is required.
This number affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain. The parameter has no effect if the extension is set in end-entity certificates.
|
inhibitPolicyMapping |
Specifies the total number of certificates permitted in the path before policy mapping is no longer permitted.
|
B.1.20. Policy Mappers Extension Default
issuerDomainPolicy
and subjectDomainPolicy
. The pairing indicates that the issuing CA considers the issuerDomainPolicy
equivalent to the subjectDomainPolicy
of the subject CA. The issuing CA's users may accept an issuerDomainPolicy
for certain applications. The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
IssuerDomainPolicy_n | Specifies the OID assigned to the policy statement of the issuing CA to map with the policy statement of another CA. For example, 1.2.3.4.5. |
SubjectDomainPolicy_n | Specifies the OID assigned to the policy statement of the subject CA that corresponds to the policy statement of the issuing CA. For example, 6.7.8.9.10. |
B.1.21. Private Key Usage Period Extension Default
Parameter | Description |
---|---|
Critical | This extension should always be non-critical. |
puStartTime | This parameters sets the start time. The default value is 0 , which starts the validity period from the time the extension is activated. |
puDurationDays | This parameters sets the duration of the usage period. The default value is 365 , which sets the validity period to 365 days from the time the extension is activated. |
B.1.22. Signing Algorithm Default
- Signing Algorithm Constraint; see Section B.2.10, “Signing Algorithm Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
signingAlg | Specify the default signing algorithm to be used to create this certificate. An agent can override this value by specifying one of the values contained in the signingAlgsAllowed parameter. |
signingAlgsAllowed | Specify the signing algorithms that can be used for signing this certificate. The algorithms can be any or all of the following:
|
B.1.23. Subject Alternative Name Extension Default
ldapStringAttributes
and ldapByteAttributes
fields defined in the automated enrollment modules.
$request.
X$
token.
subjAltExtSource
parameter.
Example B.1. Default Subject Alternative Name Extension Configuration
policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requestor_email$ policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$ policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true policyset.serverCertSet.9.default.params.subjAltExtPattern_2=http://www.server.example.com policyset.serverCertSet.9.default.params.subjAltExtType_2=URIName policyset.serverCertSet.9.default.params.subjAltExtType_3=OtherName policyset.serverCertSet.9.default.params.subjAltExtPattern_3=(IA5String)1.2.3.4,$server.source$ policyset.serverCertSet.9.default.params.subjAltExtSource_3=UUID4 policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true policyset.serverCertSet.9.default.params.subjAltExtType_4=RFC822Name policyset.serverCertSet.9.default.params.subjAltExtGNEnable_4=false policyset.serverCertSet.9.default.params.subjAltExtPattern_4= policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false policyset.serverCertSet.9.default.params.subjAltNameNumGNs=5
Policy Set Token | Description |
---|---|
$request.auth_token.cn$ | The LDAP common name (cn ) attribute of the user who requested the certificate. |
$request.auth_token.mail$ | The value of the LDAP email (mail ) attribute of the user who requested the certificate. |
$request.auth_token.tokenCertSubject$ | The certificate subject name. |
$request.auth_token.uid$ | The LDAP user ID (uid ) attribute of the user who requested the certificate. |
$request.auth_token.user$ | |
$request.auth_token.userDN$ | The user DN of the user who requested the certificate. |
$request.auth_token.userid$ | The value of the user ID attribute for the user who requested the certificate. |
$request.uid$ | The value of the user ID attribute for the user who requested the certificate. |
$request.profileRemoteAddr$ | The IP address of the user making the request. This can be an IPv4 or an IPv6 address, depending on the client. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. |
$request.profileRemoteHost$ | The hostname or IP address of the user's machine. The hostname can be the fully-qualified domain name and the protocol, such as http://server.example.com . An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. |
$request.requestor_email$ | The email address of the person who submitted the request. |
$request.requestowner$ | The person who submitted the request. |
$request.subject$ | The subject name DN of the entity to which the certificate is issued. For example, uid=jsmith, e=jsmith@example.com. |
$request.tokencuid$ | The card unique ID (CUID) of the smart card token used for requesting the enrollment. |
$request.upn$ | The Microsoft UPN. This has the format (UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$. |
$server.source$ | Instructs the server to generate a version 4 UUID (random number) component in the subject name. This always has the format (IA5String)1.2.3.4,$server.source$. |
subjAltNameNumGNs
parameter controls how many of the listed attributes are required to be added to the certificate. This parameter must be added to custom profiles and may need to be modified in default profiles to include as many attributes as required. In Example B.1, “Default Subject Alternative Name Extension Configuration”, the subjAltNameNumGNs
is set to 5
to insert the RFC822Name
, DNSName
, URIName
, OtherName
, and RFC822Name
names (generic names _0
, _1
, _2
, _3
, and _4
).
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Pattern | Specifies the request attribute value to include in the extension. The attribute value must conform to any of the supported general name types. If the server finds the attribute in the request, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Subject Alternative Name extension to certificates. The permissible value is a request attribute included in the certificate request. For example, $request.requestor_email$. |
Type |
Specifies the general name type for the request attribute.
|
Source | Specifies an identification source or protocol to use to generate an ID. The only supported source is UUID4, which generates a random number to create the UUID. |
Number of Components (NumGNs) | Specifies the number of name components that must be included in the subject alternative name. |
B.1.24. Subject Directory Attributes Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Name | The attribute name; this can be any LDAP directory attribute, such as cn or mail . |
Pattern | Specifies the request attribute value to include in the extension. The attribute value must conform to the allowed values of the attribute. If the server finds the attribute, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Subject Directory Attributes extension to certificates. For example, $request.requestor_email$. |
Enable | Sets whether that attribute is able to be added to the certificate. Select true to enable the attribute. |
B.1.25. Subject Info Access Extension Default
Parameter | Description |
---|---|
Critical | This extension is supposed to be non-critical. |
subjInfoAccessNumADs | The number of information access sections included with the certificate. |
subjInfoAccessADMethod_n | OID of the access method. |
subjInfoAccessADMethod_n | Type of access method.
|
subjInfoAccessADLocation_n |
Location based on the type subjInfoAccessADMethod_n
i.e., a URL for URI Name.
|
subjInfoAccessADEnable_n | Select true to enable this extension; select false to disable this extension. |
B.1.26. Subject Key Identifier Extension Default
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.27. Subject Name Default
- Subject Name Constraint; see Section B.2.11, “Subject Name Constraint”.
- Unique Subject Name Constraint; see Section B.2.13, “Unique Subject Name Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Name | Specify the subject name for this certificate. |
Name
parameter with the "Subject Name" from the AuthToken as shown below.
policyset.userCertSet.1.default.class_id=subjectNameDefaultImpl policyset.userCertSet.1.default.name=Subject Name Default policyset.userCertSet.1.default.params.name=$request.auth_token.tokenCertSubject$
B.1.28. User Key Default
- Key Constraint; see Section B.2.5, “Key Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.29. User Signing Algorithm Default
- Signing Algorithm Constraint; see Section B.2.10, “Signing Algorithm Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.30. User Subject Name Default
- Subject Name Constraint; see Section B.2.11, “Subject Name Constraint”.
- Unique Subject Name Constraint; see Section B.2.13, “Unique Subject Name Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.31. User Validity Default
- Validity Constraint; see Section B.2.14, “Validity Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.32. User Supplied Extension Default
Warning
Note
userExtensionDefaultImpl
default, as shown in the example. The given OID is for the Basic Constraints Extension Constraint.
policyset.set1.p6.default.class_id=userExtensionDefaultImpl policyset.set1.p6.default.name=User Supplied Extension Default policyset.set1.p6.default.params.userExtOID=2.5.29.19
- If the OID of the extension is specified in both the certificate request and the default, then the extension is validated by the constraints and applied to the certificate.
- If an OID of an extension is given in the request but is not specified in the User Supplied Extension Default in the profile, then the user-specified extension is ignored, and the certificate is successfully enrolled without that extension.
- If this extension is set on a profile with a corresponding OID (Extension Constraint), then any certificate request processed through that profile must carry the specified extension or the request is rejected.
userExtOID
parameter is for the Extended Key Usage Extension.
Example B.2. User Supplied Extension Default for the Extended Key Usage Extension
policyset.set1.2.constraint.class_id=extendedKeyUsageExtConstraintImpl policyset.set1.2.constraint.name=Extended Key Usage Extension policyset.set1.2.constraint.params.exKeyUsageCritical=false policyset.set1.2.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 policyset.set1.2.default.class_id=userExtensionDefaultImpl policyset.set1.2.default.name=User Supplied Extension Default policyset.set1.2.default.params.userExtOID=2.5.29.37
Example B.3. Multiple User Supplied Extensions in CSR
- For Extended Key Usage Extension:
policyset.serverCertSet.2.constraint.class_id=extendedKeyUsageExtConstraintImpl policyset.serverCertSet.2.constraint.name=Extended Key Usage Extension policyset.serverCertSet.2.constraint.params.exKeyUsageCritical=false policyset.serverCertSet.2.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 policyset.serverCertSet.2.default.class_id=userExtensionDefaultImpl policyset.serverCertSet.2.default.name=User Supplied Extension Default policyset.serverCertSet.2.default.params.userExtOID=2.5.29.37
- For Key Usage Extension:By using the following format, you can apply a policy which parameter of the extension:
- Must exist in the CSR:
value = "true"
- Must not exist in the CSR:
value = "false"
- Is optional:
value = "-"
For example:policyset.serverCertSet.13.constraint.class_id=keyUsageExtConstraintImpl policyset.serverCertSet.13.constraint.name=Key Usage Extension Constraint policyset.serverCertSet.13.constraint.params.keyUsageCritical=- policyset.serverCertSet.13.constraint.params.keyUsageCrlSign=false policyset.serverCertSet.13.constraint.params.keyUsageDataEncipherment=- policyset.serverCertSet.13.constraint.params.keyUsageDecipherOnly=- policyset.serverCertSet.13.constraint.params.keyUsageDigitalSignature=- policyset.serverCertSet.13.constraint.params.keyUsageEncipherOnly=- policyset.serverCertSet.13.constraint.params.keyUsageKeyAgreement=true policyset.serverCertSet.13.constraint.params.keyUsageKeyCertSign=- policyset.serverCertSet.13.constraint.params.keyUsageKeyEncipherment=- policyset.serverCertSet.13.constraint.params.keyUsageNonRepudiation=- policyset.serverCertSet.13.default.class_id=userExtensionDefaultImpl policyset.serverCertSet.13.default.name=User Supplied Key Usage Extension policyset.serverCertSet.13.default.params.userExtOID=2.5.29.15
Note
certutil
to Create a CSR With User-defined Extensions”.
B.1.33. Validity Default
- Validity Constraint; see Section B.2.14, “Validity Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
range | Specifies the validity period for this certificate. |
startTime | Sets when the validity period begins, based on the current time. |