Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs
This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It provides recommendations for extensions to use with specific kinds of certificates, including PKIX Part 1 recommendations.
Important
This appendix is a reference for defaults, constraints, and certificate and CRL extensions that are used or are configurable in Red Hat Certificate System. For a complete reference and explanation of certificate and CRL extensions, see RFC 5280.
This appendix contains the following sections:
B.1. Defaults Reference
Defaults are used to define the contents of a certificate. This section lists and defines the predefined defaults.
B.1.1. Authority Info Access Extension Default
This default attaches the Authority Info Access extension. This extension specifies how an application validating a certificate can access information, such as online validation services and CA policy data, about the CA that has issued the certificate. This extension should not be used to point directly to the CRL location maintained by a CA; the CRL Distribution Points extension, Section B.1.8, “CRL Distribution Points Extension Default”, provides references to CRL locations.
For general information about this extension, see Section B.3.1, “authorityInfoAccess”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
This default can define up to five locations, with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Method_n |
Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. This is one of the following values:
|
LocationType_n | Specifies the general name type for the location that contains additional information about the CA that has issued the certificate. This is one of the following types:
|
Location_n |
Specifies the address or location to get additional information about the CA that has issued the certificate.
|
Enable_n | Specifies whether this location is enabled. Select true to mark this as set; select false to disable it. |
B.1.2. Authority Key Identifier Extension Default
This default attaches the Authority Key Identifier extension to the certificate. The extension identifies the public key that corresponds to the private key used by a CA to sign certificates. This default has no parameters. If used, this extension is included in the certificate with the public key information.
This default takes the following constraint:
- No Constraints; see Section B.2.8, “No Constraint”.
For general information about this extension, see Section B.3.2, “authorityKeyIdentifier”.
B.1.3. Authentication Token Subject Name Default
This profile default populates subject names based on the attribute values in the authentication token (AuthToken) object.
This default plug-in works with the directory-based authentication manager, SharedToken.
In addition, the directory-based authentication manager formulates the subject name of the issuing certificate. It forms the subject name by using the user's DN value from AuthToken.
This default is responsible for reading the subject name from the AuthToken and placing it in the certificate request so that the final certificate contains the subject name.
The following constraints can be defined with this default:
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.4. CMC User-signed Subject Name Default
This profile default populates subject names based on the CMC request signer's
subjectDN
. The following constraint must be used with this default:
CMCUserSignedSubjectNameConstraint
: See Section B.2.14, “CMC User-signed Subject Name Constraint”.
B.1.5. Basic Constraints Extension Default
This default attaches the Basic Constraint extension to the certificate. The extension identifies whether the Certificate Manager is a CA. The extension is also used during the certificate chain verification process to identify CA certificates and to apply certificate chain-path length constraints.
For general information about this extension, see Section B.3.3, “basicConstraints”.
The following constraints can be defined with this default:
- Basic Constraints Extension Constraint; see Section B.2.1, “Basic Constraints Extension Constraint”.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
IsCA | Specifies whether the certificate subject is a CA. With true , the server checks the PathLen parameter and sets the specified path length in the certificate. With false , the server treats the certificate subject as a non-CA and ignores the value specified for the PathLen parameter. |
PathLen |
Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moves up.
The
maxPathLen parameter has no effect if the extension is set in end-entity certificates.
The permissible values are
0 or n. The value should be less than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate; only an end-entity certificate may follow in the path. n must be an integer greater than zero. It specifies the maximum number of subordinate CA certificates allowed below the subordinate CA certificate.
If the field is blank, the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that is one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.
|
B.1.6. CA Validity Default
This default adds an option to a CA certificate enrollment or renewal profile to bypass the CA's signing certificate's expiration constraint. This means that the issued CA certificate can have an expiration date that is later than the issuing CA signing certificate expiration date.
The following constraints can be defined with this default:
- Validity Constraint; see Section B.2.15, “Validity Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
bypassCAnotafterrange | Sets the default value for whether a requesting CA can request a certificate whose validity period extends past the issuing CA's validity period. |
range | Specifies the absolute validity period for this certificate, in the number of days. |
startTime | Sets when the validity period begins, based on the current time. |
B.1.7. Certificate Policies Extension Default
This default attaches the Certificate Policy Mappings extension into the certificate template. This extension defines one or more policies, indicating the policy under which the certificate has been issued and the purposes for which the certificate may be used. This default defines up to five policies, but this can be value can be changed.
For general information about this extension, see Section B.3.4, “certificatePoliciesExt”
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
numCertPolicies | Specifies the number of policies that can be defined. The default is 5 . |
enable | Select true to enable the policy; select false to disable the policy. |
policyId | Specifies the OID identifier for the policy. |
cpsURI.enable | The extension can include a URI to the issuer's Certificate Practice Statement. Select true to enable URI; select false to disable URI. |
CPSURI.value | This value is a pointer to a Certification Practice Statement (CPS) published by the CA. The pointer is in the form of a URI. |
usernotice.enable | The extension can include a URI to the issuer's Certificate Practice Statement or can embed issuer information, such as a user notice in text form. Select true to enable user notices; select false to disable the user notices. |
usernotice.noticeReference.noticeNumbers | This optional user notice parameter is a sequence of numbers that points to messages stored elsewhere. |
usernotice.noticeReference.organization | This optional user notice parameter specifies the name of the company. |
usernotice.explicitText.value | This optional user notice parameter contains the message within the certificate. |
B.1.8. CRL Distribution Points Extension Default
This default attaches the CRL Distribution Points extension to the certificate. This extension identifies locations from which an application that is validating the certificate can obtain the CRL information to verify the revocation status of the certificate.
For general information about this extension, see Section B.3.5, “CRLDistributionPoints”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
This default defines up to five locations, with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Type_n | Specifies the type of CRL distribution point. The permissible values are DirectoryName , URIName , or RelativeToIssuer . The type must correspond to the value in the Name field. |
Name_n |
Specifies the name of the CRL distribution point, the name can be in any of the following formats:
|
Reasons_n |
Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants:
|
IssuerType_n |
Specifies the naming type of the issuer that has signed the CRL maintained at the distribution point. The issuer name can be in any of the following formats:
|
IssuerName_n |
Specifies the name format of the CRL issuer that signed the CRL. The permissible values are as follows:
The value for this parameter must correspond to the value in the
issuerName field.
|
B.1.9. Extended Key Usage Extension Default
This default attaches the Extended Key Usage extension to the certificate.
For general information about this extension, see Section B.3.6, “extKeyUsage”.
The extension identifies the purposes, in addition to the basic purposes indicated in the Key Usage extension, for which the certified public key may be used. For example, if the key usage extension identifies a signing key, the Extended Key Usage extension can narrow the usage of the key for only signing OCSP responses or only Java™ applets.
Usage | OID |
---|---|
Server authentication | 1.3.6.1.5.5.7.3.1 |
Client authentication | 1.3.6.1.5.5.7.3.2 |
Code signing | 1.3.6.1.5.5.7.3.3 |
1.3.6.1.5.5.7.3.4 | |
IPsec end system | 1.3.6.1.5.5.7.3.5 |
IPsec tunnel | 1.3.6.1.5.5.7.3.6 |
IPsec user | 1.3.6.1.5.5.7.3.7 |
Timestamping | 1.3.6.1.5.5.7.3.8 |
Windows 2000 can encrypt files on the hard disk, a feature known as encrypted file system (EFS), using certificates that contain the Extended Key Usage extension with the following two OIDs:
1.3.6.1.4.1.311.10.3.4 (EFS certificate)
1.3.6.1.4.1.311.10.3.4.1 (EFS recovery certificate)
The EFS recovery certificate is used by a recovery agent when a user loses the private key and the data encrypted with that key needs to be used. Certificate System supports these two OIDs and allows certificates to be issued containing the Extended Key Usage extension with these OIDs.
Normal user certificates should be created with only the EFS OID, not the recovery OID.
The following constraints can be defined with this default:
- Extended Key Usage Constraint; see Section B.2.3, “Extended Key Usage Extension Constraint”.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
OIDs | Specifies the OID that identifies a key-usage purpose. The permissible values are a unique, valid OID specified in the dot-separated numeric component notation. For example, 2.16.840.1.113730.1.99. Depending on the key-usage purposes, the OIDs can be designated by PKIX (listed in Table B.6, “PKIX Usage Definitions for the Extended Key Usage Extension”) or custom OIDs. Custom OIDs must be in the registered subtree of IDs reserved for the company's use. Although it is possible to use custom OIDs for evaluating and testing the Certificate System, in a production environment, comply with the ISO rules for defining OIDs and for registering subtrees of IDs. |
B.1.10. Freshest CRL Extension Default
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
This default defines five locations with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
PointEnable_n | Select true to enable this point; select false to disable this point. |
PointType_n | Specifies the type of issuing point, either DirectoryName or URIName . |
PointName_n |
|
PointIssuerName_n |
Specifies the name of the issuer that has signed the CRL. The name can be in any of the following formats:
The name value must comply with the format specified in
PointType_ .
|
PointType_n | Specifies the general name type of the CRL issuer that signed the CRL. The permissible values are as follows:
PointIssuerName field. |
B.1.11. Generic Extension Default
This extension allows for the creation of a generic extension with user determined data. The default ensures the generic extension is populated correctly.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
genericExtOID | Specifies the extensions OID identifier. |
genericExtData | The binary data contained within the extension. |
B.1.12. Inhibit Any-Policy Extension Default
The inhibit any-policy extension can be used for certificates issued to CAs. The inhibit any-policy indicates that the special anyPolicy OID, with the value { 2 5 29 32 0 }, is not considered an explicit match for other certificate policies.
Parameter | Description |
---|---|
Critical | This policy must be marked as critical. Select true to mark this extension critical; select false to mark the extension noncritical. |
SkipCerts | This parameter indicate the number of additional certificates that may appear in the path before any-policy is no longer allowed. A value of 1 indicates that any-policy may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path. |
B.1.13. Issuer Alternative Name Extension Default
This default attaches the Issuer Alternative Name extension to the certificate. The Issuer Alternative Name extension is used to associate Internet-style identities with the certificate issuer.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
This default defines five locations with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
issuerAltExtType | This sets the type of name extension to be used, which can be one of the following:
|
issuerAltExtPattern |
Specifies the request attribute value to include in the extension. The attribute value must conform to any of the supported general name types. The permissible value is a request attribute included in the certificate request.
If the server finds the attribute in the request, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Issuer Alternative Name extension to certificates. If no suitable attributes can be used from the request to form the issuerAlternativeName, then literal string can be used without any token expression. For example, Certificate Authority.
|
B.1.14. Key Usage Extension Default
This default attaches the Key Usage extension to the certificate. The extension specifies the purposes for which the key contained in a certificate should be used, such as data signing, key encryption, or data encryption, which restricts the usage of a key pair to predetermined purposes.
For general information about this extension, see Section B.3.8, “keyUsage”.
The following constraints can be defined with this default:
- Key Usage Constraint; see Section B.2.6, “Key Usage Extension Constraint”.
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
digitalSignature | Specifies whether to allow signing TLS client certificates and S/MIME signing certificates. Select true to set. |
nonRepudiation | Specifies whether to use for S/MIME signing certificates. Select true to set.
Warning
Using this bit is controversial. Carefully consider the legal consequences of its use before setting it for any certificate.
|
keyEncipherment | Specifies whether the public key in the subject is used to encipher private or secret keys. This is set for TLS server certificates and S/MIME encryption certificates. Select true to set. |
dataEncipherment | Specifies whether to set the extension when the subject's public key is used to encipher user data as opposed to key material. Select true to set. |
keyAgreement | Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to set. |
keyCertsign | Specifies whether the public key is used to verify the signature of other certificates. This setting is used for CA certificates. Select true to set the option. |
cRLSign | Specifies whether to set the extension for CA signing certificates that sign CRLs. Select true to set. |
encipherOnly | Specifies whether to set the extension if the public key is only for encrypting data while performing key agreement. If this bit is set, keyAgreement should also be set. Select true to set. |
decipherOnly | Specifies whether to set the extension if the public key is only for decrypting data while performing key agreement. If this bit is set, keyAgreement should also be set. Select true to set. |
B.1.15. Name Constraints Extension Default
This default attaches a Name Constraints extension to the certificate. The extension is used in CA certificates to indicate a name space within which the subject names or subject alternative names in subsequent certificates in a certificate chain should be located.
For general information about this extension, see Section B.3.9, “nameConstraints”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
This default defines up to five locations for both the permitted subtree and the excluded subtree and sets parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
PermittedSubtreesn.min |
Specifies the minimum number of permitted subtrees.
|
PermittedSubtreesmax_n |
Specifies the maximum number of permitted subtrees.
|
PermittedSubtreeNameChoice_n | Specifies the general name type for the permitted subtree to include in the extension. The permissible values are as follows:
|
PermittedSubtreeNameValue_n |
Specifies the general name value for the permitted subtree to include in the extension.
|
PermittedSubtreeEnable_n | Select true to enable this permitted subtree entry. |
ExcludedSubtreesn.min |
Specifies the minimum number of excluded subtrees.
|
ExcludedSubtreeMax_n |
Specifies the maximum number of excluded subtrees.
|
ExcludedSubtreeNameChoice_n | Specifies the general name type for the excluded subtree to include in the extension. The permissible values are as follows:
|
ExcludedSubtreeNameValue_n |
Specifies the general name value for the permitted subtree to include in the extension.
|
ExcludedSubtreeEnable_n | Select true to enable this excluded subtree entry. |
B.1.16. Netscape Certificate Type Extension Default
Warning
This extension is obsolete. Use the Key Usage or Extended Key Usage certificate extensions instead.
This default attaches a Netscape Certificate Type extension to the certificate. The extension identifies the certificate type, such as CA certificate, server TLS certificate, client TLS certificate, or S/MIME certificate. This restricts the usage of a certificate to predetermined purposes.
B.1.17. Netscape Comment Extension Default
Warning
This extension is obsolete.
This default attaches a Netscape Comment extension to the certificate. The extension can be used to include textual comments in certificates. Applications that are capable of interpreting the comment display it when the certificate is used or viewed.
For general information about this extension, see Section B.4.3.2, “netscape-comment”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
CommentContent | Specifies the content of the comment to appear in the certificate. |
B.1.18. No Default Extension
This default can be used to set constraints when no defaults are being used. This default has no settings and sets no defaults but does allow all of the constraints available to be set.
B.1.19. OCSP No Check Extension Default
This default attaches an OCSP No Check extension to the certificate. The extension, which should be used in OCSP responder certificates only, indicates how OCSP-compliant applications can verify the revocation status of the certificate an authorized OCSP responder uses to sign OCSP responses.
For general information about this extension, see Section B.3.10, “OCSPNocheck”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
B.1.20. Policy Constraints Extension Default
This default attaches a Policy Constraints extension to the certificate. The extension, which can be used in CA certificates only, constrains path validation in two ways: either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier. The default can specify both
ReqExplicitPolicy
and InhibitPolicyMapping
. PKIX standard requires that, if present in the certificate, the extension must never consist of a null sequence. At least one of the two specified fields must be present.
For general information about this extension, see Section B.3.11, “policyConstraints”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
reqExplicitPolicy |
Specifies the total number of certificates permitted in the path before an explicit policy is required. This is the number of CA certificates that can be chained below the subordinate CA certificate before an acceptable policy is required.
This number affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain. The parameter has no effect if the extension is set in end-entity certificates.
|
inhibitPolicyMapping |
Specifies the total number of certificates permitted in the path before policy mapping is no longer permitted.
|
B.1.21. Policy Mappers Extension Default
This default attaches a Policy Mappings extension to the certificate. The extension lists pairs of OIDs, each pair identifying two policy statements of two CAs. The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA. The extension may be useful in the context of cross-certification. If supported, the extension is included in CA certificates only. The default maps policy statements of one CA to that of another by pairing the OIDs assigned to their policy statements
Each pair is defined by two parameters,
issuerDomainPolicy
and subjectDomainPolicy
. The pairing indicates that the issuing CA considers the issuerDomainPolicy
equivalent to the subjectDomainPolicy
of the subject CA. The issuing CA's users may accept an issuerDomainPolicy
for certain applications. The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept.
For general information about this extension, see Section B.3.12, “policyMappings”.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
IssuerDomainPolicy_n | Specifies the OID assigned to the policy statement of the issuing CA to map with the policy statement of another CA. For example, 1.2.3.4.5. |
SubjectDomainPolicy_n | Specifies the OID assigned to the policy statement of the subject CA that corresponds to the policy statement of the issuing CA. For example, 6.7.8.9.10. |
B.1.22. Private Key Usage Period Extension Default
The Private Key Usage Period extension allows the certificate issuer to specify a different validity period for the private key than for the certificate itself. This extension is intended for use with digital signature keys.
Parameter | Description |
---|---|
Critical | This extension should always be non-critical. |
puStartTime | This parameters sets the start time. The default value is 0 , which starts the validity period from the time the extension is activated. |
puDurationDays | This parameters sets the duration of the usage period. The default value is 365 , which sets the validity period to 365 days from the time the extension is activated. |
B.1.23. Signing Algorithm Default
This default attaches a signing algorithm in the certificate request. This default presents an agent with the possible algorithms that can be used for signing the certificate.
The following constraints can be defined with this default:
- Signing Algorithm Constraint; see Section B.2.10, “Signing Algorithm Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
signingAlg | Specify the default signing algorithm to be used to create this certificate. An agent can override this value by specifying one of the values contained in the signingAlgsAllowed parameter. |
signingAlgsAllowed | Specify the signing algorithms that can be used for signing this certificate. The algorithms can be any or all of the following:
|
B.1.24. Subject Alternative Name Extension Default
This default attaches a Subject Alternative Name extension to the certificate. The extension binds additional identities, such as an email address, a DNS name, an IP address (both IPv4 and IPv6), or a URI, to the subject of the certificate. The standard requires that if the certificate subject field contains an empty sequence, then the Subject Alternative name extension must contain the subject's alternative name and that the extension be marked critical.
For any of the directory-based authentication methods, the Certificate System can retrieve values for any string and byte attributes and set them in the certificate request. These attributes are set by entering them in the
ldapStringAttributes
and ldapByteAttributes
fields defined in the automated enrollment modules.
If authenticated attributes — meaning attributes stored in an LDAP database — need to be part of this extension, use values from the
$request.
X$
token.
There is an additional attribute to insert a universally unique identifier (UUID) into the subject alt name. This option generates a random number for version 4 UUID; the pattern is defined by referencing the server which will generate the number in an additional
subjAltExtSource
parameter.
A basic Subject Alternative Name Extension default is configured in the example.
Example B.1. Default Subject Alternative Name Extension Configuration
policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$ policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$ policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true policyset.serverCertSet.9.default.params.subjAltExtPattern_2=http://www.server.example.com policyset.serverCertSet.9.default.params.subjAltExtType_2=URIName policyset.serverCertSet.9.default.params.subjAltExtType_3=OtherName policyset.serverCertSet.9.default.params.subjAltExtPattern_3=(IA5String)1.2.3.4,$server.source$ policyset.serverCertSet.9.default.params.subjAltExtSource_3=UUID4 policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true policyset.serverCertSet.9.default.params.subjAltExtType_4=RFC822Name policyset.serverCertSet.9.default.params.subjAltExtGNEnable_4=false policyset.serverCertSet.9.default.params.subjAltExtPattern_4= policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
The Subject Alternative Name extension default checks the certificate request for the profile attributes. If the request contains an attribute, the profile reads its value and sets it in the extension. It is also possible for the Subject Alternative Name extension default to insert attribute values from an LDAP directory, if LDAP-based authentication is configured. The extension added to the certificates contain all the configured attributes.
The variables that can be used with the Subject Alternative Name extension default are listed in Table B.20, “Variables to Insert Values in the Subject Alternative Name”.
Policy Set Token | Description |
---|---|
$request.auth_token.cn$ | The LDAP common name (cn ) attribute of the user who requested the certificate. |
$request.auth_token.mail$ | The value of the LDAP email (mail ) attribute of the user who requested the certificate. |
$request.auth_token.tokenCertSubject$ | The certificate subject name. |
$request.auth_token.uid$ | The LDAP user ID (uid ) attribute of the user who requested the certificate. |
$request.auth_token.user$ | |
$request.auth_token.userDN$ | The user DN of the user who requested the certificate. |
$request.auth_token.userid$ | The value of the user ID attribute for the user who requested the certificate. |
$request.uid$ | The value of the user ID attribute for the user who requested the certificate. |
$request.profileRemoteAddr$ | The IP address of the user making the request. This can be an IPv4 or an IPv6 address, depending on the client. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. |
$request.profileRemoteHost$ | The hostname or IP address of the user's machine. The hostname can be the fully-qualified domain name and the protocol, such as http://server.example.com . An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. |
$request.requestor_email$ | The email address of the person who submitted the request. |
$request.requestowner$ | The person who submitted the request. |
$request.subject$ | The subject name DN of the entity to which the certificate is issued. For example, uid=jsmith, e=jsmith@example.com. |
$request.tokencuid$ | The card unique ID (CUID) of the smart card token used for requesting the enrollment. |
$request.upn$ | The Microsoft UPN. This has the format (UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$. |
$server.source$ | Instructs the server to generate a version 4 UUID (random number) component in the subject name. This always has the format (IA5String)1.2.3.4,$server.source$. |
Multiple attributes can be set for a single extension. The
subjAltNameNumGNs
parameter controls how many of the listed attributes are required to be added to the certificate. This parameter must be added to custom profiles and may need modified in default profiles to include as many attributes as required. In Example B.1, “Default Subject Alternative Name Extension Configuration”, the subjAltNameNumGNs
is set to 3
to insert the RFC822Name
, DNSName
, and URIName
names (generic names _0
, _1
, and _2
).
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Pattern | Specifies the request attribute value to include in the extension. The attribute value must conform to any of the supported general name types. If the server finds the attribute in the request, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Subject Alternative Name extension to certificates. The permissible value is a request attribute included in the certificate request. For example, $request.requester_email$. |
Type |
Specifies the general name type for the request attribute.
|
Source | Specifies an identification source or protocol to use to generate an ID. The only supported source is UUID4, which generates a random number to create the UUID. |
Number of Components (NumGNs) | Specifies the number of name components that must be included in the subject alternative name. |
B.1.25. Subject Directory Attributes Extension Default
This default attaches a Subject Directory Attributes extension to the certificate. The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Critical | Select true to mark this extension critical; select false to mark the extension noncritical. |
Name | The attribute name; this can be any LDAP directory attribute, such as cn or mail . |
Pattern | Specifies the request attribute value to include in the extension. The attribute value must conform to the allowed values of the attribute. If the server finds the attribute, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Subject Directory Attributes extension to certificates. For example, $request.requester_email$. |
Enable | Sets whether that attribute is able to be added to the certificate. Select true to enable the attribute. |
B.1.26. Subject Info Access Extension Default
Implements an enrollment default policy that populates a Subject Information Access extension in the certificate template. This extension indicates how to access information and services for the subject of the certificate in which the extension appears.
Parameter | Description |
---|---|
Critical | This extension is supposed to be non-critical. |
subjInfoAccessNumADs | The number of information access sections included with the certificate. |
subjInfoAccessADMethod_n | OID of the access method. |
subjInfoAccessADMethod_n | Type of access method.
|
subjInfoAccessADLocation_n |
Location based on the type subjInfoAccessADMethod_n
i.e., a URL for URI Name.
|
subjInfoAccessADEnable_n | Select true to enable this extension; select false to disable this extension. |
B.1.27. Subject Key Identifier Extension Default
This default attaches a Subject Key Identifier extension to the certificate. The extension identifies certificates that contain a particular public key, which identifies a certificate from among several that have the same subject name.
For general information about this extension, see Section B.3.16, “subjectKeyIdentifier”.
If enabled, the profile adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist. If the extension exists in the request, such as a CRMF request, the default replaces the extension. After an agent approves the manual enrollment request, the profile accepts any Subject Key Identifier Extension that is already there.
This default has no parameters. If used, this extension is included in the certificate with the public key information.
The following constraints can be defined with this default:
- Extension Constraint; see Section B.2.4, “Extension Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.28. Subject Name Default
This default attaches a server-side configurable subject name to the certificate request. A static subject name is used as the subject name in the certificate.
The following constraints can be defined with this default:
- Subject Name Constraint; see Section B.2.11, “Subject Name Constraint”.
- Unique Subject Name Constraint; see Section B.2.13, “Unique Subject Name Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
Name | Specify the subject name for this certificate. |
If you need to get a certificate subject name that uses the DNPATTERN value from the UidPwdDirAuth plugin, then configure the profile to use the Subject Name Default plugin and substitute the
Name
parameter with the "Subject Name" from the AuthToken as shown below.
policyset.userCertSet.1.default.class_id=subjectNameDefaultImpl policyset.userCertSet.1.default.name=Subject Name Default policyset.userCertSet.1.default.params.name=$request.auth_token.tokenCertSubject$
B.1.29. User Key Default
This default attaches a user-supplied key into the certificate request. This is a required default. Keys are part of the enrollment request.
The following constraints can be defined with this default:
- Key Constraint; see Section B.2.5, “Key Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.30. User Signing Algorithm Default
This default implements an enrollment default profile that populates a user-supplied signing algorithm in the certificate request. If included in the certificate profile, this allows a user to choose a signing algorithm for the certificate, subject to the constraint set.
No inputs are provided to add signing algorithm choices to the enrollment form, but it is possible to submit a request that contains this information.
The following constraints can be defined with this default:
- Signing Algorithm Constraint; see Section B.2.10, “Signing Algorithm Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.31. User Subject Name Default
This default attaches a user-supplied subject name to the certificate request. If included in the certificate profile, it allows a user to supply a subject name for the certificate, subject to the constraints set. This extension preserves the subject name that is specified in the original certificate request when the certificate is issued.
The following constraints can be defined with this default:
- Subject Name Constraint; see Section B.2.11, “Subject Name Constraint”.
- Unique Subject Name Constraint; see Section B.2.13, “Unique Subject Name Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.32. User Validity Default
This default attaches a user-supplied validity to the certificate request. If included in the certificate profile, it allows a user to supply the validity period, subject to the constraints set. This default profile preserves that user-defined validity period in the original certificate request when the certificate is issued.
No inputs are provided to add user-supplied validity date to the enrollment form, but it is possible to submit a request that contains this information.
The following constraints can be defined with this default:
- Validity Constraint; see Section B.2.15, “Validity Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
B.1.33. User Supplied Extension Default
The User Supplied Extension Default class populates a certificate with any certificate extension defined by the user in the certificate request. This requires users to submit certificate requests which meet certain standards or give certain information because the profile can require specific extensions before enrolling a certificate.
Warning
Be exceptionally cautious about setting this extension default, since it allows users to specify an extension in the certificate request. If this default is used, then Red Hat strongly recommends using a constraint corresponding to the extension to minimize any possible abuse of the User Supplied Extension Default.
The user-defined extension is validated against whatever constraint is set, so it is possible to restrict the kind of extension (through the Extension Constraint) or to set rules for the key and other basic constraints, such as whether this is a CA certificate.
The CA handles an enrollment with the User Supplied Extension Default in one of three ways:
- If the OID of the extension is specified in both the certificate request and the default, then the extension is validated by the constraints and applied to the certificate.
- If an OID of an extension is given in the request but is not specified in the User Supplied Extension Default in the profile, then the user-specified extension is ignored, and the certificate is successfully enrolled without that extension.
- If this extension is set on a profile with a corresponding OID (Extension Constraint), then any certificate request processed through that profile must carry the specified extension or the request is rejected.
A certificate request that contains the user-defined extensions must be submitted to the profile. The certificate enrollment forms, however, do not have any input fields for users to add user-supplied extensions. Submitting a certificate request without supplying the extension fails.
Example B.2, “User Supplied Extension Default for the Extended Key Usage Extension” adds the User Supplied Extension Default to a profile with the Extended Key Usage Constraint. The OID specified in the
userExtOID
parameter is for the Extended Key Usage Extension.
Example B.2. User Supplied Extension Default for the Extended Key Usage Extension
policyset.set1.2.constraint.class_id=extendedKeyUsageExtConstraintImpl policyset.set1.2.constraint.name=Extended Key Usage Extension policyset.set1.2.constraint.params.exKeyUsageCritical=false policyset.set1.2.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 policyset.set1.2.default.class_id=userExtensionDefaultImpl policyset.set1.2.default.name=User Supplied Extension Default policyset.set1.2.default.params.userExtOID=2.5.29.37
In Example B.2, “User Supplied Extension Default for the Extended Key Usage Extension”, although the User Supplied Extension Default allows a user to specify the Extended Key Usage Extension (2.5.29.37), the constraint limits the user request to only the TLS client authentication (1.3.6.1.5.5.7.3.2) and email protection (1.3.6.1.5.5.7.3.4) uses.
Editing profiles is described in the section called Creating and Editing Certificate Profiles Directly on the File System in Red Hat Certificate System Planning, Installation and Deployment Guide.
Example B.3. Multiple User Supplied Extensions in CSR
The RHCS enrollment profile framework allows to define multiple User Supplied Extensions in the same profile. For example, a combination of the following can be specified.
- For Extended Key Usage Extension:
policyset.serverCertSet.2.constraint.class_id=extendedKeyUsageExtConstraintImpl policyset.serverCertSet.2.constraint.name=Extended Key Usage Extension policyset.serverCertSet.2.constraint.params.exKeyUsageCritical=false policyset.serverCertSet.2.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 policyset.serverCertSet.2.default.class_id=userExtensionDefaultImpl policyset.serverCertSet.2.default.name=User Supplied Extension Default policyset.serverCertSet.2.default.params.userExtOID=2.5.29.37
- For Key Usage Extension:By using the following format, you can apply a policy which parameter of the extension:
- Must exist in the CSR:
value = "true"
- Must not exist in the CSR:
value = "false"
- Is optional:
value = "-"
For example:policyset.serverCertSet.13.constraint.class_id=keyUsageExtConstraintImpl policyset.serverCertSet.13.constraint.name=Key Usage Extension Constraint policyset.serverCertSet.13.constraint.params.keyUsageCritical=- policyset.serverCertSet.13.constraint.params.keyUsageCrlSign=false policyset.serverCertSet.13.constraint.params.keyUsageDataEncipherment=- policyset.serverCertSet.13.constraint.params.keyUsageDecipherOnly=- policyset.serverCertSet.13.constraint.params.keyUsageDigitalSignature=- policyset.serverCertSet.13.constraint.params.keyUsageEncipherOnly=- policyset.serverCertSet.13.constraint.params.keyUsageKeyAgreement=true policyset.serverCertSet.13.constraint.params.keyUsageKeyCertSign=- policyset.serverCertSet.13.constraint.params.keyUsageKeyEncipherment=- policyset.serverCertSet.13.constraint.params.keyUsageNonRepudiation=- policyset.serverCertSet.13.default.class_id=userExtensionDefaultImpl policyset.serverCertSet.13.default.name=User Supplied Key Usage Extension policyset.serverCertSet.13.default.params.userExtOID=2.5.29.15
Note
For an example on how to create a CSR with user-defined extensions attributes, see Section 5.2.1.2, “Using
certutil
to Create a CSR With User-defined Extensions”.
B.1.34. Validity Default
This default attaches a server-side configurable validity period into the certificate request.
The following constraints can be defined with this default:
- Validity Constraint; see Section B.2.15, “Validity Constraint”.
- No Constraints; see Section B.2.8, “No Constraint”.
Parameter | Description |
---|---|
range | Specifies the validity period for this certificate. |
startTime | Sets when the validity period begins, based on the current time. |