Mandatory Fields
| Serial Number | |
| Issuer DN | |
| Validity | |
| Subject DN | |
| Subject Public Key Info | Contains key algorithm, size and info. |
Certificate Extensions
| Basic Contraints | Critical | If CA or not. |
| Authority Key Identifier | Hash of CA public key. | |
| Subject Key Identifier | Hash of public key. | |
| Authority Information Access | Contains URL to OCSP and CA certificate. | |
| CRL Distribution Points | URL to CRL. | |
| Certificate Policies | Organization OID for their certificate policy.. | |
| Key Usage | Critical | Key usage attribute derived from Extended Key Usage. |
| Extended Key Usage | Typical values are from RFC 5280. | |
| Subject Alternative Names | Their are different SAN: DNS (for web servers), email (S-MIME) and UPN (Windows login). |
RFC 5280
https://tools.ietf.org/html/rfc5280#section-4.2.1.3
Key Usage:
- digitalSignature -
- nonRepudiation -
- keyEncipherment - "subject public key (e.g. RSA) is used for enciphering private or secret keys"
- dataEncipherment - "NOTE that the use of this bit is extremely uncommon"
- keyAgreement - "subject public key is used for key agreement (Diffie-Hellman key)"
- keyCertSign - "If set then CA bit in the basic constraints extension MUST also be set"
- cRLSign -
Extended Key Usage:
- serverAuth - Key Usage may be: digitalSignature, keyEncipherment or keyAgreement
- clientAuth - Key Usage may be: digitalSignature and/or keyAgreement
- codeSigning - Key Usage may be: digitalSignature
- emailProtection - Key Usage may be: digitalSignature, nonRepudiation, and/or (keyEncipherment or keyAgreement)
- timeStamping - Key Usage may be: digitalSignature and/or nonRepudiation
- OCSPSigning - Key Usage may be: digitalSignature and/or nonRepudiation
EJBCA CE ROOT CA
Basic Constraints - CRITICAL
CA:TRUE
Path Length Constraint: Unlimited
Authority Key ID
Subject Key ID
Key Usage - CRITICAL:
digitalSignature
keyCertSign
cRLSign
Extended Key Usage:
-
Dogtag caCert
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/caCert.profile
Basic Constraints - CRITICAL
CA:TRUE
Path Length Constraint: Unlimited
Authority Key ID
Subject Key ID
Key Usage - CRITICAL:
digitalSignature
nonRepudiation
keyCertSign
cRLSign
Extended Key Usage:
-
EJBCA CE SERVER
Basic Constraints - CRITICAL
Authority Key ID
Subject Key ID
Key Usage - CRITICAL:
digitalSignature
keyEncipherment
Extended Key Usage:
serverAuth
Dogtag rsaServerCert
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/rsaServerCert.profile
Authority Key ID
Key Usage - CRITICAL:
digitalSignature
dataEncipherment
keyEncipherment
Extended Key Usage:
serverAuth
EJBCA CE END USER
Basic Constraints - CRITICAL
Authority Key ID
Subject Key ID
Key Usage - Critical:
digitalSignature
nonRepudiation
keyEncipherment
Extended Key Usage:
clientAuth
emailProtection
Dogtag rsaSubsystemCert
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/rsaSubsystemCert.profile
Authority Key ID
Key Usage - Critical:
digitalSignature
nonRepudiation
dataEncipherment
keyEncipherment
Extended Key Usage:
clientAuth
EJBCA CE OCSP
Basic Constraints - CRITICAL
Authority Key ID
Subject Key ID
Key Usage - CRITICAL:
digitalSignature
Extended Key Usage:
OCSPSigning
OCSP No Check
Dogtag caOCSPCert
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/caOCSPCert.profile
Basic Constraints - CRITICAL
Authority Key ID
Subject Key ID
Key Usage:
-
Extended Key Usage:
OCSPSigning
com.netscape.cms.profile.def.OCSPNoCheckExtDefault