B.3. Standard X.509 v3 Certificate Extension Reference
An X.509 v3 certificate contains an extension field that permits any number of additional fields to be added to the certificate. Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates. Older Netscape servers, such as Red Hat Directory Server and Red Hat Certificate System, that were developed before PKIX part 1 standards were defined require Netscape-specific extensions.
The following is an example of the section of a certificate containing X.509 v3 extensions. The Certificate System can display certificates in readable pretty-print format, as shown here. As in this example, certificate extensions appear in sequence and only one instance of a particular extension may appear per certificate; for example, a certificate may contain only one subject key identifier extension. Certificates that support these extensions have the version 0x2 (which corresponds to version 3).
Example B.4. Sample Pretty-Print Certificate Extensions

    Data:
        Version: v3
        Serial Number: 0x1
        Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
        Issuer: CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US
        Validity:
            Not Before: Friday, February 21, 2005 12:00:00 AM PST America/Los_Angeles
            Not  After: Monday, February 21, 2007 12:00:00 AM PST America/Los_Angeles
        Subject: CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US
        Subject Public Key Info:
            Algorithm: RSA - 1.2.840.113549.1.1.1
            Public Key:
                Exponent: 65537
                Public Key Modulus: (2048 bits) :
                    E4:71:2A:CE:E4:24:DC:C4:AB:DF:A3:2E:80:42:0B:D9:
                    CF:90:BE:88:4A:5C:C5:B3:73:BF:49:4D:77:31:8A:88:
                    15:A7:56:5F:E4:93:68:83:00:BB:4F:C0:47:03:67:F1:
                    30:79:43:08:1C:28:A8:97:70:40:CA:64:FA:9E:42:DF:
                    35:3D:0E:75:C6:B9:F2:47:0B:D5:CE:24:DD:0A:F7:84:
                    4E:FA:16:29:3B:91:D3:EE:24:E9:AF:F6:A1:49:E1:96:
                    70:DE:6F:B2:BE:3A:07:1A:0B:FD:FE:2F:75:FD:F9:FC:
                    63:69:36:B6:5B:09:C6:84:92:17:9C:3E:64:C3:C4:C9
        Extensions:
            Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1
                Critical: no
                Certificate Usage:
                    SSL CA
                    Secure Email CA
                    ObjectSigning CA
            Identifier: Basic Constraints - 2.5.29.19
                Critical: yes
                Is CA: yes
                Path Length Constraint: UNLIMITED
            Identifier: Subject Key Identifier - 2.5.29.14
                Critical: no
                Key Identifier:
                    3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79:
                    9C:37:85:84
            Identifier: Authority Key Identifier - 2.5.29.35
                Critical: no
                Key Identifier:
                    3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79:
                    9C:37:85:84
            Identifier: Key Usage: - 2.5.29.15
                Critical: yes
                Key Usage:
                    Digital Signature
                    Key CertSign
                    Crl Sign
    Signature:
        Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
        Signature:
            AA:96:65:3D:10:FA:C7:0B:74:38:2D:93:54:32:C0:5B:
            2F:18:93:E9:7C:32:E6:A4:4F:4E:38:93:61:83:3A:6A:
            A2:11:91:C2:D2:A3:48:07:6C:07:54:A8:B8:42:0E:B4:
            E4:AE:42:B4:B5:36:24:46:4F:83:61:64:13:69:03:DF:
            41:88:0B:CB:39:57:8C:6B:9F:52:7E:26:F9:24:5E:E7:
            BC:FB:FD:93:13:AF:24:3A:8F:DB:E3:DC:C9:F9:1F:67:
            A8:BD:0B:95:84:9D:EB:FC:02:95:A0:49:2C:05:D4:B0:
            35:EA:A6:80:30:20:FF:B1:85:C8:4B:74:D9:DC:BB:50
An object identifier (OID) is a string of numbers identifying a unique object, such as a certificate extension or a company's certificate practice statement. The Certificate System comes with a set of extension-specific profile plug-in modules which enable X.509 certificate extensions to be added to the certificates the server issues. Some of the extensions contain fields for specifying OIDs.
The PKIX standard recommends that all objects, such as extensions and statements, that are used in certificates be included in the form of an OID. This promotes interoperability between organizations on a shared network. If certificates will be issued that will be used on shared networks, register the OID prefixes with the appropriate registration authority.
OIDs are controlled by the International Standards Organization (ISO) registration authority. In some cases, this authority is delegated by ISO to regional registration authorities. In the United States, the American National Standards Institute (ANSI) manages this registration.
Using an OID registered to another organization or failing to register an OID may carry legal consequences, depending on the situation. Registration may be subject to fees. For more information, contact the appropriate registration authority.
To define or assign OIDs for custom objects, know the company's arc, an OID for a private enterprise. If the company does not have an arc, it needs to get one. The website http://www.alvestrand.no/objectid/ has more information on registering and using OIDs.
For example, the Netscape-defined OID for an extension named Netscape Certificate Comment is 2.16.840.1.113730.1.13. The OID assigned to this extension is hierarchical and includes the former Netscape company arc, 2.16.840.1. The OID definition entry is http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html.
If an OID extension exists in a certificate and is marked critical, the application validating the certificate must be able to interpret the extension, including any optional qualifiers, or it must reject the certificate. Since it is unlikely that all applications will be able to interpret a company's custom extensions embedded in the form of OIDs, the PKIX standard recommends that such extensions always be marked noncritical.
This section summarizes the extension types defined as part of the Internet X.509 version 3 standard and indicates which types are recommended by the PKIX working group.
This reference summarizes important information about each certificate extension. For complete details, see both the X.509 v3 standard, available from the ITU, and Internet X.509 Public Key Infrastructure - Certificate and CRL Profile (RFC 3280). The descriptions of extensions reference the RFC and section number of the standard draft that discusses the extension; the object identifier (OID) for each extension is also provided.
Each extension in a certificate can be designated as critical or noncritical. A certificate-using system, such as a web browser, must reject the certificate if it encounters a critical extension it does not recognize; however, a noncritical extension can be ignored if it is not recognized.
B.3.1. authorityInfoAccess
The Authority Information Access extension indicates how and where to access information about the issuer of the certificate. The extension contains an accessMethod and an accessLocation field. accessMethod specifies by OID the type and format of information about the issuer named in accessLocation.
PKIX Part 1 defines one accessMethod (id-ad-caIssuers) to get a list of CAs that have issued certificates higher in the CA chain than the issuer of the certificate using the extension. The accessLocation field then typically contains a URL indicating the location and protocol (LDAP, HTTP, or FTP) used to retrieve the list.
The Online Certificate Status Protocol (RFC 2560) defines an accessMethod (id-ad-ocsp) for using OCSP to verify certificates. The accessLocation field then contains a URL indicating the location and protocol used to access an OCSP responder that can validate the certificate.
OID
1.3.6.1.5.5.7.1.1
Criticality
This extension must be noncritical.
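The rules stated in the introduction to this reference (one instance of each extension per certificate, an unrecognized critical extension forces rejection) and the accessMethod/accessLocation structure of this extension, which must stay noncritical, can be exercised with a small DER encoder and decoder. The following is an added example written for this page, not code from Red Hat Certificate System: the extension OIDs are the ones given in the text, the id-ad-ocsp and id-ad-caIssuers access-method OIDs come from RFC 2560 and PKIX Part 1, and the URLs, the comment string and the set of extensions the relying party "recognizes" are constructed placeholders.

```python
# Added example (not Red Hat Certificate System code): DER encode/decode of the X.509 v3 Extensions field.
from collections import namedtuple

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_IA5STRING, TAG_SEQUENCE = 1, 4, 6, 0x16, 0x30
TAG_GN_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (IMPLICIT IA5String), context-specific primitive
OID_AIA = "1.3.6.1.5.5.7.1.1"              # Authority Information Access (OID given in the text)
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_NS_COMMENT = "2.16.840.1.113730.1.13"  # Netscape Certificate Comment (OID given in the text)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp accessMethod, RFC 2560
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers accessMethod, PKIX Part 1
Extension = namedtuple("Extension", "oid critical value")  # value: DER carried inside the extnValue OCTET STRING

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with DER length octets: short form below 128, long form above."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, offset just past this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted: str) -> bytes:
    """First two arcs packed into one octet; later arcs base-128 with the high bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(TAG_OID, bytes(out))

def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs, val = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def encode_extension(ext: Extension) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }; DER omits the default."""
    crit = tlv(TAG_BOOLEAN, b"\xff") if ext.critical else b""
    return tlv(TAG_SEQUENCE, encode_oid(ext.oid) + crit + tlv(TAG_OCTET_STRING, ext.value))

def encode_aia(access: list[tuple[str, str]]) -> bytes:
    """SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName (here always a URI) }."""
    descs = [tlv(TAG_SEQUENCE, encode_oid(m) + tlv(TAG_GN_URI, loc.encode("ascii"))) for m, loc in access]
    return tlv(TAG_SEQUENCE, b"".join(descs))

def decode_extensions(der: bytes) -> list[Extension]:
    tag, seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        _, body, pos = read_tlv(seq, pos)
        _, oid_c, p = read_tlv(body, 0)
        tag, c, p = read_tlv(body, p)
        critical = tag == TAG_BOOLEAN and c != b"\x00"
        c = read_tlv(body, p)[1] if tag == TAG_BOOLEAN else c  # extnValue follows an explicit 'critical'
        exts.append(Extension(decode_oid(oid_c), critical, c))
    return exts

def decode_aia(value: bytes) -> list[tuple[str, str]]:
    _, seq, _ = read_tlv(value, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)
        _, method, p = read_tlv(desc, 0)
        gn_tag, loc, _ = read_tlv(desc, p)
        out.append((decode_oid(method), loc.decode("ascii") if gn_tag == TAG_GN_URI else loc.hex()))
    return out

RECOGNIZED = {OID_AIA, OID_BASIC_CONSTRAINTS, "2.5.29.14", "2.5.29.35", "2.5.29.15"}  # hypothetical relying party

def check_extensions(exts: list[Extension]) -> list[str]:
    """One instance per type, unrecognized critical => reject, AIA must be noncritical; [] means accept."""
    problems, seen = [], set()
    for e in exts:
        if e.oid in seen:
            problems.append(f"duplicate extension {e.oid}")
        seen.add(e.oid)
        if e.critical and e.oid not in RECOGNIZED:
            problems.append(f"unrecognized critical extension {e.oid}: reject certificate")
        if e.critical and e.oid == OID_AIA:
            problems.append("authorityInfoAccess is critical but must be noncritical")
    return problems

# Constructed sample input; the URLs are placeholders, not real services.
SAMPLE_ACCESS = [(OID_AD_OCSP, "http://ocsp.example.test/"),
                 (OID_AD_CA_ISSUERS, "http://ca.example.test/cacert.crt")]

def sample_extensions(aia_critical: bool, comment_critical: bool) -> bytes:
    ca_true = tlv(TAG_SEQUENCE, tlv(TAG_BOOLEAN, b"\xff"))  # BasicConstraints { cA TRUE }
    exts = [Extension(OID_BASIC_CONSTRAINTS, True, ca_true),
            Extension(OID_AIA, aia_critical, encode_aia(SAMPLE_ACCESS)),
            Extension(OID_NS_COMMENT, comment_critical, tlv(TAG_IA5STRING, b"test comment"))]
    return tlv(TAG_SEQUENCE, b"".join(encode_extension(e) for e in exts))
```

Running check_extensions over decode_extensions(sample_extensions(False, False)) returns an empty list; with both flags set to True it reports the critical AIA and the critical, unrecognized Netscape comment, which is exactly the case in which a relying party that does not understand the private extension has to reject the certificate.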
B.3.2. authorityKeyIdentifier
The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate. This extension is useful when an issuer has multiple signing keys, such as when a CA certificate is renewed.
The extension consists of one or both of the following:
- An explicit key identifier, set in the keyIdentifier field
- An issuer, set in the authorityCertIssuer field, and serial number, set in the authorityCertSerialNumber field, identifying a certificate
If the keyIdentifier field exists, it is used to select the certificate with a matching subjectKeyIdentifier extension. If the authorityCertIssuer and authorityCertSerialNumber fields are present, then they are used to identify the correct certificate by issuer and serialNumber.
If this extension is not present, then the issuer name alone is used to identify the issuer certificate.
PKIX Part 1 requires this extension for all CA certificates and recommends it for all other certificates.
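The selection order just described can be written as a small chain-building helper. The following is an added example for this page, not Certificate System code; it models certificates as plain Python objects instead of parsing DER, and the renewed CA and the end-entity certificates (subject names, serial numbers, the second key identifier) are constructed sample values, the first key identifier being the one shown in Example B.4.

```python
# Added example (not Red Hat Certificate System code): picking the issuer certificate
# with the Authority Key Identifier, in the order this section describes.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: Optional[bytes] = None          # subjectKeyIdentifier extension, if present
    aki_key_id: Optional[bytes] = None   # AKI keyIdentifier field
    aki_issuer: Optional[str] = None     # AKI authorityCertIssuer field
    aki_serial: Optional[int] = None     # AKI authorityCertSerialNumber field

def issuer_candidates(cert: Cert, store: list[Cert]) -> list[Cert]:
    """Certificates in `store` that can have issued `cert`.  Name chaining always applies;
    the AKI then narrows the set: keyIdentifier first, then authorityCertIssuer plus
    authorityCertSerialNumber, and with no AKI at all the issuer name alone decides."""
    by_name = [c for c in store if c.subject == cert.issuer]
    if cert.aki_key_id is not None:
        return [c for c in by_name if c.ski == cert.aki_key_id]
    if cert.aki_issuer is not None and cert.aki_serial is not None:
        return [c for c in by_name if c.issuer == cert.aki_issuer and c.serial == cert.aki_serial]
    return by_name

# Constructed sample: a self-signed CA renewed with a new key pair, so two CA certificates
# share one subject name, the situation the text says this extension is for.
CA_DN = "CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US"
OLD_KEY_ID = bytes.fromhex("3b46838527bcf59d8e63e3be79efaf799c378584")  # key identifier from Example B.4
NEW_KEY_ID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9001122334")  # constructed placeholder
CA_OLD = Cert(CA_DN, CA_DN, 1, ski=OLD_KEY_ID, aki_key_id=OLD_KEY_ID)
CA_NEW = Cert(CA_DN, CA_DN, 2, ski=NEW_KEY_ID, aki_key_id=NEW_KEY_ID)
STORE = [CA_OLD, CA_NEW]

# End-entity certificates exercising each branch (constructed names and serials).
EE_BY_KEY_ID = Cert("CN=www.example.test", CA_DN, 1001, aki_key_id=NEW_KEY_ID)
EE_BY_ISSUER_SERIAL = Cert("CN=mail.example.test", CA_DN, 1002, aki_issuer=CA_DN, aki_serial=1)
EE_NO_AKI = Cert("CN=legacy.example.test", CA_DN, 1003)               # name alone: ambiguous after renewal
EE_UNKNOWN_KEY = Cert("CN=stale.example.test", CA_DN, 1004, aki_key_id=bytes(20))  # issuer not in store

if __name__ == "__main__":
    for ee in (EE_BY_KEY_ID, EE_BY_ISSUER_SERIAL, EE_NO_AKI, EE_UNKNOWN_KEY):
        print(ee.subject, "->", [c.serial for c in issuer_candidates(ee, STORE)])
```

The function returns a list rather than a single certificate on purpose: without an AKI, a renewed CA leaves two name-matching candidates, and a path builder then has to try the signature against each, whereas a keyIdentifier match or an issuer-plus-serial match narrows the result to one certificate, or to none when the issuing CA certificate has not been installed.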