CA Certificates and Extension Interactions
Appendix
C
Certificate and CRL Extensions
369
A certificate chain generally consists of an entity certificate, zero or more
intermediate CA certificates, and a root CA certificate. Typically the root CA
certificate is self-signed and is loaded into Communicator's certificate database as a
trusted CA.
An exchange of certificates takes place when performing an SSL handshake, when
sending an S/MIME message, or when sending a signed object. As part of the
handshake, the sender is expected to send the subject certificate and any
intermediate CA certificates needed to link the subject certificate to the trusted
root. For certificate chaining to work properly the certificates should have the
following properties:
•
CA certificates must have either the
basicConstraints
extension, the
netscape-cert-type
extension with one or more CA bits set, or both, as
described above.
•
If CAs issue multiple certificates for the same identity, for example for separate
signing and encryption keys, they must include the
keyUsage
extension in the
subject certificates.
•
If CAs ever intend to generate new keys for their CA, they must add the
authorityKeyIdentifier
extension to all subject certificates. If the
key ID
is
anything other than the SHA-1 hash of the CA certificates
subjectPublicKeyInfo
field, then the CA certificate should contain the
subjectKeyIdentifier
extension. This will allow for a smooth transition
when the new issuing certificate becomes active.
Neither extension
The certificate is not a CA.
Both extensions
The certificate is a CA certificate if the
cA
component of
basicConstraints
is true. If one or more of the SSL CA
(5), S/MIME CA (6), or object-signing CA (7) bits are set in
the
netscape-cert-type
extension, then the CA will be
limited to issuing certificates for the specified application
areas; otherwise, the CA can issue certificates for any
application.
Extensions Present
Description
Содержание Certificate Management System 6.0
Страница 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...
Страница 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 126: ...ValidityConstraints Plug in Module 126 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 266: ...LdapSubjAttrMap Plug in Module 266 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 324: ...DNs in Certificate Management System 324 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 370: ...CA Certificates and Extension Interactions 370 Netscape Certificate Management System Plug Ins Guide March 2002...