This topic provides a detailed list of which certificate fields are checked by PKI Services Manager, and what requirements must be met for a certificate to be accepted as valid.
The following version 1 fields MUST all contain valid data.
Field |
Validation information for this field and its attributes |
---|---|
Version |
Version 3 is required for user or server certificates. The version accepted for CA certificates is configurable (on the AllowVers1 keyword), but by default version 1 certificates are rejected. pane or using the |
Serial number |
Used in combination with Issuer to identify this certificate for revocation checking. |
Issuer |
Used to build the chain of trust for this certificate. -and- Used in combination with Serial number to identify this certificate for revocation checking. |
Subject |
The CN attribute is used to determine the identity of the entity presenting this certificate. (Note: In some certificates, the Subject Alternate Name extension is used as an alternate method of specifying identity.) |
Valid from Valid to |
Used to determine if the certificate is within the valid time period. |
Signature algorithm Signature hash algorithm |
Provides information required to decrypt the certificate's signature. |
Public key |
Used to decrypt the digital signatures provided by the certificate owner. |
Certificate Authority (CA) certificates must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
Field |
Validation information for this field and its attributes |
---|---|
Basic Constraints |
MUST be set as a critical extension. Subject type MUST be set to CA. Path Length Constraint is not required. If present, it will be used to check the length of the chain. |
Key Usage |
MUST be present. May be set as a critical extension. MUST include Certificate signing. May also include CRL signing, Off-line CRL Signing, Digital Signature. (These attributes may be required if the CA server also issues CRLs or OCSP responses.) |
Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up and down the chain of trust. |
Certificates used to authenticate SSL, TLS, and FTPS servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
Field |
Validation information for this field and its attributes |
---|---|
Key Usage |
May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored. |
Extended Key Usage (Enhanced Key Usage is an equivalent name.) |
May be present, but not required. If present: MUST include Server authentication. |
Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
Subject Alternative Name |
Not required. May be used to determine alternate names for the server presenting the certificate using either the dNSName or iPAddress attributes. |
Certificates used to authenticate Secure Shell (SSH) and SFTP servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
Field |
Validation information for this field and its attributes |
---|---|
Key Usage |
May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored. |
Extended Key Usage (Enhanced Key Usage is an equivalent name.) |
|
Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
Subject Alternative Name |
Not required. May be used to determine alternate names for the server presenting the certificate using either the dNSName or iPAddress attributes. |
Certificates used to authenticate client users must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
Field |
Validation information for this field and its attributes |
---|---|
Key Usage |
May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored. |
Extended Key Usage (Enhanced Key Usage is an equivalent name.) |
|
Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
Subject Alternative Name |
Not required. May be used to determine alternate names for the user presenting the certificate using the rfc822Name or otherName attributes. |