The certificate profile described in this subcomponent can be overridden by the requirements stated in the relevant CP.
The certificates issued in accordance with this CPS SHOULD follow RFC 2459 and the PKIX certificate profile.
Certificates issued under this CPS are X.509 version 3 certificates. The version field in certificates MUST be set to 0x2 to indicate this.
This CPS allows the use of the extensions defined in the PKIX RFCs and some major vendor extensions. A typical certificate SHOULD populate the following extensions:
keyUsage, marked CRITICAL:
For CA certificates the bits digitalSignature, nonRepudiation, keyCertSign and cRLSign SHOULD be set to one.
For personal certificates the bits digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment SHOULD be set to one.
For server certificates the bits digitalSignature and nonRepudiation SHOULD be set to one.
subjectKeyIdentifier: the unique identifier of the subject key, according to RFC 2459.
authorityKeyIdentifier: the unique identifier of the issuer key, according to RFC 2459.
subjectAltName: SHOULD contain the e-mail address of the subject, when provided. This extension is mandatory for certificates indicating S/MIME key usage.
In server certificates the subjectAltName SHOULD contain the server's DNS name(s).
cRLDistributionPoints: the URI of the current CRL.
certificatePolicies: the OID of the relevant CP, without any qualifiers.
The CESNET CA issues certificates using the following algorithms (the first two are signature algorithms, the last two are subject public key algorithms):
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 } (md5WithRSAEncryption, 1.2.840.113549.1.1.4)
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 } (sha1WithRSAEncryption, 1.2.840.113549.1.1.5)
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } (as written this is the pkcs-1 arc 1.2.840.113549.1.1 itself; the rsaEncryption algorithm OID is { pkcs-1(1) 1 }, i.e. 1.2.840.113549.1.1.1)
{ iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 } (dhpublicnumber, 1.2.840.10046.2.1)
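As an added illustration, not part of the CPS and not CESNET's own tooling, the following pure-Python code (no third-party packages) encodes and decodes the two DER structures this profile describes: the keyUsage BIT STRING for the three certificate types listed above, and the OBJECT IDENTIFIERs of the algorithm list. The names KEY_USAGE_BITS, PROFILE_KEY_USAGE, ALGORITHM_OIDS and the functions are the example's own; the OID-to-name mapping comes from PKCS #1 and ANSI X9.42, and the third entry is assumed to mean rsaEncryption (1.2.840.113549.1.1.1), which is not what the CPS text literally says.

```python
"""Added example (not CESNET's own tooling): DER encoding and decoding of the
keyUsage BIT STRING and of the algorithm OIDs named in this certificate
profile, in pure Python with no third-party packages."""

KEY_USAGE_BITS = [  # bit positions as defined in RFC 2459 section 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# keyUsage bits the CPS says SHOULD be set, per certificate type.
PROFILE_KEY_USAGE = {
    "ca": {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"},
    "personal": {"digitalSignature", "nonRepudiation",
                 "keyEncipherment", "dataEncipherment"},
    "server": {"digitalSignature", "nonRepudiation"},
}

# Algorithm OIDs from the CPS list in dotted form (rsaEncryption is the
# assumed intent of the third entry; names from PKCS #1 and ANSI X9.42).
ALGORITHM_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10046.2.1": "dhpublicnumber",
}


def der_tlv(tag, body):
    """Wrap body in a DER tag-length-value triple with a minimal definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def der_body(der, expected_tag):
    """Return the body of one DER TLV after checking its tag and length."""
    if not der or der[0] != expected_tag:
        raise ValueError("unexpected tag")
    first = der[1]
    if first < 0x80:
        n, start = first, 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(der[2:2 + k], "big"), 2 + k
    body = der[start:start + n]
    if len(body) != n:
        raise ValueError("truncated value")
    return body


def encode_key_usage(names):
    """Encode a set of keyUsage names as a DER BIT STRING.

    keyUsage is a NamedBitList, so DER drops trailing zero bits: a CA
    certificate of this profile encodes as 03 02 01 C6 (one unused bit), a
    server certificate as 03 02 06 C0 (six unused bits)."""
    unknown = set(names) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError("unknown keyUsage bit(s): %s" % sorted(unknown))
    bits = [1 if name in names else 0 for name in KEY_USAGE_BITS]
    while bits and bits[-1] == 0:
        bits.pop()
    nbytes = (len(bits) + 7) // 8
    unused = nbytes * 8 - len(bits)
    value = 0
    for i, bit in enumerate(bits):
        if bit:
            value |= 1 << (nbytes * 8 - 1 - i)   # bit 0 is the MSB of byte 0
    return der_tlv(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))


def decode_key_usage(der):
    """Decode a DER keyUsage BIT STRING into the set of names whose bit is 1."""
    body = der_body(der, 0x03)
    unused, data = body[0], body[1:]
    if unused > 7 or (not data and unused):
        raise ValueError("malformed BIT STRING")
    nbits = len(data) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if data[i // 8] & (0x80 >> (i % 8))}


def missing_key_usage(profile, der):
    """Bits the CPS requires for this profile that are not set in the DER value."""
    return PROFILE_KEY_USAGE[profile] - decode_key_usage(der)


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER into dotted form."""
    body = der_body(der, 0x06)
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    lead = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [lead, arcs[0] - lead * 40] + arcs[1:])


def algorithm_name(der_oid):
    """Map an AlgorithmIdentifier OID to its name in the CPS list, if present."""
    return ALGORITHM_OIDS.get(decode_oid(der_oid), "not in CPS list")


if __name__ == "__main__":
    for profile, names in PROFILE_KEY_USAGE.items():
        print(profile, encode_key_usage(names).hex())
    for dotted, name in ALGORITHM_OIDS.items():
        print(encode_oid(dotted).hex(), name)
```

When auditing a certificate against this profile, `missing_key_usage` run on the raw keyUsage extension value reports the bits that are required but absent, and `algorithm_name` on the signatureAlgorithm OID tells you which entry of the list was used; a result of md5WithRSAEncryption deserves a flag, since MD5-based signatures are no longer considered acceptable.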
No stipulation.
The certificates issued under this CPS SHOULD populate the certificatePolicies extension with the OID of the relevant CP, without any qualifiers.
No stipulation.
The certificates issued under this CPS SHOULD NOT use policy qualifiers.
CRLs issued by the CESNET CA are X.509 version 1 CRLs; this is indicated by omitting the version field from the CRL.
No CRL or CRL entry extensions are used.