7. CERTIFICATE AND CRL PROFILES

7.1. Certificate Profile

The certificate profile described in this subcomponent can be overridden by the requirements stated in the relevant CP.

Certificates issued in accordance with this CPS SHOULD follow the PKIX certificate and CRL profile defined in RFC 3280.

7.1.1. Version number(s)

Certificates issued under this CPS are X.509 version 3 certificates. The version field in certificates MUST be set to 0x2 to indicate this.

7.1.2. Certificate extensions

This CPS allows the use of the extensions defined in the PKIX RFCs and of some major vendor extensions. A typical certificate SHOULD populate the following extensions:

7.1.2.1. Basic Constraints

CRITICAL

The cA flag is set to TRUE in CA certificates.

7.1.2.2. Key Usage

CRITICAL

For CA certificates the bits keyCertSign and cRLSign SHOULD be set to one.

For personal certificates the keyUsage extension is set according to the relevant CP.

For server certificates the keyUsage extension is set according to the relevant CP.

7.1.2.3. Subject Key Identifier

Unique identifier of the subject key according to RFC 3280.

The subjectKeyIdentifier extension is non-critical.

7.1.2.4. Authority Key Identifier

Unique identifier of the issuer key according to RFC 3280.

The authorityKeyIdentifier extension is non-critical.

7.1.2.5. Subject Alternative Name

The subjectAltName extension SHOULD contain names provided by the subscriber in the formats specified in RFC 3280.

The subjectAltName extension is non-critical.

7.1.2.6. CRL Distribution Points

The URIs from which the current CRL can be retrieved.

The cRLDistributionPoints extension is non-critical.

7.1.2.7. Certificate Policies

The OID of the relevant CP without any qualifiers.

The certificatePolicies extension is non-critical.

7.1.3. Algorithm object identifiers

The CESNET CA issues certificates using the following algorithms:

7.1.3.1. Signature algorithms

sha1WithRSAEncryption
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

7.1.3.2. Subject public key algorithms

rsaEncryption
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
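The following Python is an added example (not part of this CPS and not CESNET CA software) showing what 7.1.1 through 7.1.3 look like on the wire: the two algorithm OIDs encoded as DER, the keyUsage BIT STRING built from named bits and decoded again, and a check of a certificate's extension list against the criticality and content rules of 7.1.2. The extension OIDs are the RFC 3280 id-ce values; the sample extension lists are constructed, and the end-entity check for cA=TRUE goes slightly beyond the text (RFC 3280 forbids it, the CPS only states the CA case).

```python
"""Helpers for checking a certificate against the profile in sections 7.1.1-7.1.3.
Added example, not part of the CPS or CESNET CA software.  Extension and
algorithm OIDs are the RFC 3280/3279 values; sample extension lists are constructed."""

# id-ce extension OIDs (RFC 3280)
ID_CE_SKI = "2.5.29.14"    # subjectKeyIdentifier
ID_CE_KU = "2.5.29.15"     # keyUsage
ID_CE_SAN = "2.5.29.17"    # subjectAltName
ID_CE_BC = "2.5.29.19"     # basicConstraints
ID_CE_CRLDP = "2.5.29.31"  # cRLDistributionPoints
ID_CE_CP = "2.5.29.32"     # certificatePolicies
ID_CE_AKI = "2.5.29.35"    # authorityKeyIdentifier

# Algorithm OIDs listed in 7.1.3
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption

# Criticality required by 7.1.2 for each listed extension
PROFILE_CRITICALITY = {
    ID_CE_BC: True, ID_CE_KU: True, ID_CE_SKI: False, ID_CE_AKI: False,
    ID_CE_SAN: False, ID_CE_CRLDP: False, ID_CE_CP: False,
}

KEY_USAGE_BITS = {  # KeyUsage named bits (RFC 3280 section 4.2.1.3)
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06): arcs 1 and 2 merge into 40*a+b, the remaining
    arcs are base-128 with the continuation bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_key_usage(names):
    """DER BIT STRING (tag 0x03) for KeyUsage.  Bit 0 is the most significant bit of the
    first content byte; DER drops trailing zero bits, so the unused-bits octet is derived
    from the highest set bit (keyCertSign+cRLSign encodes as 03 02 01 06)."""
    positions = sorted(KEY_USAGE_BITS[n] for n in names)
    nbits = positions[-1] + 1 if positions else 0
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for pos in positions:
        value[pos // 8] |= 0x80 >> (pos % 8)
    return b"\x03" + _der_len(nbytes + 1) + bytes([nbytes * 8 - nbits]) + bytes(value)


def parse_key_usage(der):
    """Inverse of der_key_usage: return the set of named bits that are set."""
    if der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    unused, value = der[2], der[3:3 + der[1] - 1]
    nbits = len(value) * 8 - unused
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < nbits and value[pos // 8] & (0x80 >> (pos % 8))}


def check_cert_profile(extensions, is_ca):
    """extensions: list of (dotted_oid, critical, value); value is the cA flag for
    basicConstraints, the DER BIT STRING for keyUsage, and is not inspected otherwise.
    Returns the list of deviations from 7.1.2 (empty means conformant)."""
    findings = []
    by_oid = {oid: (crit, val) for oid, crit, val in extensions}
    for oid, want in PROFILE_CRITICALITY.items():
        if oid not in by_oid:
            findings.append(f"extension {oid} not populated (profile says SHOULD)")
        elif by_oid[oid][0] != want:
            findings.append(f"extension {oid} critical={by_oid[oid][0]}, profile requires {want}")
    if ID_CE_BC in by_oid:
        ca_flag = by_oid[ID_CE_BC][1]
        if is_ca and ca_flag is not True:
            findings.append("CA certificate without cA=TRUE in basicConstraints")
        if not is_ca and ca_flag:
            findings.append("end-entity certificate with cA=TRUE in basicConstraints")
    if is_ca and ID_CE_KU in by_oid:
        missing = {"keyCertSign", "cRLSign"} - parse_key_usage(by_oid[ID_CE_KU][1])
        if missing:
            findings.append(f"CA keyUsage lacks {sorted(missing)}")
    return findings


# Constructed sample extension lists (identifier/name values are not inspected, so left empty)
_OPAQUE = [(ID_CE_SKI, False, b""), (ID_CE_AKI, False, b""), (ID_CE_SAN, False, b""),
           (ID_CE_CRLDP, False, b""), (ID_CE_CP, False, b"")]
CA_EXTENSIONS = [(ID_CE_BC, True, True),
                 (ID_CE_KU, True, der_key_usage(["keyCertSign", "cRLSign"]))] + _OPAQUE
BAD_EE_EXTENSIONS = [(ID_CE_BC, True, True),      # cA=TRUE on an end-entity certificate
                     (ID_CE_KU, False, der_key_usage(["digitalSignature", "keyEncipherment"]))
                     ] + _OPAQUE                  # keyUsage wrongly marked non-critical

if __name__ == "__main__":
    print(der_oid(SHA1_WITH_RSA).hex())            # 06092a864886f70d010105
    print(check_cert_profile(CA_EXTENSIONS, is_ca=True))       # []
    print(check_cert_profile(BAD_EE_EXTENSIONS, is_ca=False))  # two findings
```

The sha1WithRSAEncryption encoding is reproduced because 7.1.3 lists it; as an editorial caveat, SHA-1 signatures have since been deprecated and current relying parties reject them, so a present-day profile would list sha256WithRSAEncryption (1.2.840.113549.1.1.11) instead.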

7.1.4. Name forms

See Section 3.1.1.

7.1.5. Name constraints

No stipulation.

7.1.6. Certificate policy Object Identifier

The certificates issued under this CPS SHOULD populate the certificatePolicies extension with the OID of the relevant CP without any qualifiers.

7.1.7. Usage of Policy Constraints extension

No stipulation.

7.1.8. Policy qualifiers syntax and semantics

The certificates issued under this CPS SHOULD NOT use the policy qualifiers.

7.1.9. Processing semantics for the critical certificate policy extension

No stipulation.

7.2. CRL Profile

7.2.1. Version number(s)

CRLs issued by the CESNET CA are X.509 version 2 CRLs. This is indicated by setting the version field of the CRL to the value 1.

7.2.2. CRL and CRL entry extensions

The following CRL and CRL entry extensions are used:

7.2.2.1. Authority Key Identifier

Unique identifier of the issuer key according to RFC 3280.

The authorityKeyIdentifier extension is non-critical.

7.2.2.2. CRL Number

Monotonically increasing sequence number for each CRL issued by the CA according to RFC 3280.

The cRLNumber extension is non-critical.

7.2.2.3. CRL Reason Code

The revocation reason code as specified in RFC 3280.

The reasonCode CRL entry extension is non-critical.
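As an added example (not part of this CPS and not CESNET CA software), the following Python checks a series of CRLs against section 7.2: the version field must decode to 1, the cRLNumber must strictly increase from one issue to the next, an authorityKeyIdentifier must be present, and every reasonCode must be one of the CRLReason values RFC 3280 actually assigns (value 7 is unassigned). The DER INTEGER and ENUMERATED fragments below are constructed, and the check also rejects non-minimal integer encodings, which DER forbids.

```python
"""Checks for CPS section 7.2 over a series of CRLs in issuance order.
Added example, not part of the CPS or CESNET CA software; the DER fragments
used as sample input are constructed."""

CRL_REASONS = {  # CRLReason ENUMERATED values from RFC 3280; 7 is deliberately unassigned
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
    4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
    8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise",
}


def der_read(der, want_tag):
    """Read a single DER TLV with the expected tag and return its content bytes.
    Handles short- and long-form lengths and rejects trailing or missing bytes."""
    if not der or der[0] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}")
    length, pos = der[1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        pos += n
    if pos + length != len(der):
        raise ValueError("length does not match buffer")
    return der[pos:pos + length]


def der_integer(der, tag=0x02):
    """Decode a DER INTEGER (tag 0x02) or ENUMERATED (tag 0x0a).  DER requires the
    minimal two's-complement encoding, so a redundant leading 0x00 or 0xFF is an error."""
    body = der_read(der, tag)
    if not body:
        raise ValueError("empty INTEGER")
    if len(body) > 1 and ((body[0] == 0x00 and not body[1] & 0x80) or
                          (body[0] == 0xFF and body[1] & 0x80)):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big", signed=True)


def check_crl_series(crls):
    """crls: list of dicts in issuance order with 'version' and 'crl_number' (DER INTEGER
    bytes), 'has_aki' (bool) and 'reasons' (list of DER ENUMERATED bytes from the
    reasonCode entry extensions).  Returns the list of deviations from 7.2."""
    findings = []
    prev = None
    for i, crl in enumerate(crls):
        version = der_integer(crl["version"])
        if version != 1:
            findings.append(f"CRL {i}: version field {version}, profile requires 1 (X.509 v2)")
        if not crl["has_aki"]:
            findings.append(f"CRL {i}: authorityKeyIdentifier missing")
        number = der_integer(crl["crl_number"])
        if number < 0:
            findings.append(f"CRL {i}: negative cRLNumber {number}")
        if prev is not None and number <= prev:
            findings.append(f"CRL {i}: cRLNumber {number} does not increase over {prev}")
        prev = number
        for code in crl["reasons"]:
            value = der_integer(code, tag=0x0A)
            if value not in CRL_REASONS:
                findings.append(f"CRL {i}: reasonCode {value} is not an assigned CRLReason")
    return findings


# Constructed sample: three consecutive CRLs.  128 needs a leading 0x00 in DER
# because 0x80 alone would be read as -128.
SAMPLE_CRLS = [
    {"version": b"\x02\x01\x01", "crl_number": b"\x02\x01\x7f", "has_aki": True,
     "reasons": [b"\x0a\x01\x01", b"\x0a\x01\x04"]},        # keyCompromise, superseded
    {"version": b"\x02\x01\x01", "crl_number": b"\x02\x02\x00\x80", "has_aki": True,
     "reasons": [b"\x0a\x01\x07"]},                          # 7 is unassigned
    {"version": b"\x02\x01\x00", "crl_number": b"\x02\x02\x00\x80", "has_aki": False,
     "reasons": [b"\x0a\x01\x0a"]},                          # v1, repeated number, no AKI
]

if __name__ == "__main__":
    for finding in check_crl_series(SAMPLE_CRLS):
        print(finding)                                       # four findings
```

A relying party that caches CRLs can use the cRLNumber comparison to detect a replayed or rolled-back CRL; the version and reasonCode checks catch profile violations at issuance time.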