The certificate profile described in this subcomponent can be overridden by the requirements stated in the relevant CP.
The certificates issued in accordance with this CPS SHOULD follow RFC 3280 and the PKIX profiles.
Certificates issued under this CPS are X.509 version 3 certificates. The version field in certificates MUST be set to 0x2 to indicate this.
This CPS allows the use of the extensions defined in the PKIX RFCs and some major vendor extensions. A typical certificate SHOULD populate the following extensions:
keyUsage (critical). For CA certificates the bits keyCertSign and cRLSign SHOULD be set to one. For personal certificates the keyUsage extension is set according to the relevant CP. For server certificates the keyUsage extension is set according to the relevant CP.
subjectKeyIdentifier (non-critical). Unique identifier of the subject key according to RFC 3280.
authorityKeyIdentifier (non-critical). Unique identifier of the issuer key according to RFC 3280.
subjectAltName (non-critical). SHOULD contain the names provided by the subscriber in the formats specified in RFC 3280.
cRLDistributionPoints (non-critical). URIs of the current CRL.
The CESNET CA issues certificates using the following signature algorithm: sha-1WithRSAEncryption. See Section 3.1.1.
The certificates issued under this CPS SHOULD populate the certificatePolicies extension with the OID of the relevant CP without any qualifiers. The certificates issued under this CPS SHOULD NOT use policy qualifiers.
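The certificate profile above, as an added example that is not part of this CPS and not CESNET CA tooling: a small checker that reads the raw version field out of the DER encoding (X.509 version numbers are zero-based, so version 3 is encoded as the INTEGER 2 inside a [0] EXPLICIT tag) and then verifies the criticality of each listed extension and the no-qualifiers rule on certificatePolicies, run against a self-signed CA certificate built to the profile. It assumes the python-cryptography library; the policy OID 2.999.1 (from the ISO/ITU-T example arc), the CRL URL, the CA name and the serial numbers are placeholders, not CESNET values. It signs with SHA-256 rather than the sha-1WithRSAEncryption named above, since SHA-1 certificate signatures are no longer accepted by current verifiers, and it adds basicConstraints, which the list above omits but RFC 3280 requires on CA certificates.

```python
"""Profile conformance check for the certificate profile above. Added example, not CESNET CA
tooling; needs python-cryptography. Policy OID, CRL URL, CA name and serials are placeholders."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

POLICY_OID = x509.ObjectIdentifier("2.999.1")        # placeholder CP OID (2.999 is the example arc)
CRL_URL = "http://crl.example.invalid/ca.crl"         # placeholder CRL distribution point

def _tlv(buf, off):
    """Parse one DER tag/length header; return (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                 # long-form length: next n bytes hold it
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def certificate_version_field(der):
    """Raw value of the [0] EXPLICIT version INTEGER opening TBSCertificate (None for a v1 cert)."""
    _, off, _ = _tlv(der, 0)                          # outer Certificate SEQUENCE
    _, off, _ = _tlv(der, off)                        # TBSCertificate SEQUENCE
    tag, off, _ = _tlv(der, off)
    if tag != 0xA0:                                   # no [0] wrapper: version absent, i.e. v1
        return None
    tag, off, end = _tlv(der, off)
    return int.from_bytes(der[off:end], "big") if tag == 0x02 else None

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None

def check_certificate_profile(cert, ca):
    """Deviations from the profile ([] means the certificate conforms)."""
    problems = []
    if certificate_version_field(cert.public_bytes(Encoding.DER)) != 2:
        problems.append("version field is not 0x2 (X.509 v3)")
    ku = _ext(cert, x509.KeyUsage)
    if ku is None:
        problems.append("keyUsage missing")
    else:
        if not ku.critical:
            problems.append("keyUsage is not critical")
        if ca and not (ku.value.key_cert_sign and ku.value.crl_sign):
            problems.append("CA keyUsage lacks keyCertSign/cRLSign")
    for cls in (x509.SubjectKeyIdentifier, x509.AuthorityKeyIdentifier,
                x509.SubjectAlternativeName, x509.CRLDistributionPoints):
        ext = _ext(cert, cls)
        if ext is None and cls is not x509.SubjectAlternativeName:   # SAN carries subscriber names only
            problems.append(f"{cls.__name__} missing")
        elif ext is not None and ext.critical:
            problems.append(f"{cls.__name__} must be non-critical")
    policies = _ext(cert, x509.CertificatePolicies)
    if policies is None:
        problems.append("certificatePolicies missing")
    else:
        problems += [f"policy {p.policy_identifier.dotted_string} has qualifiers"
                     for p in policies.value if p.policy_qualifiers]
    return problems

def build_ca_certificate(key, key_usage_critical=True, qualifiers=None):
    """Self-signed CA certificate laid out per the profile; the keyword arguments only serve
    to build deliberately non-conforming certificates."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    now, pub = datetime.datetime.now(datetime.timezone.utc), key.public_key()
    ku = x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False,
                       data_encipherment=False, key_agreement=False, key_cert_sign=True,
                       crl_sign=True, encipher_only=False, decipher_only=False)
    cdp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URL)], None, None, None)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            # basicConstraints is not in the list above, but RFC 3280 requires it on CA certificates
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(ku, critical=key_usage_critical)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(pub), critical=False)
            .add_extension(x509.CRLDistributionPoints([cdp]), critical=False)
            .add_extension(x509.CertificatePolicies([x509.PolicyInformation(POLICY_OID, qualifiers)]),
                           critical=False)
            # the profile names sha-1WithRSAEncryption; SHA-1 signatures are rejected by current verifiers
            .sign(key, hashes.SHA256()))

CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_CERT = build_ca_certificate(CA_KEY)
CA_CERT_DER = CA_CERT.public_bytes(Encoding.DER)
# keyUsage left non-critical plus a CPS URI qualifier on the policy: two deliberate violations
BAD_CERT = build_ca_certificate(CA_KEY, key_usage_critical=False, qualifiers=["http://cps.example.invalid"])

if __name__ == "__main__":
    print("version field:", hex(certificate_version_field(CA_CERT_DER)))
    print("CA cert:", check_certificate_profile(CA_CERT, True) or "conforms")
    print("bad cert:", check_certificate_profile(BAD_CERT, True))
```

The second build leaves keyUsage non-critical and attaches a CPS URI qualifier, so the checker reports both deviations; run against a subscriber certificate, pass ca=False and the keyCertSign/cRLSign test is skipped, since the profile defers that keyUsage content to the relevant CP.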
CRLs issued by the CESNET CA are X.509 version 2 CRLs. This is indicated by setting the version field in the CRL to the value 1.
The following CRL and CRL entry extensions are used:
authorityKeyIdentifier (non-critical CRL extension). Unique identifier of the issuer key according to RFC 3280.
cRLNumber (non-critical CRL extension). Monotonically increasing sequence number for each CRL issued by the CA according to RFC 3280.
reasonCode (non-critical CRL entry extension). The revocation reason code as specified in RFC 3280.
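The CRL profile above, as an added example that is not part of this CPS and not CESNET CA tooling: a CRL built with the three extensions listed, one revoked entry carrying reasonCode, and a checker that verifies the criticality of each extension and the monotonic increase of cRLNumber against the number seen on the previously fetched CRL. It assumes the python-cryptography library; the issuer name and the revoked serial number are constructed placeholders, and it signs with SHA-256 because SHA-1 signatures are rejected by current verifiers.

```python
"""CRL profile check for the CRL section above. Added example, not CESNET CA tooling; needs
python-cryptography. Issuer name and the revoked serial number are constructed placeholders."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def _ext(holder, cls):
    """Extension of class cls on a CRL or a CRL entry, or None when absent."""
    try:
        return holder.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None

def check_crl_profile(crl, previous_number=None):
    """Deviations from the CRL profile ([] means the CRL conforms). previous_number is the
    cRLNumber of the CRL seen last time; the profile requires the sequence to increase."""
    problems = []
    for cls in (x509.AuthorityKeyIdentifier, x509.CRLNumber):
        ext = _ext(crl, cls)
        if ext is None:
            problems.append(f"{cls.__name__} missing")
        elif ext.critical:
            problems.append(f"{cls.__name__} must be non-critical")
    number = _ext(crl, x509.CRLNumber)
    if number is not None and previous_number is not None and number.value.crl_number <= previous_number:
        problems.append(f"cRLNumber {number.value.crl_number} does not exceed previous {previous_number}")
    for entry in crl:                                  # reasonCode is optional on an entry
        reason = _ext(entry, x509.CRLReason)
        if reason is not None and reason.critical:
            problems.append(f"reasonCode on serial {entry.serial_number} must be non-critical")
    return problems

def build_crl(key, issuer, crl_number, reason_critical=False):
    """CRL carrying the three listed extensions and one constructed revoked entry;
    reason_critical exists only to produce a non-conforming CRL for testing."""
    now = datetime.datetime.now(datetime.timezone.utc)
    revoked = (x509.RevokedCertificateBuilder().serial_number(0x1001).revocation_date(now)
               .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=reason_critical)
               .build())
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer)
            .last_update(now).next_update(now + datetime.timedelta(days=7))
            .add_extension(x509.CRLNumber(crl_number), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
                           critical=False)
            .add_revoked_certificate(revoked)
            # the profile names sha-1WithRSAEncryption; SHA-1 signatures are rejected by current verifiers
            .sign(key, hashes.SHA256()))

def revoked_serials(crl):
    """Serial numbers listed in the CRL, for callers that act on the entries."""
    return [entry.serial_number for entry in crl]

CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
CRL_7 = build_crl(CA_KEY, ISSUER, 7)
CRL_8 = build_crl(CA_KEY, ISSUER, 8)
BAD_CRL = build_crl(CA_KEY, ISSUER, 7, reason_critical=True)   # stale cRLNumber, critical reasonCode

if __name__ == "__main__":
    print("CRL 8 after 7:", check_crl_profile(CRL_8, previous_number=7) or "conforms")
    print("bad CRL after 7:", check_crl_profile(BAD_CRL, previous_number=7))
```

A relying party that caches the last cRLNumber it accepted can use previous_number to detect a replayed or stale CRL, which the criticality checks alone would not catch.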