To promote interoperability, this policy strongly encourages conforming CAs to issue certificates profiled according to RFC 2459. In every case, the CPS MUST detail the specific profile adopted.
The version field in the certificate SHALL state 2, indicating X.509v3 certificates.
In compliance with RFC 2459, the inclusion of the following certificate extensions is RECOMMENDED:
| Extension | Criticality |
|---|---|
| subjectKeyIdentifier | NOT CRITICAL |
| authorityKeyIdentifier | NOT CRITICAL |
| basicConstraints | CRITICAL |
| keyUsage | CRITICAL |
| certificatePolicies | NOT CRITICAL |
The use of two other extensions is also RECOMMENDED: cRLDistributionPoint, to provide information useful for retrieving the CRL, and subjectAltNames, when an RFC822 e-mail address or a DNS host name needs to be included in a certificate. Both extensions SHOULD be marked as NOT CRITICAL.
No stipulation.
All related issues MUST be specified in the CPS.
All related issues MUST be specified in the CPS.
Other certificate policy object identifiers are applicable if and only if the other policies identified are compliant with this policy. Conforming CAs MUST contact the maintainers of the various policies to verify the level of mutual compliance. However, to promote interoperability and following RFC 2459, this policy suggests including only one certificate policy object identifier in a certificate.
All related issues MUST be specified in the CPS.
The Certificate Policies extension field has a provision for conveying, along with each certificate policy identifier, additional policy-dependent information in a qualifier field. Certificates issued under this CP SHOULD NOT use policy qualifiers.
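The certificate profile above can be checked mechanically. The following is an added example, not part of the policy text: it reads the text dump of a certificate in the layout printed by `openssl x509 -noout -text` and reports deviations from the version, extension criticality, single policy OID and policy qualifier statements. The function name `check_profile`, the treatment of subjectAltNames as situational, and the sample OIDs and URL are assumptions made for illustration.

```python
import re

# Extension name as printed by `openssl x509 -noout -text` -> criticality this policy asks for.
PROFILE = {
    "Subject Key Identifier": False, "Authority Key Identifier": False,
    "Basic Constraints": True, "Key Usage": True,
    "Certificate Policies": False, "CRL Distribution Points": False,
    "Subject Alternative Name": False,
}
SITUATIONAL = {"Subject Alternative Name"}  # assumption: only needed for e-mail / DNS names

def check_profile(text):
    """Return deviations from the profile; an empty list means none were found."""
    findings = []
    if not re.search(r"^\s*Version: 3 \(0x2\)\s*$", text, re.M):
        findings.append("version field is not 2 (X.509v3)")
    # Extension headers look like "X509v3 Key Usage: critical" or "X509v3 Key Usage:".
    seen = {m.group(1): m.group(2) is not None for m in re.finditer(
        r"^\s*X509v3 ([^:\n]+):[ \t]*(critical)?[ \t]*$", text, re.M)}
    for name, critical in PROFILE.items():
        if name not in seen:
            if name not in SITUATIONAL:
                findings.append(f"{name}: missing (RECOMMENDED)")
        elif seen[name] != critical:
            findings.append(f"{name}: expected {'CRITICAL' if critical else 'NOT CRITICAL'}")
    policies = re.findall(r"^\s*Policy: (\S+)", text, re.M)
    if len(policies) > 1:
        findings.append(f"{len(policies)} policy OIDs (one is suggested)")
    if re.search(r"^\s*(CPS|User Notice):", text, re.M):
        findings.append("policy qualifiers present (SHOULD NOT be used)")
    return findings

# Constructed sample: trimmed text dump of a certificate that deviates from the profile.
BAD = """\
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.99999.1
                  CPS: http://ca.example.org/cps
                Policy: 1.3.6.1.4.1.99999.2
            X509v3 CRL Distribution Points:
"""

if __name__ == "__main__":
    for finding in check_profile(BAD):
        print(finding)
```

Absent extensions are reported as deviations from a recommendation rather than as failures, since the policy only RECOMMENDS their inclusion.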
The version field in the certificate SHALL be omitted, indicating an X.509v1 CRL.
Not applicable.