
Certificate Extension Fields

The Extension subsection shows all extension fields present in the certification request. Existing fields can be modified like any other request data and additional extensions can be added by selecting an extension from the drop-down list and clicking the Add button. An existing extension can be removed from the request by clicking Remove next to the extension field.

The extensions recognized by SSH Tectia Certifier are described below.

  • Email

    Email subject alternative name. Multiple values are allowed.

  • IP Address (IP)

    IP address subject alternative name. Multiple values are allowed. At the moment this field can only contain IPv4 addresses in dotted-decimal notation (for example, 134.23.54.102).

  • Universal Resource Identifier (URI)

    URI subject alternative name. Multiple values are allowed. The URI must be absolute, that is, it must include a scheme (for example, http://www.ssh.com); relative URIs are not accepted.

  • Domain Name (DNS)

    DNS subject alternative name. Multiple values are allowed.

  • Registered ID (RID)

    RID contains an OID as its value (for example, 2.5.223.67.32.568.64.23 is a valid OID). Multiple values are allowed.

  • User Principal Name (UPN)

    UPN subject alternative name. This extension is required, for example, for Windows 2000 smart card logon.

  • Directory Name

    Another distinguished name in addition to the subject name can be stored here. Multiple directory names are allowed.

  • Policy Info

    This field contains information about the applicability of the certificate for various uses and certification practices of the issuing CA. If this extension is set as critical (from the drop-down list), the client application handling the certificate must not use the certificate unless it is familiar with the extension. If this extension is set as non-critical, a client application may use the certificate even if it does not recognize the extension.

    Click the Edit button to edit the policy information extension. The extension must contain the object identifier (OID) registered for the certificate policy. Additionally, the extension may contain a user notice and a certification practice statement (CPS) URI. The CPS URI field can give, for example, the location where the written certificate policy can be viewed with a web browser.

    The user notice is intended to be displayed to a client when the certificate is being used. The textual statement is written in the Explicit text field. The Organization field can be given the name of the organization issuing the statement, and the Reference List the numbers that identify the statement. Click the Add User Notice and Add CPS URI buttons to add these optional policy fields.

  • Authority Access

    This extension (authority information access) indicates how to access information and services of the issuing CA other than CRLs. It may contain either information about the CAs that have issued certificates superior to the CA that issued the certificate containing this extension, or the location of the OCSP service.

    The first drop-down menu selects which of these is being used, caIssuers or ocsp.

    The second drop-down menu selects how the location is given; the options are URI, DN, and Email.

    When authority access is used to locate the OCSP responder, give the HTTP URL of the responder service in the Authority Access field.

  • Basic Constraints

    Normally present only in CA certificates. If the CA flag is set, it indicates that this is a CA certificate. The path length constraint is optional and can be removed by selecting unlimited from the drop-down list. To remove the Basic Constraints extension, click the Remove button.

    If the path length constraint is present, it gives the maximum number of CA certificates that can follow this CA certificate in a certification path (the end-entity certificate at the end of the path is not counted). A CA with a path length of zero therefore cannot issue any sub-CA certificates at all, a CA with a path length of one can issue only CA certificates whose effective path length is zero, and so on. A CA certificate with no path length constraint allows a certification path of unrestricted length beneath it.

  • Key Usage

    The key usage extension is a bit field with a number of named bit values.

    • Digital Signature

      Set when the public key is used for digital signatures for purposes other than non-repudiation, certificate signing, or CRL signing (for example, entity authentication).

    • Non Repudiation

      Set when the public key is used to provide a non-repudiation service.

    • Key Encipherment

      Set when the public key is used for key transport, that is, to encipher symmetric keys or other key material.

    • Data Encipherment

      Set when the key is used to encipher data not consisting of cryptographic keys.

    • Key Agreement

      Set when the key is used in key agreement.

    • Key Cert Sign

      Set when the key is used to verify signatures on certificates. Only CA certificates can have this bit set.

    • CRL Sign

      Set when the key is used to sign CRL information. Only CA certificates can have this bit set.

    • Encipher Only

      Meaningful only together with the Key Agreement bit: the key can then be used only to encipher data in the key agreement procedure.

    • Decipher Only

      Meaningful only together with the Key Agreement bit: the key can then be used only to decipher data in the key agreement procedure.

    Note that not all bit combinations are valid. Factors such as whether the certificate is a CA certificate and the type of the key affect the possible combinations. The system automatically ensures that only certificates with valid key usage extensions are issued.

  • Extended Key Usage

    Extended key usage, unlike the key usage above, is a list of OIDs, each identifying a purpose for which the certified key may be used.

    • ekuServerAuth

      The certificate is used in TLS server authentication.

    • ekuClientAuth

      The certificate is used in TLS client authentication.

    • ekuCodeSigning

      Signing of downloadable executable code.

    • ekuTimeStamping

      Used in time stamping services.

    • ekuEmailProtection

      Used for protecting e-mail messages.

    • ekuIkeIntermediate

      Used with IKE.

    • ekuOCSPSigning

      The certificate is used for signing OCSP responses.

    • ekuSmartCardLogon

      Used for Windows 2000 smart card logon.

  • Custom Extended Key Usage OID

    A custom extended key usage, given as an OID in a text box.

  • Netscape Comment

    Extension displayed by Netscape, given as a text string.

  • Subject directory attribute

    The subject directory attributes extension carries additional information on the certificate user. Each attribute value is entered in a text field.

    • title

      The user's title (free text).

    • dateOfBirth

      The user's date of birth. The date format depends on the operator-specific settings. See Section Editing the Operator Information.

    • placeOfBirth

      The user's place of birth (free text).

    • gender

      The user's gender (M or F).

    • countryOfCitizenship

      The user's citizenship. Should be given as an ISO 3166-1-Alpha-2 country code (for example, FI).

    • countryOfResidence

      The user's country of residence. Should be given as an ISO 3166-1-Alpha-2 country code (for example, US).

  • Qualified Certificate Statement

    Qualified Certificate (QC) statement as per RFC 3039. A statement can have one of five values, set on the Edit Qualified Certificate Statement page. Several statements can be added, each with a different value.

    • PKIX QC Syntax v1

      Indicates conformance with the Qualified Certificate profile as specified in RFC 3039. The statement can either have no content, contain a Semantics Identifier OID, or contain information on name registration authorities (a URI, a Directory Name, or an Email address).

    • QC EU Compliance

      Indicates compliance with the EU directives on Qualified Certificates.

    • Monetary Limit

      Imposes a limitation on the value of transaction for which the certificate can be used. The Currency code and the Amount need to be entered in text boxes. The currency code should be given as an ISO 4217 three-letter code (for example, USD).

    • Retention Period

      Indicates a period (in years) after the expiry of the certificate for which information related to the certificate is archived.

    • Custom Statement

      A custom QC statement consists of an OID and the statement value in DER-encoded hexadecimal format.

  • Custom Binary Extension

    A custom binary extension consists of an OID and the extension data (in hexadecimal format). If this extension is set as critical (from the drop-down list), the client application handling the certificate must not use the certificate unless it is familiar with the extension. If this extension is set as non-critical, a client application may use the certificate even if it does not recognize the extension.
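The subject alternative name types, the authority access locations and the critical flag described in the sections above all reduce to DER structures. The following is an added example, not code from SSH Tectia Certifier, written in Python 3 with only the standard library. The host names, addresses and OCSP URL in it are constructed for the example; it also accepts IPv6 addresses, which the IP Address field above does not, and only the four attribute types in its table are supported for Directory Name.

```python
"""DER encoding of GeneralName, subjectAltName, authority information access
and the Extension wrapper (added example; not SSH Tectia Certifier code)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def oid_content(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER: first two arcs merged, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_oid(dotted: str) -> bytes:
    return tlv(0x06, oid_content(dotted))


def is_absolute_uri(uri: str) -> bool:
    """RFC 5280 requires a scheme and a scheme-specific part; relative URIs are rejected."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


# Attribute types supported for directoryName (assumption: a small subset of X.520).
# C is a PrintableString (0x13); the others are UTF8String (0x0C).
_ATTR = {"C": ("2.5.4.6", 0x13), "O": ("2.5.4.10", 0x0C),
         "OU": ("2.5.4.11", 0x0C), "CN": ("2.5.4.3", 0x0C)}


def encode_name(rdns: list[tuple[str, str]]) -> bytes:
    """X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue, one attribute per RDN."""
    out = b""
    for typ, val in rdns:
        oid, string_tag = _ATTR[typ]
        out += tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(string_tag, val.encode("utf-8"))))
    return tlv(0x30, out)


UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName type


def general_name(kind: str, value) -> bytes:
    """One GeneralName CHOICE alternative with its context-specific tag."""
    if kind == "email":    # rfc822Name [1] IA5String (implicit tag)
        return tlv(0x81, value.encode("ascii"))
    if kind == "dns":      # dNSName [2] IA5String
        return tlv(0x82, value.encode("ascii"))
    if kind == "uri":      # uniformResourceIdentifier [6] IA5String
        if not is_absolute_uri(value):
            raise ValueError(f"URI must be absolute: {value!r}")
        return tlv(0x86, value.encode("ascii"))
    if kind == "ip":       # iPAddress [7] OCTET STRING, 4 or 16 network-order bytes
        return tlv(0x87, ipaddress.ip_address(value).packed)
    if kind == "rid":      # registeredID [8] OBJECT IDENTIFIER (implicit: OID tag replaced)
        return tlv(0x88, oid_content(value))
    if kind == "upn":      # otherName [0] { type-id UPN_OID, value [0] EXPLICIT UTF8String }
        return tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, value.encode("utf-8"))))
    if kind == "dirname":  # directoryName [4] Name; explicit because Name is itself a CHOICE
        return tlv(0xA4, encode_name(value))
    raise ValueError(f"unsupported GeneralName kind {kind!r}")


def subject_alt_name(names: list[tuple[str, object]]) -> bytes:
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName"""
    if not names:
        raise ValueError("subjectAltName needs at least one name")
    return tlv(0x30, b"".join(general_name(k, v) for k, v in names))


ACCESS_METHODS = {"ocsp": "1.3.6.1.5.5.7.48.1", "caIssuers": "1.3.6.1.5.5.7.48.2"}


def authority_info_access(entries: list[tuple[str, tuple[str, object]]]) -> bytes:
    """SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }"""
    return tlv(0x30, b"".join(
        tlv(0x30, encode_oid(ACCESS_METHODS[method]) + general_name(*location))
        for method, location in entries))


def extension(oid: str, extn_value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits DEFAULT-valued components, so the
    critical flag is encoded only when TRUE."""
    body = encode_oid(oid)
    if critical:
        body += b"\x01\x01\xff"
    return tlv(0x30, body + tlv(0x04, extn_value))


if __name__ == "__main__":
    san = subject_alt_name([("dns", "www.ssh.com"), ("email", "alice@ssh.com"),
                            ("ip", "134.23.54.102"), ("upn", "alice@example.com")])
    print(extension("2.5.29.17", san).hex())
    print(authority_info_access([("ocsp", ("uri", "http://ocsp.example.com"))]).hex())
```

The point worth noticing for anyone reviewing a request by hand is the critical flag: a non-critical extension contains no BOOLEAN at all, and an encoder that writes `01 01 00` for "false" produces BER that strict DER parsers reject.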

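The Key Usage section above notes that not all bit combinations are valid and that the CA flag and the key type restrict them. The following added example (not Certifier's own implementation; Python 3 standard library only) encodes and decodes the KeyUsage BIT STRING in strict DER and applies the combination rules from RFC 5280 (keyCertSign only with the cA flag, encipherOnly and decipherOnly only with keyAgreement) together with the per-key-type rules of RFC 3279 for RSA and DSA and RFC 5480 for EC. Which of these rules Certifier itself enforces is not stated on this page, so the rule table is an assumption of the example.

```python
"""Key Usage: strict DER BIT STRING encoding and bit-combination checks
(added example; not SSH Tectia Certifier code)."""
from __future__ import annotations

# RFC 5280 named bits. Bit 0 is the most significant bit of the first content octet.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")

# Assumption: bits appropriate per key type, from RFC 3279 (rsa, dsa) and RFC 5480 (ec).
ALLOWED_BY_KEY_TYPE = {
    "rsa": {"digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyCertSign", "cRLSign"},
    "dsa": {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"},
    "ec":  {"digitalSignature", "nonRepudiation", "keyAgreement", "keyCertSign",
            "cRLSign", "encipherOnly", "decipherOnly"},
}


def encode_key_usage(bits: set[str]) -> bytes:
    """KeyUsage ::= BIT STRING. DER drops trailing zero bits, so both the length
    and the unused-bits octet depend on the highest bit that is set."""
    unknown = set(bits) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage bit(s): {sorted(unknown)}")
    positions = [i for i, name in enumerate(KEY_USAGE_BITS) if name in bits]
    if not positions:
        return b"\x03\x01\x00"                  # empty bit string
    nbits = max(positions) + 1
    nbytes = (nbits + 7) // 8
    value = 0
    for i in positions:
        value |= 1 << (nbytes * 8 - 1 - i)      # bit i counted from the MSB
    unused = nbytes * 8 - nbits
    return b"\x03" + bytes([nbytes + 1, unused]) + value.to_bytes(nbytes, "big")


def decode_key_usage(der: bytes) -> set[str]:
    """Strict DER decoder: rejects bad lengths, non-zero padding bits and
    untrimmed trailing zero bits (a common BER-versus-DER discrepancy)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a single short-form BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bits octet")
    if content:
        if content[-1] & ((1 << unused) - 1):
            raise ValueError("padding bits must be zero")
        if not content[-1] & (1 << unused):
            raise ValueError("trailing zero bits not removed (not DER)")
    nbits = len(content) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if content[i // 8] & (0x80 >> (i % 8))}


def check_key_usage(bits: set[str], *, is_ca: bool, key_type: str) -> list[str]:
    """Return the list of problems with a bit combination; empty means acceptable."""
    problems = []
    if "keyCertSign" in bits and not is_ca:
        problems.append("keyCertSign requires the Basic Constraints cA flag")
    if is_ca and bits and "keyCertSign" not in bits:
        problems.append("CA certificate with Key Usage but without keyCertSign "
                        "fails path validation (RFC 5280 6.1.4 (n))")
    if bits & {"encipherOnly", "decipherOnly"} and "keyAgreement" not in bits:
        problems.append("encipherOnly/decipherOnly are undefined without keyAgreement")
    disallowed = bits - ALLOWED_BY_KEY_TYPE[key_type]
    if disallowed:
        problems.append(f"{key_type} keys cannot assert {sorted(disallowed)}")
    return problems


if __name__ == "__main__":
    for combo in ({"digitalSignature", "keyEncipherment"}, {"keyCertSign", "cRLSign"},
                  {"keyAgreement", "decipherOnly"}):
        der = encode_key_usage(combo)
        print(der.hex(), decode_key_usage(der) == combo)
    print(check_key_usage({"digitalSignature", "keyEncipherment"}, is_ca=False, key_type="ec"))
```

Run as a script it prints the three familiar encodings (`030205a0`, `03020106`, `0303070880`) and flags keyEncipherment on an EC key, which is the kind of request the page says the system refuses to issue.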

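The path length semantics described under Basic Constraints are what a relying party enforces during path validation, so a CA issuing with the wrong constraint finds out only when certificates fail to verify. The following added example (not Certifier code; Python 3 standard library only) walks a chain of constructed certificate records and reports violations of the cA flag, keyCertSign and path length rules, following the steps of RFC 5280 section 6.1.4. It deliberately also applies a path length constraint carried by the trust anchor itself, which RFC 5280 section 6.2 leaves optional; signatures, validity periods and revocation are outside its scope.

```python
"""Path length constraint enforcement along a certification path
(added example; not SSH Tectia Certifier code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool = False                          # Basic Constraints cA flag
    path_len: Optional[int] = None            # pathLenConstraint; None means unlimited
    key_usage: FrozenSet[str] = frozenset()   # empty means the extension is absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def validate_path(chain: List[Cert]) -> List[str]:
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate.
    Returns the list of violations; an empty list means the path is acceptable."""
    problems: List[str] = []
    if len(chain) < 2:
        return ["a path needs at least a trust anchor and an end-entity certificate"]
    for child, parent in zip(chain[1:], chain[:-1]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject}: issuer {child.issuer!r} is not {parent.subject!r}")

    # max_path_length as in RFC 5280 sections 6.1.2 and 6.1.4. Assumption of this
    # example: the trust anchor's own pathLenConstraint is applied as well.
    max_path_length = len(chain)
    for idx, cert in enumerate(chain[:-1]):      # every certificate that issued the next one
        if not cert.ca:                          # 6.1.4 (k)
            problems.append(f"{cert.subject}: issued a certificate but cA is not set")
        if cert.key_usage and "keyCertSign" not in cert.key_usage:   # 6.1.4 (n)
            problems.append(f"{cert.subject}: Key Usage present without keyCertSign")
        if idx > 0 and not cert.self_issued:     # 6.1.4 (l): anchor and self-issued certs not counted
            if max_path_length <= 0:
                problems.append(f"{cert.subject}: exceeds the path length allowed by a superior CA")
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:   # 6.1.4 (m)
            max_path_length = cert.path_len
    return problems


def ca(subject: str, issuer: str, path_len: Optional[int] = None) -> Cert:
    return Cert(subject, issuer, ca=True, path_len=path_len,
                key_usage=frozenset({"keyCertSign", "cRLSign"}))


def leaf(subject: str, issuer: str) -> Cert:
    return Cert(subject, issuer, key_usage=frozenset({"digitalSignature", "keyEncipherment"}))


if __name__ == "__main__":
    # Constructed chain: root allows one intermediate, the sub-CA allows none.
    root = ca("Example Root", "Example Root", path_len=1)
    sub = ca("Example Sub CA", "Example Root", path_len=0)
    print(validate_path([root, sub, leaf("alice", "Example Sub CA")]))
    # A CA certificate below a pathLen 0 CA is rejected, whatever it claims itself.
    rogue = ca("Rogue CA", "Example Sub CA")
    print(validate_path([root, sub, rogue, leaf("bob", "Rogue CA")]))
```

The second chain is the failure mode the Basic Constraints section warns about: even though the sub-CA has keyCertSign and the rogue certificate carries cA=TRUE, the sub-CA's path length of zero makes every certificate below the rogue CA unverifiable.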