|[Front page] [Index]|
The Extension subsection shows all extension fields present in the certification request. Existing fields can be modified like any other request data and additional extensions can be added by selecting an extension from the drop-down list and clicking the Add button. An existing extension can be removed from the request by clicking Remove next to the extension field.
The extensions recognized by SSH Tectia Certifier are described below.
Email subject alternative name. Multiple values are allowed.
- IP Address (IP)
- Universal Resource Identifier (URI)
URI subject alternative name. Multiple values are allowed. The URI must be non-relative (for example,
- Domain Name (DNS)
- Registered ID (RID)
RID contains an OID as a value, for example,
188.8.131.52.32.568.64.23is a valid OID. Multiple values are allowed.
- User Principal Name (UPN)
UPN subject alternative name. This extension is required, for example, for Windows 2000 smart card logon.
- Directory Name
- Policy Info
This field contains information about the applicability of the certificate for various uses and certification practices of the issuing CA. If this extension is set as critical (from the drop-down list), the client application handling the certificate must not use the certificate unless it is familiar with the extension. If this extension is set as non-critical, a client application may use the certificate even if it does not recognize the extension.
Click the Edit button to edit the policy information extension. The extension needs to have an object identifier (OID), which is registered for the certificate policy. Additionally, the extension may contain a user notice and a certification practice statement (CPS) URI. The CPS URI field can give, for example, the location where the written certificate policy can be found with a web browser.
The user notice is intended to be displayed to a client when the certificate is being used. The textual statement needs to be written to the Explicit text field. The Organization field can be given name of the organization giving the statement and Reference List the number that identifies the statement. Click the Add User Notice and Add CPS URI buttons to add optional policy fields.
- Authority Access
This extension can be used to indicate how to access the CA information and CA services (other than CRLs). The authority access may contain either information about CAs that have issued certificates superior to the CA that issued the certificate containing this extension, or location of the OCSP service.
The first drop-down menu is used to select which one of these is being used, caIssuers or ocsp.
The second drop-down menu identifies the way how this information is provided, URI, DN or Email are the options.
When authority access is being used to locate the OCSP responder, HTTP URL of the responder service should be given Authority Access field.
- Basic Constraints
Present only in CA certificates. If the CA flag is set, it indicates that this is a CA certificate. The path length constraint is optional and can be removed selecting unlimited from the drop-down list. To remove the Basic Constraints extension, click the Remove button.
If the path length constraint is present, it indicates the maximum number of certificates that can follow that particular CA certificate in the certification path. This means that a CA with a path length of zero cannot issue any sub-CA certificates at all, and a CA with a path length of one can issue only CA certificates with a path length of zero, and so on. A CA certificate with no path length constraint allows a certification path of unrestricted length underneath it.
- Key Usage
- Digital Signature
- Non Repudiation
- Key Encipherment
- Data Encipherment
- Key Agreement
- Key Cert Sign
- CRL Sign
Set when the key is used to sign CRL information. Only CA certificates can have this bit set.
- Encipher Only
- Decipher Only
Note that not all bit combinations are valid. Such factors as if the certificate is a CA certificate or the key type affect the possible combinations. The system automatically ensures that only certificates with valid key usage extensions are issued.
- Extended Key Usage
Extended key usage, unlike the key usage above, is a list of OIDs representing different key usage constraints.
Used with IKE.
The certficate is used for signing OCSP responses.
Used for Windows 2000 smart card logon.
- Custom Extended Key Usage OID
A custom extended key usage, given as an OID in a text box.
- Netscape Comment
Extension displayed by Netscape, given as a text string.
- Subject directory attribute
The various subject directory attribute extensions contain information on the certificate user. The information can be entered in a text field.
The user's title (free text).
The user's date of birth. The time format depends on the operator-specific settings. See Section Editing the Operator Information.
The user's place of birth (free text).
The user's gender (
The user's citizenship. Should be given as an ISO 3166-1-Alpha-2 country code (for example,
The user's country of residence. Should be given as an ISO 3166-1-Alpha-2 country code (for example,
- Qualified Certificate Statement
Qualified Certificate (QC) statement as per RFC 3039. The extension can have one of five values that are set on Edit Qualified Certificate Statement page. Several QC extensions can be added, each with different value.
- PKIX QC Syntax v1
Indicates conformance with Qualified Certificate profile as specified in RFC 3039. The extension can either have No content, contain a Semantics Identifier OID, or contain information on Name registration authorities (an URI, a Directory Name, or an Email address).
- QC EU Compliance
Indicates compliance with the EU directives on Qualified Certificates.
- Monetary Limit
Imposes a limitation on the value of transaction for which the certificate can be used. The Currency code and the Amount need to be entered in text boxes. The currency code should be given as an ISO 4217 three-letter code (for example,
- Retention Period
Indicates a period (in years) after the expiry of the certificate for which information related to the certificate is archived.
- Custom Statement
A custom QC statement extension consists of an OID and the extension (in DER-encoded hexadecimal format).
- PKIX QC Syntax v1
- Custom Binary Extension
A custom binary extension consists of an OID and the extension data (in hexadecimal format). If this extension is set as critical (from the drop-down list), the client application handling the certificate must not use the certificate unless it is familiar with the extension. If this extension is set as non-critical, a client application may use the certificate even if it does not recognize the extension.
[Front page] [Index]