Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs

This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It provides recommendations for extensions to use with specific kinds of certificates, including PKIX Part 1 recommendations.

Important

This appendix is a reference for defaults, constraints, and certificate and CRL extensions that are used or are configurable in Red Hat Certificate System. For a complete reference and explanation of certificate and CRL extensions, see RFC 3280.
This appendix contains the following sections:

B.1. Defaults Reference

Defaults are used to define the contents of a certificate. This section lists and defines the predefined defaults.

B.1.1. Authority Info Access Extension Default

This default attaches the Authority Info Access extension. This extension specifies how an application validating a certificate can access information, such as online validation services and CA policy data, about the CA that has issued the certificate. This extension should not be used to point directly to the CRL location maintained by a CA; the CRL Distribution Points extension, Section B.1.7, “CRL Distribution Points Extension Default”, provides references to CRL locations.
For general information about this extension, see Section B.3.1, “authorityInfoAccess”.
The following constraints can be defined with this default:
This default can define up to five locations, with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.

Table B.1. Authority Info Access Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
Method_n
Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. This is one of the following values:
  • ocsp (1.3.6.1.5.5.7.48.1).
  • caIssuers (1.3.6.1.5.5.7.48.2)
  • renewal (2.16.840.1.113730.16.1)
LocationType_n Specifies the general name type for the location that contains additional information about the CA that has issued the certificate. This is one of the following types:
  • DirectoryName
  • DNSName
  • EDIPartyName
  • IPAddress
  • OID
  • RFC822Name
  • URIName
Location_n
Specifies the address or location to get additional information about the CA that has issued the certificate.
  • For directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
  • For dNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
  • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
  • For iPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
  • For OID, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • For RFC822Name, the value must be a valid Internet mail address.
  • For URIName, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully-qualified domain name or IP address of the host. For example, http://ocspResponder.example.com:8000. Certificate System allows both IPv4 and IPv6 IP addresses.
Enable_n Specifies whether this location is enabled. Select true to mark this as set; select false to disable it.

B.1.2. Authority Key Identifier Extension Default

This default attaches the Authority Key Identifier extension to the certificate. The extension identifies the public key that corresponds to the private key used by a CA to sign certificates. This default has no parameters. If used, this extension is included in the certificate with the public key information.
This default takes the following constraint:
For general information about this extension, see Section B.3.2, “authorityKeyIdentifier”.

B.1.3. Authentication Token Subject Name Default

This profile default populates subject names based on the attribute values in the authentication token (AuthToken) object.
This default plug-in works with the directory-based authentication manager. The Directory-Based User Dual-Use Certificate Enrollment certificate profile has two input parameters, UID and password. The directory-based authentication manager checks if the given UID and password are correct.
In addition, the directory-based authentication manager formulates the subject name of the issuing certificate. It forms the subject name by using the user's DN value from AuthToken.
This default is responsible for reading the subject name from the AuthToken and placing it in the certificate request so that the final certificate contains the subject name.
The following constraints can be defined with this default:

B.1.4. Basic Constraints Extension Default

This default attaches the Basic Constraint extension to the certificate. The extension identifies whether the Certificate Manager is a CA. The extension is also used during the certificate chain verification process to identify CA certificates and to apply certificate chain-path length constraints.
For general information about this extension, see Section B.3.3, “basicConstraints”.
The following constraints can be defined with this default:

Table B.2. Basic Constraints Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
IsCA Specifies whether the certificate subject is a CA. With true, the server checks the PathLen parameter and sets the specified path length in the certificate. With false, the server treats the certificate subject as a non-CA and ignores the value specified for the PathLen parameter.
PathLen
Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. The path length affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moves up.
The maxPathLen parameter has no effect if the extension is set in end-entity certificates.
The permissible values are 0 or n. The value should be less than the path length specified in the Basic Constraints extension of the CA signing certificate. 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate; only an end-entity certificate may follow in the path. n must be an integer greater than zero. It specifies the maximum number of subordinate CA certificates allowed below the subordinate CA certificate.
If the field is blank, the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer's certificate. If the issuer's path length is unlimited, the path length in the subordinate CA certificate will also be unlimited. If the issuer's path length is an integer greater than zero, the path length in the subordinate CA certificate will be set to a value that is one less than the issuer's path length; for example, if the issuer's path length is 4, the path length in the subordinate CA certificate will be set to 3.

B.1.5. CA Validity Default

This default adds an option to a CA certificate enrollment or renewal profile to bypass the CA's signing certificate's expiration constraint. This means that the issued CA certificate can have an expiration date that is later than the issuing CA signing certificate expiration date.
The following constraints can be defined with this default:

Table B.3. CA Validity Default Parameters

Parameter Description
bypassCAnotafterrange Sets the default value for whether a requesting CA can request a certificate whose validity period extends past the issuing CA's validity period.
range Specifies the absolute validity period for this certificate, in the number of days.
startTime Sets when the validity period begins, based on the current time.

B.1.6. Certificate Policies Extension Default

This default attaches the Certificate Policy Mappings extension into the certificate template. This extension defines one or more policies, indicating the policy under which the certificate has been issued and the purposes for which the certificate may be used. This default defines up to five policies, but this can be value can be changed.
For general information about this extension, see Section B.3.4, “certificatePoliciesExt”

Table B.4. Certificate Policies Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
numCertPolicies Specifies the number of policies that can be defined. The default is 5.
enable Select true to enable the policy; select false to disable the policy.
policyId Specifies the OID identifier for the policy.
cpsURI.enable The extension can include a URI to the issuer's Certificate Practice Statement. Select true to enable URI; select false to disable URI.
CPSURI.value This value is a pointer to a Certification Practice Statement (CPS) published by the CA. The pointer is in the form of a URI.
usernotice.enable The extension can include a URI to the issuer's Certificate Practice Statement or can embed issuer information, such as a user notice in text form. Select true to enable user notices; select false to disable the user notices.
usernotice.noticeReference.noticeNumbers This optional user notice parameter is a sequence of numbers that points to messages stored elsewhere.
usernotice.noticeReference.organization This optional user notice parameter specifies the name of the company.
usernotice.explicitText.value This optional user notice parameter contains the message within the certificate.

B.1.7. CRL Distribution Points Extension Default

This default attaches the CRL Distribution Points extension to the certificate. This extension identifies locations from which an application that is validating the certificate can obtain the CRL information to verify the revocation status of the certificate.
For general information about this extension, see Section B.3.5, “CRLDistributionPoints”.
The following constraints can be defined with this default:
This default defines up to five locations, with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.

Table B.5. CRL Distribution Points Extension Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
Type_n Specifies the type of CRL distribution point. The permissible values are DirectoryName, URIName, or RelativeToIssuer. The type must correspond to the value in the Name field.
Name_n
Specifies the name of the CRL distribution point, the name can be in any of the following formats:
  • An X.500 directory name in the RFC 2253 syntax. The name looks similar to the subject name in a certificate, like cn=CA Central, ou=Research Dept, o=Example Corporation, c=US.
  • A URIName, such as http://testCA.example.com:80.
  • An RDN which specifies a location relative to the CRL issuer. In this case, the value of the Type attribute must be RelativeToIssuer.
Reasons_n
Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants:
  • unused
  • keyCompromise
  • cACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
IssuerType_n
Specifies the naming type of the issuer that has signed the CRL maintained at the distribution point. The issuer name can be in any of the following formats:
  • RFC822Name
  • DirectoryName
  • DNSName
  • EDIPartyName
  • URIName
  • IPAddress
  • OIDName
  • OtherName
IssuerName_n
Specifies the name format of the CRL issuer that signed the CRL. The permissible values are as follows:
  • For RFC822Name, the value must be a valid Internet mail address. For example, testCA@example.com.
  • For DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
  • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
  • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
  • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com. Certificate System supports both IPv4 and IPv6 addresses.
  • For IPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
  • For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • OtherName is used for names with any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
    OtherName must have the format (type)oid,string. For example, (IA5String)1.2.3.4,MyExample.
The value for this parameter must correspond to the value in the issuerName field.

B.1.8. Extended Key Usage Extension Default

This default attaches the Extended Key Usage extension to the certificate.
For general information about this extension, see Section B.3.6, “extKeyUsage”.
The extension identifies the purposes, in addition to the basic purposes indicated in the Key Usage extension, for which the certified public key may be used. For example, if the key usage extension identifies a signing key, the Extended Key Usage extension can narrow the usage of the key for only signing OCSP responses or only Java™ applets.

Table B.6. PKIX Usage Definitions for the Extended Key Usage Extension

Usage OID
Server authentication 1.3.6.1.5.5.7.3.1
Client authentication 1.3.6.1.5.5.7.3.2
Code signing 1.3.6.1.5.5.7.3.3
Email 1.3.6.1.5.5.7.3.4
IPsec end system 1.3.6.1.5.5.7.3.5
IPsec tunnel 1.3.6.1.5.5.7.3.6
IPsec user 1.3.6.1.5.5.7.3.7
Timestamping 1.3.6.1.5.5.7.3.8
Windows 2000 can encrypt files on the hard disk, a feature known as encrypted file system (EFS), using certificates that contain the Extended Key Usage extension with the following two OIDs:
1.3.6.1.4.1.311.10.3.4 (EFS certificate)
1.3.6.1.4.1.311.10.3.4.1 (EFS recovery certificate)
The EFS recovery certificate is used by a recovery agent when a user loses the private key and the data encrypted with that key needs to be used. Certificate System supports these two OIDs and allows certificates to be issued containing the Extended Key Usage extension with these OIDs.
Normal user certificates should be created with only the EFS OID, not the recovery OID.
The following constraints can be defined with this default:

Table B.7. Extended Key Usage Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
OIDs Specifies the OID that identifies a key-usage purpose. The permissible values are a unique, valid OID specified in the dot-separated numeric component notation. For example, 2.16.840.1.113730.1.99. Depending on the key-usage purposes, the OIDs can be designated by PKIX (listed in Table B.6, “PKIX Usage Definitions for the Extended Key Usage Extension”) or custom OIDs. Custom OIDs must be in the registered subtree of IDs reserved for the company's use. Although it is possible to use custom OIDs for evaluating and testing the Certificate System, in a production environment, comply with the ISO rules for defining OIDs and for registering subtrees of IDs.

B.1.9. Freshest CRL Extension Default

This default attaches the Freshest CRL extension to the certificate.
The following constraints can be defined with this default:
This default defines five locations with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.

Table B.8. Freshest CRL Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
PointEnable_n Select true to enable this point; select false to disable this point.
PointType_n Specifies the type of issuing point, either DirectoryName or URIName.
PointName_n
  • If pointType is set to directoryName, the value must be an X.500 name, similar to the subject name in a certificate. For example, cn=CACentral,ou=Research Dept,o=Example Corporation,c=US.
  • If pointType is set to URIName, the name must be a URI, an absolute pathname that specifies the host. For example, http://testCA.example.com/get/crls/here/.
PointIssuerName_n
Specifies the name of the issuer that has signed the CRL. The name can be in any of the following formats:
  • For RFC822Name, the value must be a valid Internet mail address. For example, testCA@example.com.
  • For DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
  • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
  • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
  • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com. Certificate System supports both IPv4 and IPv6 addresses.
  • For IPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
  • For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • OtherName is used for names with any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
    OtherName must have the format (type)oid,string. For example, (IA5String)1.2.3.4,MyExample.
The name value must comply with the format specified in PointType_.
PointType_n Specifies the general name type of the CRL issuer that signed the CRL. The permissible values are as follows:
  • RFC822Name
  • DirectoryName
  • DNSName
  • EDIPartyName
  • URIName
  • IPAddress
  • OIDName
  • OtherName
The value for this parameter must correspond to the value in the PointIssuerName field.

B.1.10. Generic Extension Default

This extension allows for the creation of a generic extension with user determined data. The default ensures the generic extension is populated correctly.

Table B.9. Generic Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
genericExtOID Specifies the extensions OID identifier.
genericExtData The binary data contained within the extension.

B.1.11. Inhibit Any-Policy Extension Default

The inhibit any-policy extension can be used for certificates issued to CAs. The inhibit any-policy indicates that the special anyPolicy OID, with the value { 2 5 29 32 0 }, is not considered an explicit match for other certificate policies.

Table B.10. Inhibit Any-Policy Extension Default Configuration Parameters

Parameter Description
Critical This policy must be marked as critical. Select true to mark this extension critical; select false to mark the extension noncritical.
SkipCerts This parameter indicate the number of additional certificates that may appear in the path before any-policy is no longer allowed. A value of 1 indicates that any-policy may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.

B.1.12. Issuer Alternative Name Extension Default

This default attaches the Issuer Alternative Name extension to the certificate. The Issuer Alternative Name extension is used to associate Internet-style identities with the certificate issuer.
The following constraints can be defined with this default:
This default defines five locations with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.

Table B.11. Issuer Alternative Name Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
issuerAltExtType This sets the type of name extension to be used, which can be one of the following:
  • RFC822Name
  • DirectoryName
  • DNSName
  • EDIPartyName
  • URIName
  • IPAddress
  • OIDName
issuerAltExtPattern
Specifies the request attribute value to include in the extension. The attribute value must conform to any of the supported general name types. The permissible value is a request attribute included in the certificate request.
If the server finds the attribute in the request, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Issuer Alternative Name extension to certificates. If no suitable attributes can be used from the request to form the issuerAlternativeName, then literal string can be used without any token expression. For example, Certificate Authority.

B.1.13. Key Usage Extension Default

This default attaches the Key Usage extension to the certificate. The extension specifies the purposes for which the key contained in a certificate should be used, such as data signing, key encryption, or data encryption, which restricts the usage of a key pair to predetermined purposes.
For general information about this extension, see Section B.3.8, “keyUsage”.
The following constraints can be defined with this default:

Table B.12. Key Usage Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
digitalSignature Specifies whether to allow signing SSL client certificates and S/MIME signing certificates. Select true to set.
nonRepudiation Specifies whether to use for S/MIME signing certificates. Select true to set.

Warning

Using this bit is controversial. Carefully consider the legal consequences of its use before setting it for any certificate.
keyEncipherment Specifies whether the public key in the subject is used to encipher private or secret keys. This is set for SSL server certificates and S/MIME encryption certificates. Select true to set.
dataEncipherment Specifies whether to set the extension when the subject's public key is used to encipher user data as opposed to key material. Select true to set.
keyAgreement Specifies whether to set the extension whenever the subject's public key is used for key agreement. Select true to set.
keyCertsign Specifies whether the public key is used to verify the signature of other certificates. This setting is used for CA certificates. Select true to set the option.
cRLSign Specifies whether to set the extension for CA signing certificates that sign CRLs. Select true to set.
encipherOnly Specifies whether to set the extension if the public key is only for encrypting data while performing key agreement. If this bit is set, keyAgreement should also be set. Select true to set.
decipherOnly Specifies whether to set the extension if the public key is only for decrypting data while performing key agreement. If this bit is set, keyAgreement should also be set. Select true to set.

B.1.14. Name Constraints Extension Default

This default attaches a Name Constraints extension to the certificate. The extension is used in CA certificates to indicate a name space within which the subject names or subject alternative names in subsequent certificates in a certificate chain should be located.
For general information about this extension, see Section B.3.9, “nameConstraints”.
The following constraints can be defined with this default:
This default defines up to five locations for both the permitted subtree and the excluded subtree and sets parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.

Table B.13. Name Constraints Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
PermittedSubtreesn.min
Specifies the minimum number of permitted subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the minimum number of subtrees is zero.
  • n must be an integer that is greater than zero. It sets the minimum required number of subtrees.
PermittedSubtreesmax_n
Specifies the maximum number of permitted subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the maximum number of subtrees is zero.
  • n must be an integer that is greater than zero. It sets the maximum number of subtrees allowed.
PermittedSubtreeNameChoice_n Specifies the general name type for the permitted subtree to include in the extension. The permissible values are as follows:
  • RFC822Name
  • DirectoryName
  • DNSName
  • EDIPartyName
  • URIName
  • IPAddress
  • OIDName
  • OtherName
PermittedSubtreeNameValue_n
Specifies the general name value for the permitted subtree to include in the extension.
  • For RFC822Name, the value must be a valid Internet mail address. For example, testCA@example.com.
  • For DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
  • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
  • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
  • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com. Certificate System supports both IPv4 and IPv6 addresses.
  • For IPAddress, the value must be a valid IP address conforming to Classless Inter-Domain Routing (CIDR) notation. An IPv4 address must be in the n.n.n.n format, or n.n.n.n/m with a netmask - for example, 10.34.3.133 or 110.34.3.133/24. IPv6 addresses must also conform to CIDR notation; examples with netmasks include 2620:52:0:2203:527b:9dff:fe56:4495/64 or 2001:db8::/64.
  • For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • OtherName is used for names with any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
    OtherName must have the format (type)oid,string. For example, (IA5String)1.2.3.4,MyExample.
PermittedSubtreeEnable_n Select true to enable this permitted subtree entry.
ExcludedSubtreesn.min
Specifies the minimum number of excluded subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the minimum number of subtrees is zero.
  • n must be an integer that is greater than zero. This sets the minimum number of required subtrees.
ExcludedSubtreeMax_n
Specifies the maximum number of excluded subtrees.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that the maximum number of subtrees is zero.
  • n must be an integer that is greater than zero. This sets the maximum number of allowed subtrees.
ExcludedSubtreeNameChoice_n Specifies the general name type for the excluded subtree to include in the extension. The permissible values are as follows:
  • RFC822Name
  • DirectoryName
  • DNSName
  • EDIPartyName
  • URIName
  • IPAddress
  • OIDName
  • OtherName
ExcludedSubtreeNameValue_n
Specifies the general name value for the permitted subtree to include in the extension.
  • For RFC822Name, the value must be a valid Internet mail address. For example, testCA@example.com.
  • For DirectoryName, the value must be an X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
  • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
  • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
  • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com. Certificate System supports both IPv4 and IPv6 addresses.
  • For IPAddress, the value must be a valid IP address conforming to Classless Inter-Domain Routing (CIDR) notation. An IPv4 address must be in the n.n.n.n format, or n.n.n.n/m with a netmask - for example, 10.34.3.133 or 110.34.3.133/24. IPv6 addresses must also conform to CIDR notation; examples with netmasks include 2620:52:0:2203:527b:9dff:fe56:4495/64 or 2001:db8::/64.
  • For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • For OtherName, the values are names with any other format. This supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
    OtherName must have the format (type)oid,string. For example, (IA5String)1.2.3.4,MyExample.
ExcludedSubtreeEnable_n Select true to enable this excluded subtree entry.

B.1.15. Netscape Certificate Type Extension Default

Warning

This extension is obsolete. Use the Key Usage or Extended Key Usage certificate extensions instead.
This default attaches a Netscape Certificate Type extension to the certificate. The extension identifies the certificate type, such as CA certificate, server SSL certificate, client SSL certificate, or S/MIME certificate. This restricts the usage of a certificate to predetermined purposes.

B.1.16. Netscape Comment Extension Default

Warning

This extension is obsolete.
This default attaches a Netscape Comment extension to the certificate. The extension can be used to include textual comments in certificates. Applications that are capable of interpreting the comment display it when the certificate is used or viewed.
For general information about this extension, see Section B.4.3.2, “netscape-comment”.
The following constraints can be defined with this default:

Table B.14. Netscape Comment Extension Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
CommentContent Specifies the content of the comment to appear in the certificate.

B.1.17. No Default Extension

This default can be used to set constraints when no defaults are being used. This default has no settings and sets no defaults but does allow all of the constraints available to be set.

B.1.18. OCSP No Check Extension Default

This default attaches an OCSP No Check extension to the certificate. The extension, which should be used in OCSP responder certificates only, indicates how OCSP-compliant applications can verify the revocation status of the certificate an authorized OCSP responder uses to sign OCSP responses.
For general information about this extension, see Section B.3.10, “OCSPNocheck”.
The following constraints can be defined with this default:

Table B.15. OCSP No Check Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.

B.1.19. Policy Constraints Extension Default

This default attaches a Policy Constraints extension to the certificate. The extension, which can be used in CA certificates only, constrains path validation in two ways: either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier. The default can specify both ReqExplicitPolicy and InhibitPolicyMapping. PKIX standard requires that, if present in the certificate, the extension must never consist of a null sequence. At least one of the two specified fields must be present.
For general information about this extension, see Section B.3.11, “policyConstraints”.
The following constraints can be defined with this default:

Table B.16. Policy Constraints Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
reqExplicitPolicy
Specifies the total number of certificates permitted in the path before an explicit policy is required. This is the number of CA certificates that can be chained below the subordinate CA certificate before an acceptable policy is required.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that no subordinate CA certificates are permitted in the path before an explicit policy is required.
  • n must be an integer that is greater than zero. It specifies the maximum number of subordinate CA certificates allowed in the path before an explicit policy is required.
This number affects the number of CA certificates to be used during certificate validation. The chain starts with the end-entity certificate being validated and moving up the chain. The parameter has no effect if the extension is set in end-entity certificates.
inhibitPolicyMapping
Specifies the total number of certificates permitted in the path before policy mapping is no longer permitted.
  • -1 specifies that the field should not be set in the extension.
  • 0 specifies that no subordinate CA certificates are permitted in the path before policy mapping is no longer permitted.
  • n must be an integer that is greater than zero. It specifies at the maximum number of subordinate CA certificates allowed in the path before policy mapping is no longer permitted. For example, a value of 1 indicates that policy mapping may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.

B.1.20. Policy Mappers Extension Default

This default attaches a Policy Mappings extension to the certificate. The extension lists pairs of OIDs, each pair identifying two policy statements of two CAs. The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA. The extension may be useful in the context of cross-certification. If supported, the extension is included in CA certificates only. The default maps policy statements of one CA to that of another by pairing the OIDs assigned to their policy statements
Each pair is defined by two parameters, issuerDomainPolicy and subjectDomainPolicy. The pairing indicates that the issuing CA considers the issuerDomainPolicy equivalent to the subjectDomainPolicy of the subject CA. The issuing CA's users may accept an issuerDomainPolicy for certain applications. The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept.
For general information about this extension, see Section B.3.12, “policyMappings”.
The following constraints can be defined with this default:

Table B.17. Policy Mappings Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
IssuerDomainPolicy_n Specifies the OID assigned to the policy statement of the issuing CA to map with the policy statement of another CA. For example, 1.2.3.4.5.
SubjectDomainPolicy_n Specifies the OID assigned to the policy statement of the subject CA that corresponds to the policy statement of the issuing CA. For example, 6.7.8.9.10.

B.1.21. Private Key Usage Period Extension Default

The Private Key Usage Period extension allows the certificate issuer to specify a different validity period for the private key than for the certificate itself. This extension is intended for use with digital signature keys.

Table B.18. Private key Usage Period Configuration Parameters

Parameter Description
Critical This extension should always be non-critical.
puStartTime This parameters sets the start time. The default value is 0, which starts the validity period from the time the extension is activated.
puDurationDays This parameters sets the duration of the usage period. The default value is 365, which sets the validity period to 365 days from the time the extension is activated.

B.1.22. Signing Algorithm Default

This default attaches a signing algorithm in the certificate request. This default presents an agent with the possible algorithms that can be used for signing the certificate.
The following constraints can be defined with this default:

Table B.19. Signing Algorithm Default Configuration Parameters

Parameter Description
signingAlg Specify the default signing algorithm to be used to create this certificate. An agent can override this value by specifying one of the values contained in the signingAlgsAllowed parameter.
signingAlgsAllowed Specify the signing algorithms that can be used for signing this certificate. The algorithms can be any or all of the following:
  • MD2withRSA
  • MD5withRSA
  • SHA1withRSA
  • SHA256withRSA
  • SHA512withRSA
  • SHA1withEC (if ECC is enabled)

B.1.23. Subject Alternative Name Extension Default

This default attaches a Subject Alternative Name extension to the certificate. The extension binds additional identities, such as an email address, a DNS name, an IP address (both IPv4 and IPv6), or a URI, to the subject of the certificate. The standard requires that if the certificate subject field contains an empty sequence, then the Subject Alternative name extension must contain the subject's alternative name and that the extension be marked critical.
For any of the directory-based authentication methods, the Certificate System can retrieve values for any string and byte attributes and set them in the certificate request. These attributes are set by entering them in the ldapStringAttributes and ldapByteAttributes fields defined in the automated enrollment modules.
If authenticated attributes — meaning attributes stored in an LDAP database — need to be part of this extension, use values from the $request.X$ token.
There is an additional attribute to insert a universally unique identifier (UUID) into the subject alt name. This option generates a random number for version 4 UUID; the pattern is defined by referencing the server which will generate the number in an additional subjAltExtSource parameter.
A basic Subject Alternative Name Extension default is configured in the example.

Example B.1. Default Subject Alternative Name Extension Configuration

policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.requester_email$
policyset.serverCertSet.9.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.SAN1$
policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_2=http://www.server.example.com
policyset.serverCertSet.9.default.params.subjAltExtType_2=URIName
policyset.serverCertSet.9.default.params.subjAltExtType_3=OtherName
policyset.serverCertSet.9.default.params.subjAltExtPattern_3=(IA5String)1.2.3.4,$server.source$
policyset.serverCertSet.9.default.params.subjAltExtSource_3=UUID4
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true
policyset.serverCertSet.9.default.params.subjAltExtType_4=RFC822Name
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_4=false
policyset.serverCertSet.9.default.params.subjAltExtPattern_4=
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=4
The Subject Alternative Name extension default checks the certificate request for the profile attributes. If the request contains an attribute, the profile reads its value and sets it in the extension. It is also possible for the Subject Alternative Name extension default to insert attribute values from an LDAP directory, if LDAP-based authentication is configured. The extension added to the certificates contain all the configured attributes.
The variables that can be used with the Subject Alternative Name extension default are listed in Table B.20, “Variables to Insert Values in the Subject Alternative Name”.

Table B.20. Variables to Insert Values in the Subject Alternative Name

Policy Set Token Description
$request.auth_token.cn$ The LDAP common name (cn) attribute of the user who requested the certificate.
$request.auth_token.mail$ The value of the LDAP email (mail) attribute of the user who requested the certificate.
$request.auth_token.tokenCertSubject$ The certificate subject name.
$request.auth_token.uid$ The LDAP user ID (uid) attribute of the user who requested the certificate.
$request.auth_token.user$
$request.auth_token.userDN$ The user DN of the user who requested the certificate.
$request.auth_token.userid$ The value of the user ID attribute for the user who requested the certificate.
$request.uid$ The value of the user ID attribute for the user who requested the certificate.
$request.profileRemoteAddr$ The IP address of the user making the request. This can be an IPv4 or an IPv6 address, depending on the client. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
$request.profileRemoteHost$ The hostname or IP address of the user's machine. The hostname can be the fully-qualified domain name and the protocol, such as http://server.example.com. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
$request.requestor_email$ The email address of the person who submitted the request.
$request.requestowner$ The person who submitted the request.
$request.subject$ The subject name DN of the entity to which the certificate is issued. For example, uid=jsmith, e=jsmith@example.com.
$request.tokencuid$ The card unique ID (CUID) of the smart card token used for requesting the enrollment.
$request.upn$ The Microsoft UPN. This has the format (UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$.
$server.source$ Instructs the server to generate a version 4 UUID (random number) component in the subject name. This always has the format (IA5String)1.2.3.4,$server.source$.
Multiple attributes can be set for a single extension. The subjAltNameNumGNs parameter controls how many of the listed attributes are required to be added to the certificate. This parameter must be added to custom profiles and may need modified in default profiles to include as many attributes as required. In Example B.1, “Default Subject Alternative Name Extension Configuration”, the subjAltNameNumGNs is set to 3 to insert the RFC822Name, DNSName, and URIName names (generic names _0, _1, and _2).
The following constraints can be defined with this default:

Table B.21. Subject Alternative Name Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
Pattern Specifies the request attribute value to include in the extension. The attribute value must conform to any of the supported general name types. If the server finds the attribute in the request, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Subject Alternative Name extension to certificates. The permissible value is a request attribute included in the certificate request. For example, $request.requester_email$.
Type
Specifies the general name type for the request attribute.
  • Select RFC822Name if the request-attribute value is an email address in the local-part@domain format. For example, jdoe@example.com
  • Select DirectoryName if the request-attribute value is an X.500 directory name, similar to the subject name in a certificate. For example, cn=Jane Doe, ou=Sales Dept, o=Example Corporation, c=US.
  • Select DNSName if the request-attribute value is a DNS name. For example, corpDirectory.example.com.
  • Select EDIPartyName if the request-attribute value is an EDI party name. For example, Example Corporation.
  • Select URIName if the request-attribute value is a non-relative URI that includes both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://hr.example.com. Certificate System supports both IPv4 and IPv6 addresses.
  • Select IPAddress if the request-attribute value is a valid IP address specified in dot-separated numeric component notation. For example, 128.21.39.40. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
  • Select OIDName if the request-attribute value is a unique, valid OID specified in the dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • Select OtherName for names with any other format. This supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
    OtherName must have the format (type)oid,string. For example, (IA5String)1.2.3.4,MyExample.
Source Specifies an identification source or protocol to use to generate an ID. The only supported source is UUID4, which generates a random number to create the UUID.
Number of Components (NumGNs) Specifies the number of name components that must be included in the subject alternative name.

B.1.24. Subject Directory Attributes Extension Default

This default attaches a Subject Directory Attributes extension to the certificate. The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate.
The following constraints can be defined with this default:

Table B.22. Subject Directory Attributes Extension Default Configuration Parameters

Parameter Description
Critical Select true to mark this extension critical; select false to mark the extension noncritical.
Name The attribute name; this can be any LDAP directory attribute, such as cn or mail.
Pattern Specifies the request attribute value to include in the extension. The attribute value must conform to the allowed values of the attribute. If the server finds the attribute, it sets the attribute value in the extension and adds the extension to certificates. If multiple attributes are specified and none of the attributes are present in the request, the server does not add the Subject Directory Attributes extension to certificates. For example, $request.requester_email$.
Enable Sets whether that attribute is able to be added to the certificate. Select true to enable the attribute.

B.1.25. Subject Info Access Extension Default

Implements an enrollment default policy that populates a Subject Information Access extension in the certificate template. This extension indicates how to access information and services for the subject of the certificate in which the extension appears.
Parameter Description
Critical This extension is supposed to be non-critical.
subjInfoAccessNumADs The number of information access sections included with the certificate.
subjInfoAccessADMethod_n OID of the access method.
subjInfoAccessADMethod_n Type of access method.
  • URIName
  • Directory name
  • DNS Name
  • EID Party Name
  • IP Address
  • OID Name
  • RFC822Name
subjInfoAccessADLocation_n
Location based on the type subjInfoAccessADMethod_n
i.e., a URL for URI Name.
subjInfoAccessADEnable_n Select true to enable this extension; select false to disable this extension.

B.1.26. Subject Key Identifier Extension Default

This default attaches a Subject Key Identifier extension to the certificate. The extension identifies certificates that contain a particular public key, which identifies a certificate from among several that have the same subject name.
For general information about this extension, see Section B.3.16, “subjectKeyIdentifier”.
If enabled, the profile adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist. If the extension exists in the request, such as a CRMF request, the default replaces the extension. After an agent approves the manual enrollment request, the profile accepts any Subject Key Identifier Extension that is already there.
This default has no parameters. If used, this extension is included in the certificate with the public key information.
The following constraints can be defined with this default:

B.1.27. Subject Name Default

This default attaches a server-side configurable subject name to the certificate request. A static subject name is used as the subject name in the certificate.
The following constraints can be defined with this default:

Table B.23. Subject Name Default Configuration Parameters

Parameter Description
Name Specify the subject name for this certificate.
If you need to get a certificate subject name that uses the DNPATTERN value from the UidPwdDirAuth plugin, then configure the profile to use the Subject Name Default plugin and substitute the Name parameter with the "Subject Name" from the AuthToken as shown below.
policyset.userCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=$request.auth_token.tokenCertSubject$

B.1.28. User Key Default

This default attaches a user-supplied key into the certificate request. This is a required default. Keys are part of the enrollment request.
The following constraints can be defined with this default:

B.1.29. User Signing Algorithm Default

This default implements an enrollment default profile that populates a user-supplied signing algorithm in the certificate request. If included in the certificate profile, this allows a user to choose a signing algorithm for the certificate, subject to the constraint set.
No inputs are provided to add signing algorithm choices to the enrollment form, but it is possible to submit a request that contains this information.
The following constraints can be defined with this default:

B.1.30. User Subject Name Default

This default attaches a user-supplied subject name to the certificate request. If included in the certificate profile, it allows a user to supply a subject name for the certificate, subject to the constraints set. This extension preserves the subject name that is specified in the original certificate request when the certificate is issued.
The following constraints can be defined with this default:

B.1.31. User Validity Default

This default attaches a user-supplied validity to the certificate request. If included in the certificate profile, it allows a user to supply the validity period, subject to the constraints set. This default profile preserves that user-defined validity period in the original certificate request when the certificate is issued.
No inputs are provided to add user-supplied validity date to the enrollment form, but it is possible to submit a request that contains this information.
The following constraints can be defined with this default:

B.1.32. User Supplied Extension Default

The User Supplied Extension Default class populates a certificate with any certificate extension defined by the user in the certificate request. This requires users to submit certificate requests which meet certain standards or give certain information because the profile can require specific extensions before enrolling a certificate.

Warning

Be exceptionally cautious about setting this extension default, since it allows users to specify an extension in the certificate request. If this default is used, then Red Hat strongly recommends using a constraint corresponding to the extension to minimize any possible abuse of the User Supplied Extension Default.
The user-defined extension is validated against whatever constraint is set, so it is possible to restrict the kind of extension (through the Extension Constraint) or to set rules for the key and other basic constraints, such as whether this is a CA certificate.

Note

If this extension is set on a profile with a corresponding OID (Extension Constraint), then any certificate request processed through that profile must carry the specified extension or the request is rejected.
If a certificate profile was enabled with the User Supplied Extension Default before the errata RHSA 2008:0500, then this profile must be edited to support user supplied extensions in certificate requests. Apply the userExtensionDefaultImpl default, as shown in the example. The given OID is for the Basic Constraints Extension Constraint.
policyset.set1.p6.default.class_id=userExtensionDefaultImpl
policyset.set1.p6.default.name=User Supplied Extension Default
policyset.set1.p6.default.params.userExtOID=2.5.29.19
The CA handles an enrollment with the User Supplied Extension Default in one of three ways:
  • If the OID of the extension is specified in both the certificate request and the default, then the extension is validated by the constraints and applied to the certificate.
  • If an OID of an extension is given in the request but is not specified in the User Supplied Extension Default in the profile, then the user-specified extension is ignored, and the certificate is successfully enrolled without that extension.
  • If this extension is set on a profile with a corresponding OID (Extension Constraint), then any certificate request processed through that profile must carry the specified extension or the request is rejected.
A certificate request that contains the user-defined extensions must be submitted to the profile. The certificate enrollment forms, however, do not have any input fields for users to add user-supplied extensions. Submitting a certificate request without supplying the extension fails.
Example B.2, “User Supplied Extension Default for the Extended Key Usage Extension” adds the User Supplied Extension Default to a profile with the Extended Key Usage Constraint. The OID specified in the userExtOID parameter is for the Extended Key Usage Extension.

Example B.2. User Supplied Extension Default for the Extended Key Usage Extension

policyset.set1.2.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.set1.2.constraint.name=Extended Key Usage Extension
policyset.set1.2.constraint.params.exKeyUsageCritical=false
policyset.set1.2.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
policyset.set1.2.default.class_id=userExtensionDefaultImpl
policyset.set1.2.default.name=User Supplied Extension Default
policyset.set1.2.default.params.userExtOID=2.5.29.37
In Example B.2, “User Supplied Extension Default for the Extended Key Usage Extension”, although the User Supplied Extension Default allows a user to specify the Extended Key Usage Extension (2.5.29.37), the constraint limits the user request to only the SSL client authentication (1.3.6.1.5.5.7.3.2) and email protection (1.3.6.1.5.5.7.3.4) uses.

B.1.33. Validity Default

This default attaches a server-side configurable validity period into the certificate request.
The following constraints can be defined with this default:

Table B.24. Validity Default Configuration Parameters

Parameter Description
range Specifies the validity period for this certificate.
startTime Sets when the validity period begins, based on the current time.