x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key. 

Each certificate extension has three attributes - extnID, critical, extnValue

extnID - Extension ID - an OID that specifies the format and definitions of the extension
critical - Critical flag - Boolean value
extnValue - Extension value 

The criticality flag specifies whether an application must understand the extension in order to use the certificate. If an application does not recognize an extension marked as critical, it must reject the certificate. If an extension is not marked as critical (critical value FALSE), an application that does not recognize it may ignore it.

In Windows, critical extensions are marked with a yellow exclamation mark.

View certificate extensions using OpenSSL:

# openssl x509 -inform pem -in cert.pem -text -noout

(output abbreviated)

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                A1:96:A8:0E:32:4B:F6:BE:23:33:42:46:55:8A:72:64



Extract from RFC 2459, "Internet X.509 Public Key Infrastructure - Certificate and CRL Profile":

http://www.ietf.org/rfc/rfc2459.txt


4.1  Basic Certificate Fields


   The X.509 v3 certificate basic syntax is as follows.  For signature
   calculation, the certificate is encoded using the ASN.1 distinguished
   encoding rules (DER) [X.208].  ASN.1 DER encoding is a tag, length,
   value encoding system for each element.

   Each extension includes an OID and an ASN.1 structure.  When an
   extension appears in a certificate, the OID appears as the field
   extnID and the corresponding ASN.1 encoded structure is the value of
   the octet string extnValue.

   Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING  }


4.2  Standard Certificate Extensions

   The extensions defined for X.509 v3 certificates provide methods for
   associating additional attributes with users or public keys and for
   managing the certification hierarchy.  The X.509 v3 certificate
   format also allows communities to define private extensions to carry
   information unique to those communities.  Each extension in a
   certificate may be designated as critical or non-critical.  A
   certificate using system MUST reject the certificate if it encounters
   a critical extension it does not recognize; however, a non-critical
   extension may be ignored if it is not recognized.
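As an added example (not code from this page, from OpenSSL or from the RFC), the following Python walks the Extensions structure quoted above by hand: it reads DER tag-length-value elements, decodes each Extension SEQUENCE (the extnID OID, the optional critical BOOLEAN that takes its DEFAULT FALSE when absent, and the extnValue OCTET STRING), decodes the Key Usage bits that the OpenSSL output above shows as "Digital Signature, Key Encipherment", and applies the RFC rule: reject the certificate on an unrecognized critical extension, ignore an unrecognized non-critical one. The sample bytes, the Subject Key Identifier value and the private extension under OID 1.2.3.4 are constructed for this example; the parser handles only what an Extensions block needs, not ASN.1 in general.

```python
from typing import Dict, List, Tuple

TAG_BOOLEAN, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x03, 0x04, 0x06, 0x30

# Constructed sample input (not taken from a real certificate): a DER-encoded
# Extensions SEQUENCE holding three Extension SEQUENCEs:
#   1. Key Usage (2.5.29.15), critical, bits digitalSignature + keyEncipherment
#   2. Subject Key Identifier (2.5.29.14); critical is omitted, so DEFAULT FALSE
#   3. a made-up private extension under placeholder OID 1.2.3.4, marked critical
SAMPLE_EXTENSIONS_DER = bytes.fromhex(
    "302d"
    "300e" "0603551d0f" "0101ff" "0404030205a0"
    "300d" "0603551d0e" "04060404a196a80e"
    "300c" "06032a0304" "0101ff" "04020500"
)

# Extensions an application in this example claims to understand.
KNOWN_EXTENSIONS = {"2.5.29.15": "Key Usage", "2.5.29.14": "Subject Key Identifier"}

# KeyUsage BIT STRING positions, bit 0 first (RFC 2459 section 4.2.1.3).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value element at pos; return (tag, value, next pos).
    Handles the short length form (< 128) and the long form (0x81, 0x82, ... prefix)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        num_len_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_len_bytes], "big")
        pos += num_len_bytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content: first byte packs arcs 1 and 2, rest are base-128."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der: bytes) -> List[Dict]:
    """Parse Extensions ::= SEQUENCE OF Extension into dicts with oid, critical, value."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid_bytes, p = read_tlv(ext, 0)
        if tag != TAG_OID:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        tag, value, p = read_tlv(ext, p)
        critical = False               # BOOLEAN DEFAULT FALSE: absent means False
        if tag == TAG_BOOLEAN:
            critical = value != b"\x00"
            tag, value, p = read_tlv(ext, p)
        if tag != TAG_OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        exts.append({"oid": decode_oid(oid_bytes), "critical": critical, "value": value})
    return exts


def key_usage_names(extn_value: bytes) -> List[str]:
    """Key Usage extnValue wraps a BIT STRING; name each set bit, MSB of byte 1 being bit 0."""
    tag, bits, _ = read_tlv(extn_value, 0)
    if tag != TAG_BIT_STRING:
        raise ValueError("Key Usage value must be a BIT STRING")
    total_bits = (len(bits) - 1) * 8 - bits[0]      # bits[0] = number of unused trailing bits
    return [KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if bits[1 + i // 8] & (0x80 >> (i % 8))]


def check_critical_extensions(exts: List[Dict], known: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Apply the RFC rule: unrecognized critical -> reject; unrecognized non-critical -> ignore."""
    problems, notes = [], []
    for e in exts:
        if e["oid"] in known:
            continue
        if e["critical"]:
            problems.append(f"unrecognized critical extension {e['oid']}: certificate must be rejected")
        else:
            notes.append(f"unrecognized non-critical extension {e['oid']}: ignored")
    return (not problems, problems + notes)


if __name__ == "__main__":
    exts = parse_extensions(SAMPLE_EXTENSIONS_DER)
    for e in exts:
        label = KNOWN_EXTENSIONS.get(e["oid"], "unknown")
        print(f"{e['oid']} ({label}) critical={e['critical']} value={e['value'].hex()}")
    print("key usage:", key_usage_names(exts[0]["value"]))
    accepted, reasons = check_critical_extensions(exts, KNOWN_EXTENSIONS)
    print("accepted:", accepted, reasons)
```

Dropping the third extension from the sample (or clearing its critical byte from FF to 00) makes the check accept the certificate, which is exactly the difference the criticality flag encodes.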



Windows CRL caching

By default, both downloaded CRLs and OCSP responses are cached by a Windows client. If a
time-valid version of the CRL or OCSP response exists in the cache, the client will use the
cached version rather than downloading an updated CRL or submitting a new OCSP request. 

Caching related configuration is defined in the following registry hive:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

The binary value ChainCacheResyncFiletime under that key defines the time at which the cache will be cleared.

Force the cache to be cleared:

c:\> certutil -setreg chain\ChainCacheResyncFiletime @now

Force the cache to clear in 1 hour:

c:\> certutil -setreg chain\ChainCacheResyncFiletime @now+0:1

View current cache life time config:

c:\> certutil -getreg chain\ChainCacheResyncFiletime
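As an added example (not from this page or from Microsoft), the Python below decodes and builds the value those certutil commands read and write. It assumes, consistent with the value's name and with certutil's @now syntax, that ChainCacheResyncFiletime holds a Windows FILETIME: a 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00 UTC, stored as 8 little-endian bytes. The sample value used in the usage section is constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the registry value is a FILETIME, i.e. 100 ns ticks since this epoch,
# laid out as 8 little-endian bytes (the in-memory form of a 64-bit FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (sub-microsecond part is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def decode_resync_value(raw: bytes) -> datetime:
    """Decode the 8-byte ChainCacheResyncFiletime value into the scheduled resync time."""
    if len(raw) != 8:
        raise ValueError("FILETIME value must be exactly 8 bytes")
    return filetime_to_datetime(int.from_bytes(raw, "little"))


def encode_resync_value(now: datetime, days: int = 0, hours: int = 0) -> bytes:
    """Build the bytes certutil -setreg would write for '@now+dd:hh' (days:hours offset)."""
    return datetime_to_filetime(now + timedelta(days=days, hours=hours)).to_bytes(8, "little")


def resync_is_due(raw: bytes, now: datetime) -> bool:
    """True once the current time has reached the scheduled resync time."""
    return now.astimezone(timezone.utc) >= decode_resync_value(raw)


if __name__ == "__main__":
    # Constructed example: schedule a resync one hour after a fixed reference time,
    # the equivalent of "certutil -setreg chain\ChainCacheResyncFiletime @now+0:1".
    reference = datetime(2020, 1, 1, tzinfo=timezone.utc)
    raw = encode_resync_value(reference, hours=1)
    print("registry bytes:", raw.hex())
    print("resync scheduled for:", decode_resync_value(raw).isoformat())
    print("due at reference time?", resync_is_due(raw, reference))
```

Reading the live value on a host is a matter of taking the REG_BINARY bytes from the key named above and passing them to decode_resync_value; the functions themselves are platform-independent, so the same code can be used to inspect a value exported from another machine.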