Extensions are used to associate additional information with the user or the key.
Each certificate extension has three attributes: extnID, critical and extnValue.
extnID - Extension ID - an OID that identifies the extension and defines the format and meaning of its value
critical - Critical flag - a Boolean value (False by default)
extnValue - Extension value - the DER-encoded extension data, carried inside an OCTET STRING
The criticality flag specifies whether an application must understand the extension in order to use the certificate. If an application does not recognize an extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False), an application that does not recognize it may ignore it.
In Windows, critical extensions are marked with a yellow exclamation mark.
View certificate extensions using OpenSSL (output abbreviated):
# openssl x509 -inform pem -in cert.pem -text -noout
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                A1:96:A8:0E:32:4B:F6:BE:23:33:42:46:55:8A:72:64
Extract from RFC "Internet X.509 Public Key Infrastructure - Certificate and CRL Profile"
http://www.ietf.org/rfc/rfc2459.txt
4.1 Basic Certificate Fields
The X.509 v3 certificate basic syntax is as follows. For signature
calculation, the certificate is encoded using the ASN.1 distinguished
encoding rules (DER) [X.208]. ASN.1 DER encoding is a tag, length,
value encoding system for each element.
Each extension includes an OID and an ASN.1 structure. When an
extension appears in a certificate, the OID appears as the field
extnID and the corresponding ASN.1 encoded structure is the value of
the octet string extnValue.
   Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING  }
4.2 Standard Certificate Extensions
The extensions defined for X.509 v3 certificates provide methods for
associating additional attributes with users or public keys and for
managing the certification hierarchy. The X.509 v3 certificate
format also allows communities to define private extensions to carry
information unique to those communities. Each extension in a
certificate may be designated as critical or non-critical. A
certificate using system MUST reject the certificate if it encounters
a critical extension it does not recognize; however, a non-critical
extension may be ignored if it is not recognized.
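As an added example (not part of the original page or of the RFC), the following Python decodes a DER Extensions SEQUENCE by hand using the tag-length-value rule and the ASN.1 definition above, then applies the section 4.2 criticality rule. The input bytes are constructed to mirror the openssl output above; the OID 1.2.3.4 is a placeholder standing in for a private extension the verifier does not recognize.

```python
def read_tlv(buf, pos):
    """Parse one DER tag-length-value element; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OID content bytes to dotted form, e.g. 55 1d 0f -> '2.5.29.15'."""
    first = content[0]
    arcs, value = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(extnID, critical, extnValue)] from an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        t, oid, p = read_tlv(ext, 0)
        assert tag == 0x30 and t == 0x06, "Extension must be SEQUENCE { OID, ... }"
        t, val, p = read_tlv(ext, p)
        critical = t == 0x01 and val == b"\xff"   # BOOLEAN DEFAULT FALSE: omitted when False
        if t == 0x01:
            t, val, p = read_tlv(ext, p)         # step past the BOOLEAN to extnValue
        assert t == 0x04, "extnValue must be an OCTET STRING"
        result.append((decode_oid(oid), critical, val))
    return result

KNOWN = {"2.5.29.15": "Key Usage", "2.5.29.14": "Subject Key Identifier"}  # what we implement
def accept(extensions):
    """RFC 2459 4.2 rule: unknown critical -> reject; unknown non-critical -> ignore."""
    for oid, critical, _ in extensions:
        if critical and oid not in KNOWN:
            return False, f"unrecognized critical extension {oid}"
    return True, "ok"

def tlv(tag, content): return bytes([tag, len(content)]) + content   # builder, short-form length only
# Constructed input matching the openssl output above: critical Key Usage BIT STRING with
# digitalSignature+keyEncipherment (05 a0), and the Subject Key Identifier shown.
KEY_USAGE = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x05\xa0")))
SKI = tlv(0x30, tlv(0x06, b"\x55\x1d\x0e") + tlv(0x04, tlv(0x04, bytes.fromhex("A196A80E324BF6BE23334246558A7264"))))
# Hypothetical private extension under placeholder OID 1.2.3.4, flagged critical (value NULL).
PRIVATE = tlv(0x30, tlv(0x06, b"\x2a\x03\x04") + tlv(0x01, b"\xff") + tlv(0x04, b"\x05\x00"))
GOOD_EXTS = tlv(0x30, KEY_USAGE + SKI)            # accepted: both extensions recognized
BAD_EXTS = tlv(0x30, KEY_USAGE + SKI + PRIVATE)   # rejected: unrecognized critical extension
```

Run accept(parse_extensions(GOOD_EXTS)) and accept(parse_extensions(BAD_EXTS)) to see the two outcomes; the same parser works on the Extensions field of a real DER certificate once you have located it.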