| CERTIFICATE TYPE | EXTENSION | CRITICAL? | VALUE |
|---|---|---|---|
| Top Level (SMI Root) CA | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Top Level (SMI Root) CA | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Top Level (SMI Root) CA | certificatePolicies | No | policyIdentifier=to be set by the issuing CA; cpsURI=to be set by the issuing CA; policyIdentifier=2.16.840.1.113536.509.2527 |
| Top Level (SMI Root) CA | basicConstraints | No | cA=TRUE |
| Top Level (SMI Root) CA | cRLDistributionPoints | No | distributionPoint=to be set by the issuing CA; cRLIssuer=to be set by the issuing CA |
| Top Level (SMI Root) CA | keyUsage | Yes | keyCertSign=1, cRLSign=1; all other bits 0 |
| Subordinate CA | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Subordinate CA | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Subordinate CA | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html |
| Subordinate CA | basicConstraints | Yes | cA=TRUE, pathLenConstraint=1 |
| Subordinate CA | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pkirootca.crl; cRLIssuer=<subject DN of SMI Root CA> |
| Subordinate CA | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| Subordinate CA | keyUsage | Yes | keyCertSign=1, cRLSign=1; all other bits 0 |
| SSL Webserver | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Webserver | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Webserver | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| SSL Webserver | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| SSL Webserver | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| SSL Webserver | subjectAltName | No | {dNSName=<fully qualified hostname>}*; otherName=<PrincipalID> |
| SSL Webserver | keyUsage | Yes | digitalSignature=1, keyEncipherment=1; all other bits 0 |
| SSL Webserver | extKeyUsage | No | serverAuth (OID=1.3.6.1.5.5.7.3.1) |
| IPsec/IKE Host | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| IPsec/IKE Host | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| IPsec/IKE Host | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| IPsec/IKE Host | cRLDistributionPoints | No | distributionPoint=http://pki.central.sun.com/pki<sub>ca.crl, http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| IPsec/IKE Host | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| IPsec/IKE Host | subjectAltName | No | {dNSName=<FQDN> \| iPAddress=<IPaddress>}+; otherName=<PrincipalID> |
| IPsec/IKE Host | keyUsage | Yes | digitalSignature=1, keyEncipherment=1; all other bits 0 |
| SSL Application Server | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Application Server | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Application Server | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| SSL Application Server | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| SSL Application Server | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| SSL Application Server | subjectAltName | No | {dNSName=<fully qualified hostname>}*; otherName=<PrincipalID> |
| SSL Application Server | keyUsage | Yes | digitalSignature=1, keyEncipherment=1; all other bits 0 |
| SSL Application Server | extKeyUsage | No | serverAuth (OID=1.3.6.1.5.5.7.3.1); clientAuth (OID=1.3.6.1.5.5.7.3.2) |
| SSL Application Client (SMI) | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Application Client (SMI) | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Application Client (SMI) | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| SSL Application Client (SMI) | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| SSL Application Client (SMI) | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| SSL Application Client (SMI) | subjectAltName | No | otherName=<PrincipalID> |
| SSL Application Client (SMI) | keyUsage | Yes | digitalSignature=1; all other bits 0 |
| SSL Application Client (SMI) | extKeyUsage | No | clientAuth (OID=1.3.6.1.5.5.7.3.2) |
| SSL Application Client (Partner) | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Application Client (Partner) | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| SSL Application Client (Partner) | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| SSL Application Client (Partner) | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| SSL Application Client (Partner) | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| SSL Application Client (Partner) | subjectAltName | No | otherName=<PrincipalID> |
| SSL Application Client (Partner) | keyUsage | Yes | digitalSignature=1; all other bits 0 |
| SSL Application Client (Partner) | extKeyUsage | No | clientAuth (OID=1.3.6.1.5.5.7.3.2) |
| Object Signing (SMI) | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Object Signing (SMI) | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Object Signing (SMI) | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| Object Signing (SMI) | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| Object Signing (SMI) | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| Object Signing (SMI) | subjectAltName | No | otherName=<PrincipalID> |
| Object Signing (SMI) | keyUsage | Yes | digitalSignature=1; all other bits 0 |
| Object Signing (SMI) | extKeyUsage | No | codeSigning (OID=1.3.6.1.5.5.7.3.3) |
| Object Signing (SMI) | NSCertType | No | objectSigning (bit 3) |
| Object Signing (Partner) | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Object Signing (Partner) | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| Object Signing (Partner) | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| Object Signing (Partner) | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| Object Signing (Partner) | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| Object Signing (Partner) | subjectAltName | No | otherName=<PrincipalID> |
| Object Signing (Partner) | keyUsage | Yes | digitalSignature=1; all other bits 0 |
| Object Signing (Partner) | extKeyUsage | No | codeSigning (OID=1.3.6.1.5.5.7.3.3) |
| Object Signing (Partner) | NSCertType | No | objectSigning (bit 3) |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | subjectAltName | No | rfc822Name=First.{M.}Last@Sun.COM; otherName=<PrincipalID> |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | keyUsage | Yes | digitalSignature=1; all other bits 0 |
| People: SMI Employee (Contractor, Temporary, etc.), Authentication | extKeyUsage | No | clientAuth (OID=1.3.6.1.5.5.7.3.2); emailProtection (OID=1.3.6.1.5.5.7.3.4) |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | subjectAltName | No | rfc822Name=First.{M.}Last@Sun.COM; otherName=<PrincipalID> |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | keyUsage | Yes | keyEncipherment=1, dataEncipherment=1; all other bits 0 |
| People: SMI Employee (Contractor, Temporary, etc.), Encryption | extKeyUsage | No | emailProtection (OID=1.3.6.1.5.5.7.3.4) |
| People: Partner | authorityKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| People: Partner | subjectKeyIdentifier | No | see RFC3280; to be set by the issuing CA |
| People: Partner | certificatePolicies | No | policyIdentifier=2.16.840.1.113536.509.2527; cpsURI=http://www.sun.com/pki/cps.html; userNotice/explicitText=<Classification Notice> |
| People: Partner | cRLDistributionPoints | No | distributionPoint=http://www.sun.com/pki/pki<sub>ca.crl; cRLIssuer=<subject DN of issuing CA> |
| People: Partner | authorityInfoAccess | No | accessLocation=http://va.sun.com, http://va.central.sun.com |
| People: Partner | subjectAltName | No | otherName=<PrincipalID> |
| People: Partner | keyUsage | Yes | digitalSignature=1; all other bits 0 |
| People: Partner | extKeyUsage | No | clientAuth (OID=1.3.6.1.5.5.7.3.2) |

keyUsage bits are listed in the profile in RFC3280 order: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly.
NOTES:
Notation: { <item> }* is used for a sequence of zero or more instances of <item>, { <item> }+ for a sequence of one or more instances of <item>, | denotes an alternative or choice, and <FQDN> stands for fully qualified domain name, a hostname in the "preferred name syntax" specified by RFC1034.
Items listed in magenta are optional. Items listed in green are recent additions required by Sun Certificate Policy [4].
Extensions listed in blue are required by some versions of Netscape/iPlanet software [3]. These extensions are nonstandard and will likely be eliminated in the future.
The OCSP-specific authorityInfoAccess extension is classified as private in [2]. All the other extensions except those in blue are standard as per [1] and [2].
The issuing CA for Sun's top level (SMI Root) CA is GTE CyberTrust Root operated by Baltimore Technologies plc.
People/Partner certificates are to be used exclusively for SSL client side authentication (note that they are not S/MIME enabled).
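The keyUsage column is the one part of the profile that is both critical in every certificate type and easy to get subtly wrong, because the extension is a DER BIT STRING whose bit 0 (digitalSignature) is the most significant bit of the first content byte and whose trailing zero bits must be dropped. The following pure-Python example is an added illustration, not part of the profile document or of any Sun tooling: it encodes a keyUsage extension (OID, optional critical BOOLEAN, OCTET STRING wrapping the BIT STRING) per X.690/RFC3280 rules, decodes it back, and checks the result against the bit requirements transcribed from the table above. The PROFILE_KEY_USAGE keys are my own labels for the table's certificate types, and the sample "bad" extension in the main block is constructed for the demonstration. It goes slightly beyond the table by also handling decipherOnly, the only bit that needs a second byte.

```python
"""Encode, decode and profile-check the X.509 keyUsage extension (no third-party modules)."""

# keyUsage NamedBitList in RFC3280 order; bit 0 is the MSB of the first BIT STRING byte
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = "2.5.29.15"

# Bits each certificate type must set, transcribed from the profile table (labels are mine)
PROFILE_KEY_USAGE = {
    "Top Level (SMI Root) CA": {"keyCertSign", "cRLSign"},
    "Subordinate CA": {"keyCertSign", "cRLSign"},
    "SSL Webserver": {"digitalSignature", "keyEncipherment"},
    "IPsec/IKE Host": {"digitalSignature", "keyEncipherment"},
    "SSL Application Server": {"digitalSignature", "keyEncipherment"},
    "SSL Application Client": {"digitalSignature"},
    "Object Signing": {"digitalSignature"},
    "People (Authentication)": {"digitalSignature"},
    "People (Encryption)": {"keyEncipherment", "dataEncipherment"},
    "People (Partner)": {"digitalSignature"},
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_key_usage_bits(names) -> bytes:
    """BIT STRING for a NamedBitList: first byte counts unused bits; trailing zero bits are dropped (DER)."""
    idx = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not idx:
        return _tlv(0x03, b"\x00")
    nbits = idx[-1] + 1
    nbytes = (nbits + 7) // 8
    buf = bytearray(nbytes)
    for i in idx:
        buf[i // 8] |= 0x80 >> (i % 8)
    return _tlv(0x03, bytes([8 * nbytes - nbits]) + bytes(buf))


def encode_key_usage_extension(names, critical: bool = True) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = _encode_oid(KEY_USAGE_OID)
    if critical:  # DEFAULT FALSE: DER omits the BOOLEAN unless it is TRUE
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, encode_key_usage_bits(names))
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_key_usage_extension(der: bytes):
    """Return (critical, set of bit names) from a DER-encoded keyUsage Extension."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06 or _decode_oid(oid) != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    critical = False
    tag, val, pos = _read_tlv(seq, pos)
    if tag == 0x01:  # optional critical flag present
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = _read_tlv(val, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    total = 8 * (len(bits) - 1) - bits[0]  # bits[0] is the unused-bit count
    names = {KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
             if bits[1 + i // 8] & (0x80 >> (i % 8))}
    return critical, names


def check_key_usage(cert_type: str, ext_der: bytes) -> list:
    """List every way a keyUsage extension deviates from the profile row for cert_type."""
    expected = PROFILE_KEY_USAGE[cert_type]
    critical, actual = decode_key_usage_extension(ext_der)
    findings = [] if critical else ["keyUsage must be marked critical"]
    findings += [f"unexpected bit set: {b}" for b in sorted(actual - expected)]
    findings += [f"required bit missing: {b}" for b in sorted(expected - actual)]
    return findings


if __name__ == "__main__":
    # Constructed sample: a webserver keyUsage issued non-critical and with keyCertSign set
    bad = encode_key_usage_extension({"digitalSignature", "keyEncipherment", "keyCertSign"}, critical=False)
    print(bad.hex())
    for finding in check_key_usage("SSL Webserver", bad):
        print("-", finding)
```

The encoder reproduces the familiar byte patterns an auditor sees in `openssl asn1parse` output: `03 02 05 a0` for digitalSignature+keyEncipherment and `03 02 01 06` for keyCertSign+cRLSign. Running `check_key_usage` over every end-entity certificate a CA has issued is a cheap way to catch the two mistakes the profile's "Yes" in the CRITICAL? column is meant to prevent: a keyUsage that relying parties may ignore because it is non-critical, and a leaf certificate that carries keyCertSign.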
REFERENCES:
[1] ITU-T Recommendation X.509 (1997 E): Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, June 1997.
[2] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC3280 (available from http://www.ietf.org).
[3] Sun Product Documentation - Sun ONE Certificate Server 4.7, and especially Certificate Management System Plug-ins Guide 4.7, Appendix C: Certificate and CRL Extensions (available from http://docs.sun.com).
[4] Sun Certificate Policy, SunIT, November 2000.