Chapter 4. Certificate Manager
The signing algorithm specified in the certificate profile configuration overrides the algorithm set
here.
4. Click Save.
4.8. Setting Restrictions on CA Certificates through Certificate Extensions
When a subordinate CA is created, the root CA can generate a CA signing certificate with restrictions
on the types of certificates that the subordinate CA can sign with that signing certificate. These
restrictions are configured as constraints in the CA signing certificate profile. The default CA
signing certificate request profile is the caCACert profile. By default, there are no restrictions on the
types of certificates that can be signed. The type restrictions are set through the Basic Constraints or
through the Key Usage or Extended Key Usage extensions.
NOTE
Subordinate CA signing certificates can have constraints for the types of extensions which
they can attach to a certificate. It is possible for a subordinate CA to issue certificates
that violate these constraints, but a client authenticating a certificate that violates those
constraints will not accept that certificate.
All CA certificates should contain the basicConstraints extension, as this is the standard way to
identify a CA certificate.
Extensions Present
Only basicConstraints
Only a key usage extension
Neither extension
Both extensions
A certificate chain generally consists of an entity certificate, zero or more intermediate CA certificates,
and a root CA certificate. Typically, the root CA certificate is self-signed and is loaded into a certificate
database as a trusted CA.
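The client-side rejection described in the NOTE above, applied to a chain of the shape just described, as an added example that is not part of the original manual. It is a simplified model of the RFC 5280 path-validation checks on basicConstraints and key usage (an assumption; the manual does not say which rules a given client applies, and it also covers the path length field of basicConstraints, which the manual does not mention). The Cert class, check_chain and all sample certificates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Cert:
    """Constructed stand-in for the extension fields read from a parsed certificate."""
    subject: str
    is_ca: Optional[bool] = None          # basicConstraints cA flag; None = extension absent
    path_len: Optional[int] = None        # basicConstraints pathLenConstraint; None = no limit
    key_usage: Optional[Set[str]] = None  # None = key usage extension absent
    self_issued: bool = False

def check_chain(chain: List[Cert]) -> List[str]:
    """chain[0] is the entity certificate, chain[-1] the trusted root CA.
    Returns the constraint violations found; an empty list means none."""
    problems = []
    for i, ca in enumerate(chain[1:], start=1):
        # Every issuer in the chain must be marked as a CA.
        if ca.is_ca is not True:
            problems.append(f"{ca.subject}: basicConstraints missing or cA=FALSE")
        # If key usage is present, it must allow certificate signing.
        if ca.key_usage is not None and "keyCertSign" not in ca.key_usage:
            problems.append(f"{ca.subject}: key usage lacks keyCertSign")
        # pathLenConstraint limits the non-self-issued CA certificates that
        # sit between this CA and the entity certificate.
        below = sum(1 for c in chain[1:i] if not c.self_issued)
        if ca.path_len is not None and below > ca.path_len:
            problems.append(f"{ca.subject}: path length {ca.path_len} exceeded ({below} CAs below)")
    return problems

# Constructed sample certificates.
ROOT = Cert("Root CA", is_ca=True, key_usage={"keyCertSign", "cRLSign"}, self_issued=True)
SUB = Cert("Subordinate CA", is_ca=True, path_len=0, key_usage={"keyCertSign", "cRLSign"})
SECOND = Cert("Second-level CA", is_ca=True, key_usage={"keyCertSign"})
LEAF = Cert("server.example.test", is_ca=False, key_usage={"digitalSignature"})
OTHER = Cert("other.example.test", is_ca=False, key_usage={"digitalSignature"})

if __name__ == "__main__":
    cases = {
        "entity <- subordinate <- root": [LEAF, SUB, ROOT],
        "subordinate (pathLen 0) signed another CA": [LEAF, SECOND, SUB, ROOT],
        "entity certificate used as an issuer": [OTHER, LEAF, ROOT],
    }
    for name, chain in cases.items():
        found = check_chain(chain)
        print(name, "->", "accepted" if not found else found)
```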
An exchange of certificates takes place when performing an SSL handshake, when sending an S/MIME
message, or when sending a signed object. As part of the handshake, the sender is expected to
send the subject certificate and any intermediate CA certificates needed to link the subject certificate