Appendix A. Certificate and CRL Extensions
The X.509 v3 specification addressed these issues by altering the certificate format to include
additional information within a certificate by defining a general format for certificate extensions and
specifying extensions that can be included in the certificate. The extensions defined for X.509 v3
certificates enable additional attributes to be associated with users or public keys and manage
the certification hierarchy. The Internet X.509 Public Key Infrastructure Certificate and CRL Profile
recommends a set of extensions to use for Internet certificates and standard locations for certificate or
CA information. These extensions are called standard extensions.
NOTE
For more information on standard extensions, see http://www.ietf.org/rfc/rfc2459.txt,
http://www.ietf.org/rfc/rfc3280.txt, and http://www.ietf.org/rfc/rfc3279.txt for the RFCs that
describe extensions.
The X.509 v3 standard for certificates allows organizations to define custom extensions and include
them in certificates. These extensions are called private, proprietary, or custom extensions, and
they carry information unique to an organization or business. Applications may not be able to validate
certificates that contain private critical extensions, so it is not recommended that these be used in
widespread situations.
Before the X.509 v3 standard was finalized, Netscape and other companies had to address some
of the most pressing issues with their own extension definitions. For example, applications such as
Netscape Navigator and Enterprise Server supported an extension known as the Netscape Certificate
Type Extension that specifies the type of certificate issued, such as client, server, or email. To maintain
compatibility with older versions of browsers that were released before the X.509 v3 specification was
finalized, certain kinds of certificates should include some of these Netscape extensions.
The X.500 and X.509 specifications are controlled by the International Telecommunication Union
(ITU), an international organization that primarily serves large telecommunication companies,
government organizations, and other entities concerned with the international telecommunications
network. The Internet Engineering Task Force (IETF), which controls many of the standards that
underlie the Internet, is currently developing public-key infrastructure X.509 (PKIX) standards. These
proposed standards further refine the X.509 v3 approach to extensions for use on the Internet. The
recommendations for certificates and CRLs have reached proposed standard status and are in a
document referred to as PKIX Part 1.
Two other standards, Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules
(DER), are used with Certificate System and certificates in general. These are specified in the CCITT
Recommendations X.208 and X.209. For a quick summary of ASN.1 and DER, see A Layman's
Guide to a Subset of ASN.1, BER, and DER, which is available at RSA Laboratories' web site,
www.rsa.com.
A.1.1. Structure of Certificate Extensions
In RFC 2459, an X.509 certificate extension is defined as follows:
    Extension ::= SEQUENCE {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
    }
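As an added example (not code from the Certificate System guide or any RFC), the following Python decodes a single DER-encoded Extension using exactly the three fields defined above and applies the rule stated earlier in this appendix: an extension the application does not recognise may be skipped only when it is not critical. The sample encodings and the small table of recognised OIDs are constructed for this example; the Netscape Certificate Type OID is the real one, and its critical variant is hand-made to show the validation failure the text warns about.

```python
def _read_tlv(buf, pos):  # -> (tag, contents, next_pos) for the DER TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # OBJECT IDENTIFIER contents -> dotted form, e.g. "2.5.29.19"
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on every byte but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extension(der):  # one DER Extension -> {"oid", "critical", "value"}
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False  # DEFAULT FALSE: DER omits the field entirely when it is FALSE
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:  # BOOLEAN present, so it must be TRUE, which DER encodes as 0xFF
        if val != b"\xff":
            raise ValueError("critical is not DER-encoded")
        critical = True
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return {"oid": _decode_oid(oid_raw), "critical": critical, "value": val}

KNOWN = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage"}  # what this verifier understands
def check_extension(der):  # the rule from the text: skip an unknown extension only if non-critical
    ext = parse_extension(der)
    name = KNOWN.get(ext["oid"])
    if name is None and ext["critical"]:
        return "reject: unknown critical extension " + ext["oid"]
    return ("process: " + name) if name else ("ignore: " + ext["oid"])

# Constructed sample encodings, hand-built for this example; basicConstraints (2.5.29.19),
# critical, extnValue = SEQUENCE { cA TRUE }
BASIC_CONSTRAINTS_CA = bytes.fromhex("300f0603551d130101ff040530030101ff")
# Netscape Certificate Type (SSL client bit set), non-critical, the browser-era private extension
NS_CERT_TYPE = bytes.fromhex("301106096086480186f8420101040403020780")
# the same private extension marked critical: a verifier that does not know it cannot proceed
NS_CERT_TYPE_CRITICAL = bytes.fromhex("301406096086480186f84201010101ff040403020780")
if __name__ == "__main__":
    print([check_extension(s) for s in (BASIC_CONSTRAINTS_CA, NS_CERT_TYPE, NS_CERT_TYPE_CRITICAL)])
```

Running the block prints the three verdicts; the first sample is processed, the second ignored, and the third rejected because a critical extension this verifier does not understand cannot be validated.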