Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual page 736

Standard X.509 v3 Certificate Extensions
Criticality
PKIX Part 1 recommends that this extension be marked noncritical.
Discussion
The Issuer Alternative Name extension is used to associate Internet-style identities with the
certificate issuer. Names must use the forms defined for subjectAltName.
CS Version Support
Supported since CS 4.2. Refer to "IssuerAltNameExt" on page 510.
keyUsage
OID
2.5.29.15
Criticality
This extension may be critical or noncritical. PKIX Part 1 recommends that it should be
marked critical if it is used.
Discussion
The Key Usage extension defines the purpose of the key contained in the certificate. The
Key Usage, Extended Key Usage, Basic Constraints, and
extensions act together to specify the purposes for which a certificate can be used. For more
information on interactions between these extensions in CA certificates, see "CA
Certificates and Extension Interactions" on page 749.
If this extension is included at all, set the bits as follows:
•
digitalSignature
object-signing certificates.
•
nonRepudiation
certificates. Note, however, that the use of this bit is controversial. You should
carefully consider the legal consequences of its use before setting it for any certificate.
•
keyEncipherment
certificates.
•
dataEncipherment
(as opposed to key material).
•
keyAgreement
•
keyCertSign
•
cRLSign
736 Red Hat Certificate System Administrator's Guide • September 2005
( ) for SSL client certificates, S/MIME signing certificates, and
0
( ) for some S/MIME signing certificates and object-signing
1
( ) for SSL server certificates and S/MIME encryption
2
( ) when the subjects's public key is used to encipher user data
3
( ) whenever the subject's public key is used for key agreement.
4
( ) for all CA signing certificates
5
( ) for CA signing certificates that are used to sign CRLs
6
Certificate Type
Netscape