Netscape-Defined Certificate Extensions - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Netscape-Defined Certificate Extensions

CS Version Support
Supported since CS 4.2. Refer to "CRLReason" on page 584.
Netscape-Defined Certificate Extensions
Netscape defined certain certificate extensions for use with Navigator and Communicator.
Some of the extensions that have been defined are now obsolete, and others can be
superseded by the extensions defined in the X.509 proposed standard. All Red Hat
extensions should be tagged as noncritical, so that their presence in a certificate does not
make that certificate incompatible with other clients.
The specifications for all Netscape-defined extensions are defined at
http://home.netscape.com/eng/security/comm4-cert-exts.html
CS deployments, only
supported to maintain compatibility with Navigator 3.x. Therefore, only these two Red Hat
certificate extensions are described here.
netscape-cert-type
OID
2.16.840.1.113730.1
Discussion
The
Netscape
certificate can be used. It has been replaced by the X.509 v3 extensions extKeyUsage and
basicConstraints, but must still be supported in deployments that include Navigator 3.x
clients.
If the extension exists in a certificate, it limits the certificate to the uses specified in it. If the
extension is not present, the certificate can be used for all applications except object
signing.
The value is a bit-string, where the individual bit positions, when set, certify the certificate
for particular uses as follows:
• bit 0: SSL Client certificate
• bit 1: SSL Server certificate
• bit 2: S/MIME certificate
• bit 3: Object-signing certificate
• bit 4: Reserved for future use
748 Red Hat Certificate System Administrator's Guide • September 2005
netscape-cert-type
Certificate Type extension can be used to limit the purposes for which a
and
netscape-comment
. For most
need to be