• bit 5: SSL CA certificate
• bit 6: S/MIME CA certificate
• bit 7: Object-signing CA certificate
CS Version Support
Supported since CS 4.1. Refer to "NSCertTypeExt" on page 527.
netscape-comment
OID
2.16.840.1.113730.13
Discussion
The value of this extension is an IA5String. It is a comment that can be displayed to the user
when the certificate is viewed.
CS Version Support
Supported since CS 4.2. Refer to "NSCCommentExt" on page 526.
CA Certificates and Extension Interactions
Red Hat recommends that all CA certificates contain the basicConstraints extension,
as this is the standard way to identify a CA certificate. In addition, to ensure support for
Navigator 3.x, CAs should also use redhat-cert-type. These two extensions can
interact with each other. The following table describes what different combinations of the
two extensions mean.

Extensions Present       Description
Only basicConstraints    The certificate is a CA certificate if the cA component is true. Path
                         length processing is done as described above.
Only redhat-cert-type    The certificate is a CA if at least one of the CA bits is set: SSL CA
                         (5), S/MIME CA (6), or object-signing CA (7). The certificates
                         issued by this CA are limited to the particular applications
                         specified. Path length processing is done as though the
                         pathLenConstraint is unlimited.
Neither extension        The certificate is not a CA.

Appendix G
Certificate and CRL Extensions
749
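The three table rows above as a decision function, added here as an example that is not part of the original guide. It takes the raw DER BIT STRING value of redhat-cert-type, where bit 0 is the most significant bit of the first content byte; the names decode_bit_string, classify and Verdict are hypothetical, and the case with both extensions present is rejected because that row is not shown in the table above.

```python
from typing import NamedTuple, Optional, Tuple

# CA bits from the list above: 5 = SSL CA, 6 = S/MIME CA, 7 = object-signing CA.
CA_BITS = {5: "SSL CA", 6: "S/MIME CA", 7: "object-signing CA"}

class Verdict(NamedTuple):            # hypothetical result type
    is_ca: bool
    uses: Tuple[str, ...]             # applications the CA is limited to; () = no limit stated
    path_len: Optional[int]           # None = unlimited or not applicable

def decode_bit_string(der: bytes) -> set:
    """Set bit numbers of a short-form DER BIT STRING (bit 0 = MSB of first content byte)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}

def classify(basic_constraints: Optional[Tuple[bool, Optional[int]]],
             cert_type_der: Optional[bytes]) -> Verdict:
    """basic_constraints is (cA, pathLenConstraint), or None if the extension is absent."""
    if basic_constraints is not None and cert_type_der is not None:
        raise NotImplementedError("both extensions present: row not shown in the table above")
    if basic_constraints is not None:          # row "Only basicConstraints"
        ca, path_len = basic_constraints
        return Verdict(bool(ca), (), path_len if ca else None)
    if cert_type_der is not None:              # row "Only redhat-cert-type"
        bits = decode_bit_string(cert_type_der)
        uses = tuple(name for bit, name in sorted(CA_BITS.items()) if bit in bits)
        return Verdict(bool(uses), uses, None)  # path length treated as unlimited
    return Verdict(False, (), None)            # row "Neither extension"

# Constructed sample values (not taken from real certificates).
SSL_AND_SMIME_CA = bytes.fromhex("03020106")   # bits 5 and 6 set, 1 unused bit
BIT0_ONLY = bytes.fromhex("03020780")          # only bit 0 set, so no CA bit

if __name__ == "__main__":
    print(classify(None, SSL_AND_SMIME_CA))
    print(classify(None, BIT0_ONLY))
    print(classify((True, 0), None))
    print(classify(None, None))
```

Reading the bits from the least significant end instead would turn the BIT0_ONLY sample into a bit 7 (object-signing CA) match, which is why the decoder counts from the most significant bit.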