CA Certificates and Extension Interactions

Extensions Present    Description
Both extensions       The certificate is a CA certificate if the cA component of basicConstraints is true. If one or more of the SSL CA (5), S/MIME CA (6), or object-signing CA (7) bits are set in the netscape-cert-type extension, then the CA will be limited to issuing certificates for the specified application areas; otherwise, the CA can issue certificates for any application.

A certificate chain generally consists of an entity certificate, zero or more intermediate CA certificates, and a root CA certificate. Typically the root CA certificate is self-signed and is loaded into Communicator's certificate database as a trusted CA.

An exchange of certificates takes place when performing an SSL handshake, when sending an S/MIME message, or when sending a signed object. As part of the handshake, the sender is expected to send the subject certificate and any intermediate CA certificates needed to link the subject certificate to the trusted root. For certificate chaining to work properly, the certificates should have the following properties:

• CA certificates must have either the basicConstraints extension, the netscape-cert-type extension with one or more CA bits set, or both, as described above.

• If CAs issue multiple certificates for the same identity, for example for separate signing and encryption keys, they must include the keyUsage extension in the subject certificates.

• If CAs ever intend to generate new keys for their CA, they must add the authorityKeyIdentifier extension to all subject certificates. If the key ID in the authorityKeyIdentifier extension is anything other than the SHA-1 hash of the CA certificate's subjectPublicKeyInfo field, then the CA certificate should contain the subjectKeyIdentifier extension. This will allow for a smooth transition when the new issuing certificate becomes active.

750
Red Hat Certificate System Administrator's Guide • September 2005
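The two rules above that a chain builder actually has to evaluate are the CA-eligibility rule from the table (cA flag plus the netscape-cert-type CA bits) and the key-ID rule from the last bullet (the subject's authorityKeyIdentifier must either equal the SHA-1 key identifier of the issuer's public key or match a subjectKeyIdentifier carried by the issuer certificate). The following Python is an added example written for this page, not Certificate System or NSS code. It assumes extension values arrive already parsed (cA as a bool, netscape-cert-type as a list of set bit numbers, key IDs as bytes) and handles only the subjectPublicKeyInfo as DER, so the SHA-1 key ID is computed exactly as RFC 5280 section 4.2.1.2 method 1 defines it, over the subjectPublicKey BIT STRING contents. The RSA key in it is a constructed toy value, not a real key.

```python
import hashlib

# netscape-cert-type CA bits named on the page (bit numbers as used by the extension)
SSL_CA, SMIME_CA, OBJSIGN_CA = 5, 6, 7
CA_BITS = {SSL_CA: "ssl", SMIME_CA: "smime", OBJSIGN_CA: "object-signing"}


def der_tlv(tag, body):
    """Minimal DER encoder: one tag byte, definite length, body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode one TLV starting at pos; returns (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def constructed_spki(modulus, exponent=65537):
    """Build a DER SubjectPublicKeyInfo for an RSA key (CONSTRUCTED toy input)."""
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:          # keep the INTEGER positive
            b = b"\x00" + b
        return der_tlv(0x02, b)
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    alg = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))               # AlgorithmIdentifier
    rsa_public_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)             # 0 unused bits
    return der_tlv(0x30, alg + bit_string)


def key_identifier(spki_der):
    """SHA-1 of the subjectPublicKey BIT STRING value, excluding tag, length and
    the unused-bits byte (RFC 5280 method 1). This is the 'SHA-1 hash of the
    subjectPublicKeyInfo field' the page refers to."""
    _, spki_body, _ = der_read(spki_der)
    _, _, after_alg = der_read(spki_body)             # skip AlgorithmIdentifier
    tag, bit_string, _ = der_read(spki_body, after_alg)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(bit_string[1:]).digest()


def ca_capabilities(basic_constraints_ca=None, netscape_cert_type_bits=None):
    """Table rule: with basicConstraints present, cA decides CA status; with only
    netscape-cert-type present, any CA bit does. CA bits, when set, restrict
    issuance to those application areas. Returns the permitted areas
    ({'any'} when unrestricted) or an empty set for a non-CA certificate."""
    ca_bits = {b for b in (netscape_cert_type_bits or ()) if b in CA_BITS}
    is_ca = basic_constraints_ca if basic_constraints_ca is not None else bool(ca_bits)
    if not is_ca:
        return frozenset()
    return frozenset(CA_BITS[b] for b in ca_bits) or frozenset({"any"})


def issuer_key_id_consistent(subject_aki_key_id, ca_spki_der, ca_ski=None):
    """Last bullet: the subject's authorityKeyIdentifier must resolve to the CA.
    It matches directly when it equals the SHA-1 key ID of the CA public key;
    otherwise the CA certificate must carry a subjectKeyIdentifier equal to it."""
    if subject_aki_key_id == key_identifier(ca_spki_der):
        return True
    return ca_ski is not None and subject_aki_key_id == ca_ski


if __name__ == "__main__":
    ca_spki = constructed_spki(0xC0FFEE1234567)       # constructed toy modulus
    kid = key_identifier(ca_spki)
    print("derived CA key ID:", kid.hex())
    print("CA areas:", sorted(ca_capabilities(True, [SSL_CA, SMIME_CA])))
    print("AKI matches derived ID:", issuer_key_id_consistent(kid, ca_spki))
    legacy_id = bytes(20)                              # a CA that chose its own key ID
    print("legacy ID without SKI:", issuer_key_id_consistent(legacy_id, ca_spki))
    print("legacy ID with SKI:", issuer_key_id_consistent(legacy_id, ca_spki, legacy_id))
```

The third case in the usage block is the transition the page describes: a CA whose certificates carry a key ID that is not the SHA-1 of the public key only chains cleanly if the CA certificate itself publishes that ID in subjectKeyIdentifier.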