Contents Of A Certificate - Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual

1.3.3.2.2. Other Signing Certificates
Other services, such as the OCSP responder service and CRL publishing, can use signing certificates
other than the CA certificate. For example, a separate CRL signing certificate can be used to sign the
revocation lists that are published by a CA instead of using the CA signing certificate.
1.3.3.2.3. SSL Server and Client Certificates
Server certificates are used for secure communications, such as SSL, and other secure functions.
Servers use these certificates to authenticate themselves during operations and to encrypt data; client
certificates authenticate the client to the server.
NOTE
CAs which have a signing certificate issued by a third party may not be able to issue
server certificates. The third-party CA may have rules in place which prohibit its
subordinates from issuing server certificates.
1.3.3.2.4. User Certificates
End user certificates are a subset of client certificates that are used to identify users to a server or
system. Users can be assigned certificates to use for secure communications, such as SSL, and other
functions such as encrypting email or for single sign-on. Special users, such as Certificate System
agents, can be given client certificates to access special services.
1.3.3.2.5. Dual-Key Pairs
Dual-key pairs are two sets of private and public keys, where one set is used for signing and one for
encryption. These dual keys are used to create dual certificates. The dual certificate enrollment form is
one of the standard forms listed in the end-entities page of the Certificate Manager.
When generating dual-key pairs, make sure the certificate profiles are set to work correctly for
generating separate certificates for signing and encryption.
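One way to check that a dual certificate pair came out of its profiles as intended, as an added example that is not part of the Red Hat manual. It assumes the signing certificate should assert digitalSignature but not keyEncipherment in the X.509 keyUsage extension, the encryption certificate the reverse, and that the openssl CLI is installed; the function names and the self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual). Assumed policy: the two certificates
# hold different keys, the signing one asserts digitalSignature but not
# keyEncipherment, and the encryption one asserts the reverse.

# key_usage CERT: print the keyUsage line of a PEM certificate ("" if absent).
key_usage() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1
}

# check_dual_pair SIGN_CERT ENC_CERT: return 0 only if keys and usages are separated.
check_dual_pair() {
    sign_ku=$(key_usage "$1"); enc_ku=$(key_usage "$2")
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; then
        echo "FAIL: both certificates carry the same public key"; return 1
    fi
    case "$sign_ku" in
        *"Key Encipherment"*) echo "FAIL: signing certificate also allows key encipherment"; return 1 ;;
        *"Digital Signature"*) ;;
        *) echo "FAIL: signing certificate lacks digitalSignature"; return 1 ;;
    esac
    case "$enc_ku" in
        *"Digital Signature"*) echo "FAIL: encryption certificate also allows signing"; return 1 ;;
        *"Key Encipherment"*) ;;
        *) echo "FAIL: encryption certificate lacks keyEncipherment"; return 1 ;;
    esac
    echo "OK: separate keys, separate usages"
}

# make_cert DIR NAME USAGE: constructed self-signed sample certificate.
make_cert() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' "CN=constructed-$2" '[ext]' \
        "keyUsage=critical,$3" > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Demo on constructed certificates: a well-formed pair, then two broken ones.
demo() {
    d=$(mktemp -d)
    make_cert "$d" sign digitalSignature,nonRepudiation
    make_cert "$d" enc keyEncipherment
    make_cert "$d" mixed digitalSignature,keyEncipherment
    check_dual_pair "$d/sign.pem" "$d/enc.pem" || true
    check_dual_pair "$d/sign.pem" "$d/sign.pem" || true   # same key twice
    check_dual_pair "$d/mixed.pem" "$d/enc.pem" || true   # one key, both usages
    rm -rf "$d"
}
demo
```

Run against real output, pass the issued signing certificate first and the encryption certificate second; a non-zero exit status means the pair does not meet the assumed policy.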
1.3.3.2.6. Cross-Pair Certificates
The Certificate System can issue, import, and publish cross-pair CA certificates. With cross-pair
certificates, one CA signs and issues a cross-pair certificate to a second CA, and the second CA signs
and issues a cross-pair certificate to the first CA. Both CAs then store or publish both certificates as a
crossCertificatePair entry.
Certificates can be bridged to honor certificates issued by a CA that is not chained to the root
CA. By establishing a trust between the Certificate System CA and another CA through a cross-pair
CA certificate, the cross-pair certificate can be downloaded and used to trust the certificates issued by
the other CA.

1.3.4. Contents of a Certificate

The contents of certificates are organized according to the X.509 v3 certificate specification, which has
been recommended by the International Telecommunication Union (ITU), an international standards
body.