Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 79


NOTE
For more information on standard extensions, see RFC 2459, RFC 3280, and RFC 3279.
The X.509 v3 standard for certificates allows organizations to define custom extensions and include
them in certificates. These extensions are called private, proprietary, or custom extensions, and
they carry information unique to an organization or business. Applications may not be able to validate
certificates that contain private critical extensions, because a conforming application must reject a
certificate carrying a critical extension it does not recognize, so it is not recommended that these be
used in widespread situations.
Before the X.509 v3 standard was finalized, Netscape and other companies had to address some
of the most pressing issues with their own extension definitions. For example, applications such as
Netscape Navigator and Enterprise Server supported an extension known as the Netscape Certificate
Type Extension that specifies the type of certificate issued, such as client, server, or email. To maintain
compatibility with older versions of browsers that were released before the X.509 v3 specification was
finalized, certain kinds of certificates should include some of these Netscape extensions.
The X.500 and X.509 specifications are controlled by the International Telecommunication Union
(ITU), an international organization that primarily serves large telecommunication companies,
government organizations, and other entities concerned with the international telecommunications
network. The Internet Engineering Task Force (IETF), which controls many of the standards that
underlie the Internet, is currently developing public-key infrastructure X.509 (PKIX) standards. These
proposed standards further refine the X.509 v3 approach to extensions for use on the Internet. The
recommendations for certificates and CRLs have reached proposed standard status and are in a
document referred to as PKIX Part 1.
Two other standards, Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules
(DER), are used with Certificate System and certificates in general. These are specified in the CCITT
Recommendations X.208 and X.209 (now ITU-T X.680 and X.690). For a quick summary of ASN.1 and
DER, see A Layman's Guide to a Subset of ASN.1, BER, and DER, which is available at RSA
Laboratories' web site, www.rsa.com.
5.4.5.1. Structure of Certificate Extensions
In RFC 3280, an X.509 certificate extension is defined as follows:
    Extension ::= SEQUENCE {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
    }
This means a certificate extension consists of the following:
• The object identifier (OID) for the extension. The OID uniquely identifies the extension and, through
that identity, determines the ASN.1 type of the value and how the value is interpreted. When an
extension appears in a certificate, the OID appears as the extension ID field (extnID) and the DER
encoding of the corresponding ASN.1 structure appears as the contents of the octet string (extnValue).
• A Boolean flag called critical.
The value assigned to this field, either true or false, indicates whether the
extension is critical or noncritical to the certificate.
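As an added worked example (not code from the Red Hat manual), the following Python encodes and decodes the Extension structure above by hand in DER and then applies the rule behind the earlier warning about private critical extensions: a relying application must reject a certificate that carries a critical extension it does not recognize, while an unrecognized non-critical extension is simply skipped. The OIDs are the real ones (basicConstraints is 2.5.29.19 and the Netscape Certificate Type extension is 2.16.840.1.113730.1.1); the KNOWN_EXTENSIONS table, the sample values, and the function names are constructed for illustration.

```python
# Added example: DER encoding/decoding of the RFC 3280 Extension SEQUENCE and
# the critical-extension check a relying application performs. Not from the manual.
from typing import Dict, List, Tuple


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # continuation bit on all but the last octet
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def encode_extension(oid: str, critical: bool, value_der: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER forbids encoding a field equal to its DEFAULT, so 'critical' is present only when TRUE;
    the already DER-encoded extension value is wrapped in an OCTET STRING."""
    parts = encode_oid(oid)
    if critical:
        parts += der_tlv(0x01, b"\xff")  # DER BOOLEAN TRUE is 0xFF
    parts += der_tlv(0x04, value_der)
    return der_tlv(0x30, parts)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element); rejects lengths past the buffer."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:end], end


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_extension(der: bytes) -> Tuple[str, bool, bytes]:
    """Parse one Extension into (dotted OID, critical, raw extnValue contents)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, body, pos = _read_tlv(seq, pos)
    if tag == 0x01:  # optional 'critical'; a BER encoder may emit FALSE explicitly, tolerate it
        critical = body != b"\x00"
        tag, body, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, body


# Illustrative table of the extensions this hypothetical application understands.
KNOWN_EXTENSIONS: Dict[str, str] = {
    "2.5.29.19": "basicConstraints",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
}


def check_extensions(exts: List[bytes], known: Dict[str, str] = KNOWN_EXTENSIONS) -> List[str]:
    """RFC 3280 section 4.2: a critical extension the application cannot process makes the
    certificate unacceptable; an unrecognized non-critical extension is ignored."""
    accepted = []
    for ext in exts:
        oid, critical, _ = decode_extension(ext)
        if oid in known:
            accepted.append(known[oid])
        elif critical:
            raise ValueError(f"unrecognized critical extension {oid}")
    return accepted


# Constructed sample data.
BASIC_CONSTRAINTS_OID = "2.5.29.19"
NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"  # Netscape Certificate Type extension
CA_TRUE = b"\x30\x03\x01\x01\xff"            # BasicConstraints ::= SEQUENCE { cA BOOLEAN TRUE }
NS_SSL_CLIENT = b"\x03\x02\x07\x80"          # BIT STRING with bit 0 (SSL client) set

if __name__ == "__main__":
    ca = encode_extension(BASIC_CONSTRAINTS_OID, True, CA_TRUE)
    print(ca.hex())  # 300f0603551d130101ff040530030101ff
    print(decode_extension(ca))
    ns = encode_extension(NS_CERT_TYPE_OID, False, NS_SSL_CLIENT)
    print(check_extensions([ca, ns]))  # ['basicConstraints']: unknown non-critical nsCertType is skipped
    try:
        check_extensions([ca, encode_extension(NS_CERT_TYPE_OID, True, NS_SSL_CLIENT)])
    except ValueError as err:
        print("rejected:", err)
```

Run stand-alone, the script prints the DER bytes of a critical basicConstraints extension, parses them back, accepts a certificate whose Netscape Certificate Type extension is non-critical, and rejects the same extension once it is marked critical. The decoder deliberately tolerates an explicitly encoded critical FALSE, which DER forbids but which some BER encoders emit.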
Using Certificate Extensions
