Extensions Present
A certificate chain generally consists of an entity certificate, zero or more intermediate CA certificates, and a root CA certificate. Typically, the root CA certificate is self-signed and is loaded into a certificate database as a trusted CA.
An exchange of certificates takes place when performing an SSL handshake, when sending an S/MIME message, or when sending a signed object. As part of the handshake, the sender is expected to send the subject certificate and any intermediate CA certificates needed to link the subject certificate to the trusted root. For certificate chaining to work properly, the certificates should have the following properties:
• CA certificates must have the Basic Constraints extension, a Key Usage or Extended Key Usage extension that permits issuing SSL or email certificates, or both.
• If CAs issue multiple certificates for the same identity, for example for separate signing and encryption keys, they must include the Key Usage extension in the subject certificates.
• If CAs will ever generate new keys, they must add the Authority Key Identifier extension to all subject certificates. If the key ID is anything other than the SHA-1 hash of the CA certificate's subjectPublicKeyInfo field, then the CA certificate should contain the Subject Key Identifier extension. This allows a smooth transition when the new issuing certificate becomes active.
These extensions can be configured through the certificate profile enrollment pages. To set the default in the CA signing certificate profile, do the following:
1. If the profile is currently enabled, it must be disabled before it can be edited. Open the agent services page, select Manage Certificate Profiles from the left navigation menu, select the profile, and click Disable profile.
2. Open the CA Console.
pkiconsole https://server.example.com:9443/ca
3. In the left navigation tree of the Configuration tab, select Certificate Manager, then Certificate Profiles.
4. Select caCACert, or the appropriate CA signing certificate profile, from the right window, and click Edit/View.
5. In the Policies tab of the Certificate Profile Rule Editor, select and edit the Key Usage or Extended Key Usage Extension Default if it exists, or add it to the profile.
6. Select the Key Usage or Extended Key Usage Extension Constraint, as appropriate, for the default.
7. Set the default values for the CA certificates. For the Key Usage extension, here are several
settings for a CA signing certificate: digitalSignature and nonRepudiation, which allows a
Setting Restrictions on CA Certificates through Certificate Extensions