Authorityinfoaccess - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


authorityInfoAccess

35:EA:A6:80:30:20:FF:B1:85:C8:4B:74:D9:DC:BB:50
Example B.3. Sample Pretty-Print Certificate Extensions
An object identifier (OID) is a string of numbers identifying a unique object, such as a certificate
extension or a company's certificate practice statement. The Certificate System comes with a set of
extension-specific profile plug-in modules which enable X.509 certificate extensions to be added to the
certificates the server issues. Some of the extensions contain fields for specifying OIDs.
The PKIX standard recommends that all objects, such as extensions and statements, that are used in
certificates be included in the form of an OID. This promotes interoperability between organizations on
a shared network. If certificates will be issued that will be used on shared networks, register the OID
prefixes with the appropriate registration authority.
OIDs are controlled by the International Standards Organization (ISO) registration authority. In some
cases, this authority is delegated by ISO to regional registration authorities. In the United States, the
American National Standards Institute (ANSI) manages this registration.
Using an OID registered to another organization or failing to register an OID may carry legal
consequences, depending on the situation. Registration may be subject to fees. For more information,
contact the appropriate registration authority.
To define or assign OIDs for custom objects, know the company's arc, an OID for a private enterprise.
If the company does not have an arc, it needs to get one. The http://www.alvestrand.no/objectid/ has
more information on registering and using OIDs.
For example, the Netscape-defined OID for an extension named Netscape Certificate
Comment is 2.16.840.1.113730.1.13. The OID assigned to this extension is hierarchical and includes
the former Netscape company arc, 2.16.840.1. The OID definition entry is
http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html.
If an OID extension exists in a certificate and is marked critical, the application validating the certificate
must be able to interpret the extension, including any optional qualifiers, or it must reject the certificate.
Since it is unlikely that all applications will be able to interpret a company's custom extensions
embedded in the form of OIDs, the PKIX standard recommends that the extension be always marked
noncritical.
This section summarizes the extension types defined as part of the Internet X.509 version 3 standard
and indicates which types are recommended by the PKIX working group.
This reference summarizes important information about each certificate. For complete details, see
both the X.509 v3 standard, available from the ITU, and Internet X.509 Public Key Infrastructure
- Certificate and CRL Profile (RFC 3280), available at RFC 3280 [2]. The descriptions of extensions
reference the RFC and section number of the standard draft that discusses the extension; the object
identifier (OID) for each extension is also provided.
Each extension in a certificate can be designated as critical or noncritical. A certificate-using system,
such as a web browser, must reject the certificate if it encounters a critical extension it does not
recognize; however, a noncritical extension can be ignored if it is not recognized.
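The critical/noncritical rule above, worked through as an added example (not code from the manual or from Certificate System). It walks a DER-encoded Extensions sequence and lists the OIDs that would force a rejection; the helper names and the sample bytes are constructed for illustration.

```python
# Added example, not Certificate System code. Helper names are illustrative.
def tlv(tag, body):  # DER-encode one element, short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted-decimal form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)        # first subidentifier packs the top two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Yield (oid, critical, value) for each Extension in a DER Extensions SEQUENCE."""
    _, seq, _ = read_tlv(der, 0)
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = False                 # BOOLEAN DEFAULT FALSE is omitted when false
        if tag == 0x01:
            critical = body != b"\x00"
            tag, body, p = read_tlv(ext, p)
        yield decode_oid(oid), critical, body

def unhandled_critical(der, understood):
    """OIDs that force rejection: marked critical but not understood by the application."""
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in understood]

# Constructed sample: authorityInfoAccess (1.3.6.1.5.5.7.1.1) + Netscape Certificate Comment.
def sample(comment_critical):
    aia = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070101")) + tlv(0x04, b"\x30\x00"))
    flag = tlv(0x01, b"\xff") if comment_critical else b""
    comment = tlv(0x30, tlv(0x06, bytes.fromhex("6086480186f842010d")) + flag
                  + tlv(0x04, tlv(0x16, b"sample comment")))
    return tlv(0x30, aia + comment)
```

A validator that understands only authorityInfoAccess accepts `sample(False)` and must reject `sample(True)`, which is why custom extensions are normally issued noncritical. The extension values in the sample are placeholders; only the OID and the critical flag are examined.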
B.3.1. authorityInfoAccess
The Authority Information Access extension indicates how and where to access information about
the issuer of the certificate. The extension contains an accessMethod and an accessLocation
[2] http://www.ietf.org/rfc/rfc3280.txt
