basicConstraints; certificatePoliciesExt; CRLDistributionPoints - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Criticality
This extension is always noncritical and is always evaluated.
B.3.3. basicConstraints
This extension is used during the certificate chain verification process to identify CA certificates and
to apply certificate chain path length constraints. The cA component should be set to true for all CA
certificates. PKIX recommends that this extension should not appear in end-entity certificates.
If the pathLenConstraint component is present, its value must be greater than the number of CA
certificates that have been processed so far, starting with the end-entity certificate and moving up the
chain. If pathLenConstraint is omitted, then all of the higher level CA certificates in the chain must
not include this component when the extension is present.
OID
2.5.29.19
Criticality
PKIX Part 1 requires that this extension be marked critical. This extension is evaluated regardless of
its criticality.
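The basicConstraints checks described in B.3.3, as an added example that is not part of the Red Hat manual or Certificate System code. It walks a constructed chain from the end-entity certificate upward and applies the RFC 5280 bound, under which pathLenConstraint is the maximum number of intermediate CA certificates that may sit below the certificate carrying it. The dict layout, the `check_basic_constraints` and `ca` names, and the sample subjects are assumptions made for the illustration, and self-issued certificates are not special-cased.

```python
# Added example: basicConstraints checks over a constructed chain.
# Certificates are plain dicts (hypothetical shape), ordered end-entity first.
# "bc" is the decoded basicConstraints extension, or None when it is absent.

def check_basic_constraints(chain):
    """Return a list of (subject, problem) findings for the chain."""
    findings = []
    cas_below = 0  # issuing certificates already processed, moving up the chain
    for index, cert in enumerate(chain):
        bc = cert.get("bc")
        subject = cert["subject"]
        if index == 0:
            # End-entity certificate: it must not be usable as a CA.
            if bc and bc.get("ca"):
                findings.append((subject, "end-entity asserts cA=true"))
            continue
        # Everything above the end-entity signed a certificate, so it must be a CA.
        if not bc or not bc.get("ca"):
            findings.append((subject, "issuer lacks basicConstraints cA=true"))
        else:
            if not bc.get("critical"):
                findings.append((subject, "basicConstraints not marked critical"))
            limit = bc.get("path_len")  # None means no path length constraint
            if limit is not None and cas_below > limit:
                findings.append((subject, f"pathLenConstraint {limit} exceeded: "
                                          f"{cas_below} CA certificate(s) below"))
        cas_below += 1
    return findings


def ca(subject, path_len=None, critical=True):
    """Build a constructed CA certificate record."""
    return {"subject": subject,
            "bc": {"ca": True, "path_len": path_len, "critical": critical}}


# Constructed sample chains, end-entity first.
LEAF = {"subject": "CN=www.example.test", "bc": None}
GOOD = [LEAF, ca("CN=Issuing CA", 0), ca("CN=Root CA", 1)]
TOO_DEEP = [LEAF, ca("CN=Sub CA"), ca("CN=Issuing CA", 0), ca("CN=Root CA", 1)]
ROGUE = [LEAF, {"subject": "CN=user cert used as issuer", "bc": None},
         ca("CN=Root CA")]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("too deep", TOO_DEEP), ("rogue", ROGUE)):
        print(name, check_basic_constraints(chain))
```

The ROGUE chain is the case the cA flag exists to stop: a certificate without cA=true being used to sign another certificate.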
B.3.4. certificatePoliciesExt
The Certificate Policies extension defines one or more policies, each of which consists of an OID and
optional qualifiers. The extension can include a URI to the issuer's Certificate Practice Statement or
can embed issuer information, such as a user notice in text form. This information can be used by
certificate-enabled applications.
If this extension is present, PKIX Part 1 recommends that policies be identified with an OID only, or, if
necessary, only certain recommended qualifiers.
OID
2.5.29.32
Criticality
This extension may be critical or noncritical.
B.3.5. CRLDistributionPoints
This extension defines how CRL information is obtained. It should be used if the system is configured
to use CRL issuing points.
If the extension contains a DistributionPointName with a type set to URI, the URI is assumed to
be a pointer to the current CRL for the specified revocation reasons and will be issued by the named
cRLIssuer. The expected values for the URI are those defined for the Subject Alternative Name
extension. If the distributionPoint omits reasons, the CRL must include revocations for all
reasons. If the distributionPoint omits cRLIssuer, the CRL must be issued by the CA that
issued the certificate.
PKIX recommends that this extension be supported by CAs and applications.