Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs
Table B.31, "Certificate Uses and Corresponding Key Usage Bits" summarizes the guidelines for
typical certificate uses.
If the keyUsage extension is present and marked critical, then it is used to enforce the usage of the
certificate and key. The extension is used to limit the usage of a key; if the extension is not present or
not critical, all types of usage are allowed.
If the keyUsage extension is present, critical or not, it is used to select from multiple certificates for a
given operation. For example, it is used to distinguish separate signing and encryption certificates for
users who have separate certificates and key pairs for those operations.
OID
2.5.29.15
Criticality
This extension may be critical or noncritical. PKIX Part 1 recommends that it should be marked critical
if it is used.
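The enforcement and selection rules above, combined with the mapping in Table B.31, as an added example that is not part of the Certificate System documentation or code. It decodes the keyUsage BIT STRING with the Python standard library and applies the rules as this page states them; the function names, the sample extension values, and the choice to skip certificates that lack the extension during selection are assumptions.

```python
# Named bits of the KeyUsage BIT STRING, in bit order (RFC 5280, section 4.2.1.3).
KU_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly")

# Table B.31 from this page: certificate use -> required key usage bits.
REQUIRED = {
    "CA Signing": {"keyCertSign", "cRLSign"},
    "SSL Client": {"digitalSignature"},
    "SSL Server": {"keyEncipherment"},
    "S/MIME Signing": {"digitalSignature"},
    "S/MIME Encryption": {"keyEncipherment"},
    "Certificate Signing": {"keyCertSign"},
    "Object Signing": {"digitalSignature"},
}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extnValue into bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(payload) * 8 - unused
    # Bit 0 is the most significant bit of the first payload byte.
    return {KU_BITS[i] for i in range(min(nbits, len(KU_BITS)))
            if payload[i // 8] & (0x80 >> (i % 8))}

def use_allowed(use, ku_der=None, critical=False):
    """Enforcement rule as stated on this page: only a present, critical
    keyUsage restricts the key; otherwise every use is allowed."""
    if ku_der is None or not critical:
        return True
    return REQUIRED[use] <= decode_key_usage(ku_der)

def select_cert(use, candidates):
    """Selection rule: keyUsage, critical or not, picks among several certs.
    candidates is a list of (label, ku_der); certs without the extension
    are skipped here, which is an assumption of this example."""
    return [label for label, der in candidates
            if der is not None and REQUIRED[use] <= decode_key_usage(der)]

# Constructed sample extension values (not taken from any real certificate).
KU_CA = bytes.fromhex("03020106")    # keyCertSign + cRLSign
KU_SIGN = bytes.fromhex("03020780")  # digitalSignature only
KU_ENC = bytes.fromhex("03020520")   # keyEncipherment only
```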
Purpose of Certificate    Required Key Usage Bit
CA Signing                keyCertSign, cRLSign
SSL Client                digitalSignature
SSL Server                keyEncipherment
S/MIME Signing            digitalSignature
S/MIME Encryption         keyEncipherment
Certificate Signing       keyCertSign
Object Signing            digitalSignature
Table B.31. Certificate Uses and Corresponding Key Usage Bits
B.3.9. nameConstraints
This extension, which can be used in CA certificates only, defines a name space within which all subject
names in subsequent certificates in a certification path must be located.
OID
2.5.29.30
Criticality
PKIX Part 1 requires that this extension be marked critical.
B.3.10. OCSPNocheck
The extension is meant to be included in an OCSP signing certificate. The extension tells an OCSP
client that the signing certificate can be trusted without querying the OCSP responder (since the reply
would again be signed by the OCSP responder, and the client would again request the validity status