Netscape MANAGEMENT SYSTEM 6.0 - PLUG-IN Manual page 338

Standard X.509 v3 Certificate Extensions
Each extension in a certificate can be designated as critical or noncritical. A
certificate-using system, such as browser software, must reject the certificate if it
encounters a critical extension it does not recognize; however, a noncritical
extension can be ignored if it is not recognized.
The descriptions below contain recommendations for use of the extension from
Netscape and Microsoft. The Microsoft recommendations were taken from
"Structuring X.509 Certificates for Use with Microsoft Products" at
http://www.microsoft.com/security/tech/certificates/structuring.asp
dated December 4, 1997.
Certificate Management System (CMS) version support is listed for each extension.
"Supported" means that the indicated version of CMS ships with built-in support
for the extension via a policy plug-in. "Not supported" means that the indicated
version of CMS does not ship a policy plug-in for the extension (although the
extension can be used if a custom plug-in is written).
These are the standard X.509 v3 extensions described in the sections that follow:
• authorityInfoAccess (page 339)
• authorityKeyIdentifier (page 340)
• basicConstraints (page 341)
• certificatePolicies (page 342)
• cRLDistributionPoints (page 343)
• extKeyUsage (page 344)
• issuerAltName (page 347)
• keyUsage (page 348)
• nameConstraints (page 350)
• OCSPNocheck (page 351)
• policyConstraints (page 352)
• policyMappings (page 353)
• privateKeyUsagePeriod (page 353)
• subjectAltName (page 340)
• subjectDirectoryAttributes (page 356)
• subjectKeyIdentifier (page 356)
338 Netscape Certificate Management System Plug-Ins Guide • March 2002
,