Netscape MANAGEMENT SYSTEM 6.0 - PLUG-IN Manual page 369

Extensions Present
Neither extension
Both extensions
A certificate chain generally consists of an entity certificate, zero or more
intermediate CA certificates, and a root CA certificate. Typically the root CA
certificate is self-signed and is loaded into Communicator's certificate database as a
trusted CA.
An exchange of certificates takes place when performing an SSL handshake, when
sending an S/MIME message, or when sending a signed object. As part of the
handshake, the sender is expected to send the subject certificate and any
intermediate CA certificates needed to link the subject certificate to the trusted
root. For certificate chaining to work properly the certificates should have the
following properties:
• CA certificates must have either the
netscape-cert-type
described above.
• If CAs issue multiple certificates for the same identity, for example for separate
signing and encryption keys, they must include the
subject certificates.
• If CAs ever intend to generate new keys for their CA, they must add the
authorityKeyIdentifier
anything other than the SHA-1 hash of the CA certificates
subjectPublicKeyInfo
subjectKeyIdentifier
when the new issuing certificate becomes active.
Description
The certificate is not a CA.
The certificate is a CA certificate if the cA component of
basicConstraints is true. If one or more of the SSL CA
(5), S/MIME CA (6), or object-signing CA (7) bits are set in
the netscape-cert-type extension, then the CA will be
limited to issuing certificates for the specified application
areas; otherwise, the CA can issue certificates for any
application.
basicConstraints
extension with one or more CA bits set, or both, as
extension to all subject certificates. If the
field, then the CA certificate should contain the
extension. This will allow for a smooth transition
Appendix C
CA Certificates and Extension Interactions
extension, the
extension in the
keyUsage
key ID
Certificate and CRL Extensions
is
369