Cas And Certificate Extensions - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

Certificate Authority Decisions
If you want your CA to chain up to a third-party public CA, you must carefully
consider the restrictions that public CAs place on the kinds of certificates your CA
can issue and the nature of the certificate chain. For example, a CA that chains up
to a third-party CA might be restricted to issuing only Secure Multipurpose
Internet Mail Extensions (S/MIME) and SSL client authentication certificates—not
SSL server certificates. In addition, a CA that chains up to a third-party CA might
not be allowed to have any subordinate CAs and might have to obey certain
restrictions on its use of certificate extensions. These and other restrictions may be
acceptable for some PKI deployments but not for others.

One benefit of chaining up to a public CA is that the third party is responsible for
getting the root CA certificate into the browser or other end-entity software. This
can be a major advantage if you are deploying an extranet that involves certificates
used by different companies whose browsers you cannot control. Alternatively, if
you create your own CA hierarchy from scratch, you are responsible for getting
your root certificate into all the browsers used with the certificates you issue. If you
are using Netscape Communicator as your client, you can accomplish this task
within an intranet by using tools such as Mission Control Desktop or with the aid
of Personal Security Manager, but extranet deployments can be more complicated.

CAs and Certificate Extensions

An X.509 v3 certificate contains an extensions field that permits any number of
additional fields to be added to the certificate. Certificate extensions provide a way
of adding information such as alternative subject names, policy information, and
usage restrictions to certificates. The X.509 v3 standard defines a number of
extensions for various purposes. Certificate Management System provides policy
modules that you can use to set many of the standard extensions in the certificates
the server issues.

Before the X.509 v3 standard was finalized, Netscape and other companies had to
address certain issues, such as usage restrictions, with their own extension
definitions. Therefore, to maintain compatibility with older versions of browsers
that were released before the X.509 v3 specification was finalized, certain kinds of
certificates should include some of the Netscape extensions. Certificate
Management System provides policy modules that you can use to implement
essential Netscape extensions.
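
As an added illustration (not code from this manual or from Certificate Management System), the following Python example walks a DER-encoded X.509 v3 extensions field and decodes the Netscape certificate-type extension alongside a standard one. The sample bytes are constructed for this example and describe a certificate limited to SSL client and S/MIME use; the function names are hypothetical.

```python
NS_CERT_TYPE = "2.16.840.1.113730.1.1"  # Netscape certificate-type extension OID
NS_BITS = ["SSL client", "SSL server", "S/MIME", "object signing",
           "reserved", "SSL CA", "S/MIME CA", "object signing CA"]
# Added example. Constructed sample: critical keyUsage, then netscape-cert-type
SAMPLE = bytes.fromhex("3023" "300e0603551d0f0101ff0404030205a0"
                       "301106096086480186f84201010404030205a0")

def tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid(raw):  # OID content bytes -> dotted-decimal string
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def bit_names(bitstring_der, names):
    """Name the set bits in the first octet of a DER BIT STRING (bit 0 = MSB)."""
    tag, val, _ = tlv(bitstring_der, 0)
    if tag != 0x03 or len(val) < 2:
        raise ValueError("expected non-empty BIT STRING")
    return [n for i, n in enumerate(names) if val[1] & (0x80 >> i)]

def parse_extensions(der):
    """Return [(oid, critical, extnValue bytes)] for SEQUENCE OF Extension."""
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = tlv(body, pos)
        _, oid_raw, p = tlv(ext, 0)
        t, v, p = tlv(ext, p)
        critical = t == 0x01 and v != b"\x00"  # BOOLEAN is omitted when FALSE
        if t == 0x01:
            _, v, _ = tlv(ext, p)
        out.append((oid(oid_raw), critical, v))
    return out
```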