Netscape MANAGEMENT SYSTEM 6.01 - PLUG-IN Manual page 333

Table C-1 Recommendations for Use of Certificate Extensions with CMS
Certificate type CA root
SSL client authorityKeyIdentifier
certificate
basicConstraints:
(required)
extKeyUsage:
keyUsage:
keyCertSign, cRLSign
netscape-cert-type:
SSL CA (if extension exists,
bit must be set)
subjectKeyIdentifier
Intermediate CA
authorityKeyIdentifier
basicConstraints:
true
(required)
cRLDistributionPoints
extKeyUsage:
client auth
client auth
keyUsage:
keyCertSign, cRLSign
netscape-cert-type:
SSL CA (required for client
authentication with some
Netscape servers)
subjectKeyIdentifier
Recommendations for Certificate Extension Use
Issued certificate
authorityKeyIdentifier
true
cRLDistributionPoints
extKeyUsage:
keyUsage:
digitalSignature
netscape-cert-type:
SSL client (if extension exists,
bit must be set; otherwise, not
required)
subjectKeyIdentifier
Appendix C Certificate and CRL Extensions
client auth
333