Table of Contents
Advertisement
This appendix explains both the standard certificate extensions defined by X.509 v3
and the extensions defined by Netscape that were used in versions of products
released before X.509 v3 was finalized. It also provides recommendations for
extensions to use with specific kinds of certificates, including both PKIX Part 1
recommendations and Netscape extensions that must be supported for
compatibility with early versions of Netscape products.
This appendix contains the following sections:
•
Introduction to Certificate Extensions
•
Standard X.509 v3 Certificate Extensions
•
Introduction to CRL Extensions
•
Standard X.509 v3 CRL Extensions
•
Netscape-Defined Certificate Extensions
•
CA Certificates and Extension Interactions
Introduction to Certificate Extensions
An X.509 v3 certificate contains an extensions field that permits any number of
additional fields to be added to the certificate. Certificate extensions provide a way
of adding information such as alternative subject names and usage restrictions to
certificates. Older versions of Netscape browsers and servers that were developed
before PKIX part 1 standards were defined require Netscape-specific extensions.
The X.509 v1 certificate specification was originally designed to bind public keys to
names in an X.500 directory. As certificates began to be used on the Internet and
extranets, and directory lookups could not always be performed, problem areas
such as the following emerged that were not foreseen in the original specification:
Certificate and CRL Extensions
Appendix G
751
Advertisement
Table of Contents
