This section explores various certificate formats supported by an Issuing CA on the KMES Series 3, including X.509, EMV, and SCSA Root. It delves into the use of X.509 profiles, both in their default and custom configurations, which define the identity information included in a certificate. Finally, it examines X.509 v3 extensions that enable you to incorporate additional functionality and specific attributes into digital certificates. These different parameters make it easy to tailor digital certificates to specific needs, enhancing the robustness and adaptability of the PKI.
The primary certificate formats are X.509 and EMV. These formats define the structure of a certificate and what information it should contain. You can modify and expand these formats by using various extension fields. The certificate formats and fields you choose depend on your specific use cases.
The KMES Series 3 supports the following formats:
X.509
The X.509 standard specifies the format of public-key certificates used in PKI. This standard also defines several data types and their formats for PKI, including attribute certificates and certificate revocation lists (CRLs).
An X.509 public-key certificate enables a certificate authority to bind a public key to an entity. These certificates follow a defined format, and you can create and modify them by using specific public-key certificate extensions supported by the KMES Series 3.
The KMES can create the following types of X.509 certificate authorities, each with its own formats:
- X.509
- External Digicert X.509
- External WCCE X.509
EMV
Broadly, Europay Mastercard VISA (EMV) is a consortium of financial institutions that creates standards for card transactions. On the KMES Series 3, EMV usually refers to the EMV certificate standard, which specifies a format for public-key certificates used in financial processing PKI.
An EMV certificate binds a public key to a specific issuer. These certificates generally do not require extensibility and are smaller than their X.509 counterparts, requiring less storage.
The KMES can create the following types of EMV certificate authorities:
- Visa EMV
- Amex EMV
- MasterCard EMV
- JCB EMV
- MultiBanco EMV
- UPI EMV
- Bancomat EMV
X.509 profiles
The KMES Series 3 enables easy creation of X.509 root and intermediate CAs. You can choose from several presets or create your own custom templates for X.509 certificates.
Default X.509 DN profiles
When you create an X.509 certificate on the KMES, you can select one of several Distinguished Name (DN) profiles, also known as presets. These presets act as templates defining which fields (and values, if you configure defaults for them) your X.509 certificates contain. By using these presets, you can conveniently add object identifier (OID) fields to your certificates through the intuitive GUI.
X.509 certificates have the following default presets:
| Preset | OID fields (in order) |
|---|---|
| Classic | Country, State or province, Locality, Organization, Organizational Unit, Title, Common Name, Email, Pseudonym |
| Domain | Domain component, Domain component, Domain component, Organizational unit, Common name |
| EV Certificate | Business category, Jurisdiction of incorporation country name, Jurisdiction of incorporation state or province name, Serial #, Street address, Postal code, Country, State or province, Locality, Organization, Common name |
| Domain Controller | Domain component, Domain component, Organizational unit, Common name |
After you choose a preset, you enter a text value for each of its fields. You can also add new fields, remove existing fields, and reorder them.
Customizing a preset by adding, removing, or moving an OID field in the X.509 Certificate Creation window does not save changes to the template. To make changes to the actual preset templates, use the X.509 DN Profiles tab.
Custom X.509 DN profiles
The KMES Series 3 comes with several default X.509 presets. However, you can create custom X.509 DN profiles to use as presets for X.509 certificates by using the X.509 DN Profiles tab in the PKI settings.
You can add the following OID fields to a DN profile:
| OID field name | OID decimal string |
|---|---|
| Business Category | 2.5.4.15 |
| Common Name (this field names the certificate) | 2.5.4.3 |
| Country | 2.5.4.6 |
| DN Qualifier | 2.5.4.46 |
| Domain Component | 0.9.2342.19200300.100.1.25 |
| Email | 1.2.840.113549.1.9.1 |
| Generation Qualifier | 2.5.4.44 |
| Given Name | 2.5.4.42 |
| Initials | 2.5.4.43 |
| Jurisdiction of Incorporation Country Name | 1.3.6.1.4.1.311.60.2.1.3 |
| Jurisdiction of Incorporation State or Province Name | 1.3.6.1.4.1.311.60.2.1.2 |
| Locality | 2.5.4.7 |
| Name | 2.5.4.41 |
| Organization | 2.5.4.10 |
| Organizational Unit | 2.5.4.11 |
| Postal Code | 2.5.4.17 |
| Pseudonym | 2.5.4.65 |
| Serial # | 2.5.4.5 |
| State or Province | 2.5.4.8 |
| Street Address | 2.5.4.9 |
| Surname | 2.5.4.4 |
| Telephone Number | 2.5.4.20 |
| Title | 2.5.4.12 |
| X.500 Unique Identifier | 2.5.4.45 |
| Custom | [Specify an OID for this] |
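The Go program below is an added example, not part of the KMES documentation or of Futurex software. It shows what a DN profile amounts to once a certificate is built: an ordered sequence of (OID, value) pairs. It takes the EV Certificate and Domain presets from the preset table, with the OIDs from the table above, pairs each field with a user-entered value in profile order (so the repeated Domain Component entries work), DER-encodes the subject as it would appear in the certificate, and parses it back. The helper names (buildSubject, encodeSubject, decodeSubject) and all sample values are constructed for this example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// dnField is one attribute of a DN profile: the GUI label and its OID from the table.
type dnField struct {
	Label string
	OID   asn1.ObjectIdentifier
}

// Field definitions taken from the OID table.
var (
	businessCategory    = dnField{"Business Category", asn1.ObjectIdentifier{2, 5, 4, 15}}
	jurisdictionCountry = dnField{"Jurisdiction of Incorporation Country Name", asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}}
	jurisdictionState   = dnField{"Jurisdiction of Incorporation State or Province Name", asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}}
	serialNumber        = dnField{"Serial #", asn1.ObjectIdentifier{2, 5, 4, 5}}
	streetAddress       = dnField{"Street Address", asn1.ObjectIdentifier{2, 5, 4, 9}}
	postalCode          = dnField{"Postal Code", asn1.ObjectIdentifier{2, 5, 4, 17}}
	country             = dnField{"Country", asn1.ObjectIdentifier{2, 5, 4, 6}}
	stateOrProvince     = dnField{"State or Province", asn1.ObjectIdentifier{2, 5, 4, 8}}
	locality            = dnField{"Locality", asn1.ObjectIdentifier{2, 5, 4, 7}}
	organization        = dnField{"Organization", asn1.ObjectIdentifier{2, 5, 4, 10}}
	organizationalUnit  = dnField{"Organizational Unit", asn1.ObjectIdentifier{2, 5, 4, 11}}
	commonName          = dnField{"Common Name", asn1.ObjectIdentifier{2, 5, 4, 3}}
	domainComponent     = dnField{"Domain Component", asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}}
)

// Presets in the field order the preset table lists; a field may repeat.
var (
	evProfile     = []dnField{businessCategory, jurisdictionCountry, jurisdictionState, serialNumber, streetAddress, postalCode, country, stateOrProvince, locality, organization, commonName}
	domainProfile = []dnField{domainComponent, domainComponent, domainComponent, organizationalUnit, commonName}
)

// Constructed sample values, one per EV profile field, in profile order.
var evValues = []string{"Private Organization", "US", "Delaware", "1234567", "100 Example Way", "78000", "US", "Texas", "Austin", "Example Corp", "www.example.test"}

// buildSubject pairs profile fields with user-entered values and produces the
// RDNSequence of the certificate subject: one single-attribute RDN per field, in
// profile order (the first RDN is the top of the name, the Common Name the last).
func buildSubject(profile []dnField, values []string) (pkix.RDNSequence, error) {
	if len(values) != len(profile) {
		return nil, fmt.Errorf("profile has %d fields but %d values were supplied", len(profile), len(values))
	}
	var seq pkix.RDNSequence
	for i, f := range profile {
		if values[i] == "" {
			return nil, fmt.Errorf("field %q (%v) has no value", f.Label, f.OID)
		}
		seq = append(seq, pkix.RelativeDistinguishedNameSET{{Type: f.OID, Value: values[i]}})
	}
	return seq, nil
}

// encodeSubject DER-encodes the sequence; these bytes become the certificate's
// subject field (x509.Certificate.RawSubject).
func encodeSubject(seq pkix.RDNSequence) ([]byte, error) {
	return asn1.Marshal(seq)
}

// decodeSubject parses the DER back and rejects trailing data.
func decodeSubject(der []byte) (pkix.RDNSequence, error) {
	var seq pkix.RDNSequence
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after subject", len(rest))
	}
	return seq, nil
}

func main() {
	seq, err := buildSubject(evProfile, evValues)
	if err != nil {
		panic(err)
	}
	der, _ := encodeSubject(seq)
	back, _ := decodeSubject(der)
	// String() prints RFC 2253 order (CN first); attributes Go has no short name
	// for (Business Category, the jurisdiction fields) print as OID=#hex.
	fmt.Println(back.String())
	dseq, _ := buildSubject(domainProfile, []string{"com", "example", "corp", "Servers", "host01"})
	fmt.Println(dseq.String())
}
```

The length check matters in practice: a value list that is shorter than the profile silently drops fields from the end of the name, and the Common Name, which names the certificate, is the last field in every preset.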
Default X.509 v3 extension profiles
In addition to DN profiles, there are also several default X.509 v3 extension profiles. These extensions enable you to further modify your X.509 certificates with additional fields, attributes, and requirements. The KMES Series 3 has the following default v3 extension profiles:
- Certificate Authority
- Code Signing Certificate
- Domain Controller
- EV Certificate
- TLS Certificate
- TLS Client Certificate
- TLS Server Certificate
- WCCE Certificate
The values for each of the OID fields in the table below indicate whether they are critical, using a value of Yes (Y) or No (N). A hyphen indicates the field is not present for that v3 profile.
| V3 Profiles | Basic Constraints | Key Usage | Extended Key Usage | Authority Key Identifier | Authority Information Access | Certificate Policies | Subject Alternate Name | Subject Key Identifier | MS Template Name | CRL Distribution Points |
|---|---|---|---|---|---|---|---|---|---|---|
| TLS Server Certificate | N | N | N | N | - | - | - | N | - | - |
| TLS Client Certificate | N | N | N | N | - | - | - | N | - | - |
| TLS Certificate | N | N | - | N | - | - | - | N | - | - |
| Code Signing Certificate | N | N | N | N | - | - | - | N | - | - |
| Certificate Authority | Y | N | - | N | - | - | - | N | - | - |
| EV Certificate | N | N | N | N | - | N | N | N | - | - |
| WCCE Certificate | - | - | - | - | N | - | - | N | - | - |
| Domain Controller | N | N | N | N | - | - | N | N | N | N |
Customizing a v3 profile by adding, removing, or moving an OID field in the X.509 certificate creation window does not save changes to the profile. To make changes to the actual profile, use the X.509 Extensions tab.
Any field marked as critical with a Y is required on the certificate. When a client submits its certificate for validation, the certificate must contain every critical field; if any critical field is missing, validation is denied.
Custom X.509 v3 extension profiles
The KMES Series 3 also supports creating custom X.509 v3 profiles to use with X.509 certificates by using the X.509 Extensions tab in the PKI settings.
Supported X.509 v3 extensions
You can add the following OID fields to an X.509 v3 extension profile:
| OID field name | OID decimal string | Critical options |
|---|---|---|
| Authority Information Access | 1.3.6.1.5.5.7.1.1 | N |
| Authority Key Identifier | 2.5.29.35 | Y/N |
| Basic Constraints | 2.5.29.19 | Y/N |
| CRL Distribution Points | 2.5.29.31 | Y/N |
| Certificate Policies | 2.5.29.32 | Y/N |
| Certificate Template Extension | 1.3.6.1.4.1.311.21.7 | Y/N |
| Extended Key Usage | 2.5.29.37 | Y/N |
| Futurex Role Extension | 1.3.6.1.4.1.36787.2.5.1 | Y/N |
| Issuer Alternate Name | 2.5.29.18 | Y/N |
| Key Usage | 2.5.29.15 | Y/N |
| MS Application Policies | 1.3.6.1.4.1.311.21.10 | Y/N |
| MS Template Name | 1.3.6.1.4.1.311.20.2 | Y/N |
| Name Constraints | 2.5.29.30 | Y/N |
| OCSP No-Check | 1.3.6.1.5.5.7.48.4 | Y/N |
| Policy Constraints | 2.5.29.36 | Y/N |
| Policy Mappings | 2.5.29.33 | Y/N |
| Subject Alternate Name | 2.5.29.17 | Y/N |
| Subject Key Identifier | 2.5.29.14 | Y/N |
| Verifone Log Extension | 2.16.840.1.200000.1.4.10 | Y |
| Custom | [User Entered] | Y/N |
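The Go program below is an added example, not KMES or Futurex code. It reproduces the "Certificate Authority" row of the v3 profile table and a TLS-server-style leaf, showing what the Y/N column becomes in the DER (the critical BOOLEAN of each extension) and what the flag costs a relying party that does not understand the extension: the leaf carries MS Template Name (1.3.6.1.4.1.311.20.2 from the table above) first non-critical, then critical, and Go's chain verifier accepts the first and rejects the second, because RFC 5280 section 4.2 requires a verifier to reject any critical extension it does not recognise. The CA name, leaf name and BMPString value "WS" are constructed. Go's own defaults differ from the table in two places noted in the comments: it marks Key Usage critical unless the extension is supplied raw, and it omits the Authority Key Identifier on a self-signed certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"math/bits"
	"time"
)

// OIDs from the supported-extensions table; msTemplateWS is a constructed
// BMPString "WS" (UTF-16BE), the value type MS Template Name carries.
var (
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	oidKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidMSTemplateName   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2}
	msTemplateWS        = []byte{0x1e, 0x04, 0x00, 'W', 0x00, 'S'}
)

// keyUsageExt encodes Key Usage with an explicit critical flag. Go's CreateCertificate
// always marks the KeyUsage template field critical, so a profile's "N" must be supplied
// through ExtraExtensions. RFC 5280 numbers bit 0 as the most significant bit, the
// reverse of Go's flag layout, hence Reverse8.
func keyUsageExt(ku x509.KeyUsage, critical bool) pkix.Extension {
	bl := bits.Len16(uint16(ku)) // DER trims trailing zero bits of a named bit list
	raw := []byte{bits.Reverse8(byte(ku)), bits.Reverse8(byte(ku >> 8))}[:(bl+7)/8]
	val, err := asn1.Marshal(asn1.BitString{Bytes: raw, BitLength: bl})
	if err != nil {
		panic(err) // a BitString value cannot fail to marshal
	}
	return pkix.Extension{Id: oidKeyUsage, Critical: critical, Value: val}
}

// mint generates a P-256 key and signs tmpl with parent; a nil parent means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA follows the "Certificate Authority" row: Basic Constraints critical (Y); Key Usage
// and SKI present but non-critical (N). Go derives the SKI for CA templates itself and
// leaves AKI off a self-signed certificate.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"}, // constructed
		IsCA:                  true,
		BasicConstraintsValid: true, // Go emits this one critical, matching the Y
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // for Go's own checks; the DER flag comes from ExtraExtensions
		ExtraExtensions:       []pkix.Extension{keyUsageExt(x509.KeyUsageCertSign|x509.KeyUsageCRLSign, false)},
	}, nil, nil)
}

// verdict issues a TLS-server-style leaf (Basic Constraints, Key Usage, EKU and AKI all
// non-critical) that also carries MS Template Name at the chosen criticality, then
// returns the relying party's answer: Go rejects a critical extension it does not
// recognise with x509.UnhandledCriticalExtension, as RFC 5280 section 4.2 requires.
func verdict(critical bool) error {
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	leaf, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "server.example.test"}, // constructed
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{
			{Id: oidBasicConstraints, Value: []byte{0x30, 0x00}}, // empty SEQUENCE: cA FALSE, non-critical
			keyUsageExt(x509.KeyUsageDigitalSignature, false),
			{Id: oidMSTemplateName, Critical: critical, Value: msTemplateWS},
		},
	}, ca, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	ca, _, _ := newCA()
	for _, e := range ca.Extensions {
		fmt.Println("CA extension", e.Id, "critical:", e.Critical)
	}
	fmt.Println("non-critical MS Template Name:", verdict(false))
	fmt.Println("critical MS Template Name:", verdict(true))
}
```

This is the practical reason vendor-specific extensions such as MS Template Name stay non-critical in the profiles above: a relying party that does not implement them would otherwise be obliged to reject the certificate, while a non-critical extension is simply ignored by verifiers that do not know it.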