This section explores various certificate formats supported by an Issuing CA on the , including X.509, EMV, and SCSA Root. It delves into the use of X.509 profiles, both in their default and custom configurations, which define the identity information included in a certificate. Finally, it examines X.509 v3 extensions that enable you to incorporate additional functionality and specific attributes into digital certificates. These different parameters make it easy to tailor digital certificates to specific needs, enhancing the robustness and adaptability of the PKI.

The primary certificate formats are X.509 and EMV. These formats define the structure of a certificate and what information it should contain. You can modify and expand these formats by using various extension fields. The certificate formats and fields you choose depend on your specific use cases.

The supports the following formats:

The X.509 standard specifies the format of public-key certificates used in PKI. This standard additionally defines several data types and their formats for PKI, such as attribute certificates and certificate revocation lists (CRLs).

An X.509 public-key certificate enables a certificate authority to bind a public key to an entity. These certificates follow a defined format, and you can create and modify them by using specific public-key certificate extensions supported by the .

The can create the following types of X.509 certificate authorities, each with its own formats:

Broadly, Europay Mastercard VISA (EMV) is a consortium of financial institutions that creates standards for card transactions. On the , EMV usually refers to the EMV certificate standard, which specifies a format for public-key certificates used in financial processing PKI.

An EMV certificate binds a public key to a specific issuer. These certificates generally do not require extensibility and are smaller than their X.509 counterparts (requiring less storage).

The can create the following types of EMV certificate authorities:

The enables easy creation of X.509 root and intermediate CAs. You can choose from several presets or create your own custom templates for X.509 certificates.

When you create an X.509 certificate on the , you can select one of several Distinguished Name (DN) profiles, also known as presets. These presets act as templates defining which fields (and values, if you configure defaults for them) your X.509 certificates contain. By using these presets, you can conveniently add object identifier (OID) fields to your certificates through the intuitive GUI.

X.509 certificates have the following default presets:

After you choose a preset for the fields on your certificate, you need to add values to each field, which are user-entered text. You can also add new fields, remove existing fields, and reorder them.

The comes with several default X.509 presets. However, you can create custom X.509 DN profiles to use as presets for X.509 certificates by using the X.509 DN Profiles tab in the PKI settings.

You can add the following OID fields to a DN profile:

In addition to DN profiles, there are also several default X.509 v3 extension profiles. These extensions enable you to further modify your X.509 certificates with additional fields, attributes, and requirements. The has the following default v3 extensions:

Any field marked as critical with a Y is required on the certificate. When a client requests validation for their certificate, the client certificate must present all critical fields. Failure to present all critical fields results in a denial of validation.

The comes with several default X.509 v3 extension profiles, and you can create custom v3 profiles to use with X.509 certificates by using the X.509 Extensions tab in the PKI settings.

You can add the following OID fields to an X.509 v3 extension profile: