Futurex Online Issuing CA
Certificate formats, profiles, and extensions
This section explores the certificate formats supported by an issuing CA on the {{k3}}, including X.509, EMV, and SCSA Root. It then covers X.509 profiles, in both their default and custom configurations, which define the identity information included in a certificate. Finally, it examines X.509 v3 extensions, which let you add functionality and specific attributes to digital certificates. Together, these parameters make it easy to tailor digital certificates to specific needs, enhancing the robustness and adaptability of the PKI.

Supported certificate formats

The primary certificate formats are X.509 and EMV. These formats define the structure of a certificate and what information it should contain. You can modify and expand these formats by using various extension fields. The certificate formats and fields you choose depend on your specific use cases. The {{k3}} supports the following formats:

    X.509
    EMV
    SCSA Root

X.509

The X.509 standard specifies the format of public key certificates used in PKI. The standard also defines several related data types and their formats, including attribute certificates and certificate revocation lists (CRLs). An X.509 public key certificate enables a certificate authority to bind a public key to an entity. These certificates follow a defined format, and you can create and modify them by using the public key certificate extensions supported by the {{k3}}. The {{k}} can create the following types of X.509 certificate authorities, each with its own formats:

    X.509
    External DigiCert X.509
    External WCCE X.509

EMV

Broadly, Europay, Mastercard, Visa (EMV) is a consortium of financial institutions that creates standards for card transactions. On the {{k3}}, EMV usually refers to the EMV certificate standard, which specifies a format for public key certificates used in financial processing PKI. An EMV certificate binds a public key to a specific issuer. These certificates generally do not require extensibility and are smaller than their X.509 counterparts, so they require less storage. The {{k}} can create the following types of EMV certificate authorities:

    Visa EMV
    Amex EMV
    Mastercard EMV
    JCB EMV
    Multibanco EMV
    UPI EMV
    Bancomat EMV

X.509 profiles

The {{k3}} enables easy creation of X.509 root and intermediate CAs. You can choose from several presets or create your own custom templates for X.509 certificates.

Default X.509 DN profiles

When you create an X.509 certificate on the {{k}}, you can select one of several distinguished name (DN) profiles, also known as presets. These presets act as templates that define which fields (and which values, if you configure defaults for them) your X.509 certificates contain. By using these presets, you can conveniently add object identifier (OID) fields to your certificates through the GUI. X.509 certificates have the following default presets:

    Preset             OID fields
    Classic            Country, State or Province, Locality, Organization, Organizational Unit, Title, Common Name, Email, Pseudonym
    Domain             Domain Component, Domain Component, Domain Component, Organizational Unit, Common Name
    EV Certificate     Business Category, Jurisdiction of Incorporation Country Name, Jurisdiction of Incorporation State or Province Name, Serial #, Street Address, Postal Code, Country, State or Province, Locality, Organization, Common Name
    Domain Controller  Domain Component, Domain Component, Organizational Unit, Common Name

After you choose a preset for the fields on your certificate, you need to add a value to each field; values are user-entered text. You can also add new fields, remove existing fields, and reorder them. Customizing a preset by adding, removing, or moving an OID field in the X.509 certificate creation window does not save changes to the template. To change the actual preset templates, use the X.509 DN Profiles tab.

Custom X.509 DN profiles

The {{k3}} comes with several default X.509 presets. However, you can create custom X.509 DN profiles to use as presets for X.509 certificates by using the X.509 DN Profiles tab in the PKI settings. You can add the following OID fields to a DN profile:

    OID field name                                        OID decimal string
    Business Category                                     2.5.4.15
    Common Name (this field names the certificate)        2.5.4.3
    Country                                               2.5.4.6
    DN Qualifier                                          2.5.4.46
    Domain Component                                      0.9.2342.19200300.100.1.25
    Email                                                 1.2.840.113549.1.9.1
    Generation Qualifier                                  2.5.4.44
    Given Name                                            2.5.4.42
    Initials                                              2.5.4.43
    Jurisdiction of Incorporation Country Name            1.3.6.1.4.1.311.60.2.1.3
    Jurisdiction of Incorporation State or Province Name  1.3.6.1.4.1.311.60.2.1.2
    Locality                                              2.5.4.7
    Name                                                  2.5.4.41
    Organization                                          2.5.4.10
    Organizational Unit                                   2.5.4.11
    Postal Code                                           2.5.4.17
    Pseudonym                                             2.5.4.65
    Serial #                                              2.5.4.5
    State or Province                                     2.5.4.8
    Street Address                                        2.5.4.9
    Surname                                               2.5.4.4
    Telephone Number                                      2.5.4.20
    Title                                                 2.5.4.12
    X.500 Unique Identifier                               2.5.4.45
    Custom                                                [specify an OID for this field]

Default X.509 v3 extension profiles

In addition to DN profiles, there are several default X.509 v3 extension profiles. These extensions enable you to further modify your X.509 certificates with additional fields, attributes, and requirements. The {{k3}} has the following default v3 extension profiles:

    Certificate Authority
    Code Signing Certificate
    Domain Controller
    EV Certificate
    TLS Certificate
    TLS Client Certificate
    TLS Server Certificate
    WCCE Certificate

Customizing a v3 profile by adding, removing, or moving an OID field in the X.509 certificate creation window does not save changes to the profile. To change the actual profile, use the X.509 Extensions tab.

Any field marked as critical with a Y is required on the certificate. When a client requests validation for its certificate, the client certificate must present all critical fields. Failure to present all critical fields results in a denial of validation.

Custom X.509 v3 extension profiles

The {{k3}} also supports creating custom X.509 v3 profiles to use with X.509 certificates by using the X.509 Extensions tab in the PKI settings.

Supported X.509 v3 extensions

You can add the following OID fields to an X.509 v3 extension profile:

    OID field name                  OID decimal string          Critical options
    Authority Information Access    1.3.6.1.5.5.7.1.1           N
    Authority Key Identifier        2.5.29.35                   Y/N
    Basic Constraints               2.5.29.19                   Y/N
    CRL Distribution Points         2.5.29.31                   Y/N
    Certificate Policies            2.5.29.32                   Y/N
    Certificate Template Extension  1.3.6.1.4.1.311.21.7        Y/N
    Extended Key Usage              2.5.29.37                   Y/N
    Futurex Role Extension          1.3.6.1.4.1.36787.2.5.1     Y/N
    Issuer Alternate Name           2.5.29.18                   Y/N
    Key Usage                       2.5.29.15                   Y/N
    MS Application Policies         1.3.6.1.4.1.311.21.10       Y/N
    MS Template Name                1.3.6.1.4.1.311.20.2        Y/N
    Name Constraints                2.5.29.30                   Y/N
    OCSP No Check                   1.3.6.1.5.5.7.48.4          Y/N
    Policy Constraints              2.5.29.36                   Y/N
    Policy Mappings                 2.5.29.33                   Y/N
    Subject Alternate Name          2.5.29.17                   Y/N
    Subject Key Identifier          2.5.29.14                   Y/N
    Verifone Log Extension          2.16.840.1.200000.1.4.10    Y
    Custom                          [user entered]              Y/N
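To make the DN-table OIDs and the critical flag concrete, here is an added Go example using only the standard library; it is not Futurex code and does not talk to the {{k3}}. It self-signs a test certificate whose subject follows the Classic preset (the Email field is added by its OID from the DN table because pkix.Name has no member for it), then checks which extensions from a profile are absent or not marked critical, which is the check the "critical with a Y" rule implies. All identity values are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// IssueClassic self-signs a test certificate whose subject follows the Classic DN preset and whose
// extensions follow a TLS-server-style v3 profile, then re-parses it so Extensions carries the encoded
// critical flags. Go encodes Key Usage (2.5.29.15) and Basic Constraints (2.5.29.19) as critical.
func IssueClassic() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{ // constructed sample values, not a real identity
			Country: []string{"US"}, Province: []string{"Texas"}, Locality: []string{"Bulverde"},
			Organization: []string{"Example Org"}, OrganizationalUnit: []string{"PKI"},
			CommonName: "pki.example.test",
			ExtraNames: []pkix.AttributeTypeAndValue{ // Email has no pkix.Name member: add it by OID
				{Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}, Value: "pki@example.test"},
			},
		},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // Go encodes EKU (2.5.29.37) non-critical
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// MissingCritical lists the profile extensions (dotted OIDs) the certificate lacks or carries as non-critical.
func MissingCritical(cert *x509.Certificate, required []string) []string {
	critical := map[string]bool{}
	for _, e := range cert.Extensions { critical[e.Id.String()] = e.Critical }
	var missing []string
	for _, oid := range required {
		if !critical[oid] {
			missing = append(missing, oid)
		}
	}
	return missing
}
```

Running MissingCritical against a real profile means listing every extension the profile marks Y; an empty result is the only passing outcome.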