Certificate Attribute Requirements Enforced by PKI Services Manager
This topic provides a detailed list of which certificate fields are checked by PKI Services Manager, and what requirements must be met for a certificate to be accepted as valid.
Requirements for:
All Certificates
The following version 1 fields MUST all contain valid data.
| Field | Validation information for this field and its attibutes |
|---|---|
| Version | Version 3 is required for user or server certificates. The version accepted for CA certificates is configurable (on the General pane or using the AllowVers1 keyword), but by default version 1 certificates are rejected. |
| Serial number | Used in combination with Issuer to identify this certificate for revocation checking |
| Issuer | Used to build the chain of trust for this certificate. -and- Used in combination with Serial number to identify this certificate for revocation checking |
| Subject | The CN attribute is used to determine the identity of the entity presenting this certificate. (Note: In some certificates, the Subject Alternate Name extension is used as an alternate method of specifying identity.) |
| Valid from Valid to | Used to determine if the certificate is within the valid time period |
| Signature algorithm Signature hash algorithm | Provides information required to decrypt the certificate's signature |
| Public key | Used to decrypt the digital signatures provided by the certificate owner |
CA Certificates
Certificate Authority (CA) certificates must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field | Validation information for this field and its attibutes |
|---|---|
| Basic Constraints | MUST be set as a critical extension. Subject type MUST be set to CA. Path Length Constraint is not required. If present, it will be used to check the length of the chain |
| Key Usage | MUST be present. May be set as a critical extension. MUST include Certificate signing. May also include CRL signing, Off-line CRL Signing, Digital Signature. (These attributes may be required if the CA server also issues CRLs or OCSP responses.) |
| Authority Information Access | Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
| CRL Distribution Points | Not required. If present, it can be used to retrieve CRLs. |
| Certificate Policies | Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up and down the chain of trust. |
SSL TLS and FIPS Server Certificates
Certificates used to authenticate SSL, TLS, and FTPS servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field | Validation information for this field and its attibutes |
|---|---|
| Key Usage | May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored |
| Extended Key Usage (Enhanced Key Usage is an equivalent name.) | May be present, but not required. If present: MUST include Server authentication. |
| Authority Information Access | Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers |
| CRL Distribution Points | Not required. If present, it can be used to retrieve CRLs |
| Certificate Policies | Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
| Subject Alternative Name | Not required. May be used to determine alternate names for the server presenting the certificate using either the dNSName or iPAddress attributes |
SSH and SFTP Server Certificates
Certificates used to authenticate Secure Shell (SSH) and SFTP servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field | Validation information for this field and its attibutes |
|---|---|
| Key Usage | May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored |
| Extended Key Usage (Enhanced Key Usage is an equivalent name.) | May be present, but not required. If present, MUST include Server authentication |
| Authority Information Access | Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers |
| CRL Distribution Points | Not required. If present, it can be used to retrieve CRLs |
| Certificate Policies | Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
| Subject Alternative Name | Not required. May be used to determine alternate names for the server presenting the certificate using either the dNSName or iPAddress attributes |
User Certificates
Certificates used to authenticate client users must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field | Validation information for this field and its attibutes |
|---|---|
| Key Usage | May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored |
| Extended Key Usage (Enhanced Key Usage is an equivalent name.) | May be present, but not required. If present, MUST include Client authentication |
| Authority Information Access | Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
| CRL Distribution Points | Not required. If present, it can be used to retrieve CRLs. |
| Certificate Policies | Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust |
| Subject Alternative Name | Not required. May be used to determine alternate names for the user presenting the certificate using the rfc822Name or otherName attributes. |