Netscape Certificate Extensions
Communicator 4.0 Version
Send comments to: cert-ext@netscape.com
Netscape Defined Certificate Extensions
This is the list of certificate extensions implemented in Communicator 1.0:

netscape-cert-type:

This extension can be used to limit the applications for a certificate.
If the extension exists in a certificate, it will limit the uses of the
certificate to those specified. If the extension is not present,
the certificate can be used for all applications except Object Signing.

The value is a bit-string, where the individual bit positions are defined
as:

| bit-0 | SSL client - this cert is certified for SSL client authentication use |
| bit-1 | SSL server - this cert is certified for SSL server authentication use |
| bit-2 | S/MIME - this cert is certified for use by clients (New in PR3) |
| bit-3 | Object Signing - this cert is certified for signing objects such as Java applets and plugins (New in PR3) |
| bit-4 | Reserved - this bit is reserved for future use |
| bit-5 | SSL CA - this cert is certified for issuing certs for SSL use |
| bit-6 | S/MIME CA - this cert is certified for issuing certs for S/MIME use (New in PR3) |
| bit-7 | Object Signing CA - this cert is certified for issuing certs for Object Signing (New in PR3) |
netscape-base-url:

The value is an IA5String. When present, this string is added to the beginning
of all relative URLs in the certificate. This extension can be considered
an optimization to reduce the size of the URL extensions.

netscape-revocation-url:

The value is an IA5String. It is a relative or absolute URL that can be
used to check the revocation status of a certificate. The revocation check
will be performed as an HTTP GET method using a URL that is the concatenation
of revocation-url and certificate-serial-number, where the
certificate-serial-number is encoded as a string of ASCII hexadecimal digits.
For example, if the netscape-base-url is https://www.certs-r-us.com/, the
netscape-revocation-url is cgi-bin/check-rev.cgi?, and the certificate serial
number is 173420, the resulting URL would be:

https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c

The server should return a document with a Content-Type of
application/x-netscape-revocation. The document should contain a single ASCII
digit, '1' if the certificate is not currently valid, and '0' if it is
currently valid.
netscape-ca-revocation-url:
-
The value is an IA5String. It is a relative or absolute URL that can be
used to check the revocation status of any certificates that are signed
by the CA that this certificate belongs to. This extension is only valid
in CA certificates. The use of this extension is the same as the netscape-revocation-url
extension.
-
netscape-cert-renewal-url:
-
The value is an IA5String. It is a relative or absolute URL that points
to a certificate renewal form. The renewal form will be accessed with an
HTTP GET method using a url that is the concatenation of renewal-url
and certificate-serial-number. Where the certificate-serial-number
is encoded as a string of ascii hexadecimal digits. For example, if the
netscape-base-url
is https://www.certs-r-us.com/, the netscape-cert-renewal-url is
cgi-bin/check-renew.cgi?, and the certificate serial number is 173420,
the resulting URL would be:
https://www.certs-r-us.com/cgi-bin/check-renew.cgi?02a56c
The document returned should be an HTML form that will allow the user
to request a renewal of their certificate.
-
netscape-ca-policy-url:
-
The value is an IA5String. It is a relative or absolute URL that points
to a web page that describes the policies under which the certificate was
issued.
-
netscape-ssl-server-name:
-
The value is an IA5String. It is a "shell expression" that can be used
to match the hostname of the SSL server that is using this certificate.
It is recommended that if the server's hostname does not match this pattern
the user be notified and given the option to terminate the SSL connection.
If this extension is not present then the CommonName in the certificate
subject's distinguished name is used for the same purpose.
-
netscape-comment:
-
The value is an IA5String. It is a comment that may be displayed to the
user when the certificate is viewed.
Note: for all of the above URLs that include the certificate
serial number, the serial number will be encoded as a string which consists
of an even number of hexadecimal digits. If the number of significant digits
is odd, the string will have a single leading zero to ensure an even number
of digits is generated.
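The URL construction and serial-number encoding rules above, as an added example that is not part of the Netscape document: it builds the revocation and renewal URLs (prefixing netscape-base-url only when the extension's URL is relative), pads the hex serial to an even number of digits, and interprets the revocation server's one-digit reply. The function names and the sample inputs are this example's own; the URL and serial values are the ones used in the document's example.

```python
# Added example (not from the Netscape document): builds the URLs that a
# client would fetch for the netscape-revocation-url and
# netscape-cert-renewal-url extensions and interprets the revocation reply.
# Function names and the constructed sample values are this example's own.
from urllib.parse import urlsplit

REVOCATION_CONTENT_TYPE = "application/x-netscape-revocation"


def encode_serial(serial: int) -> str:
    """Encode a certificate serial number as ASCII hexadecimal digits.

    The document requires an even number of digits, so a single leading
    zero is added when the count of significant digits is odd
    (173420 = 0x2a56c -> "02a56c").
    """
    if serial < 0:
        raise ValueError("certificate serial numbers are non-negative")
    digits = format(serial, "x")
    if len(digits) % 2:
        digits = "0" + digits
    return digits


def is_relative(url: str) -> bool:
    """A URL without a scheme is relative and gets netscape-base-url prepended."""
    return urlsplit(url).scheme == ""


def build_serial_url(base_url, ext_url: str, serial: int) -> str:
    """Return ext_url (prefixed with base_url when relative) followed by the
    hex-encoded serial number: plain concatenation, as the document describes."""
    url = ext_url
    if is_relative(ext_url):
        if base_url is None:
            raise ValueError("relative URL but no netscape-base-url present")
        url = base_url + ext_url
    return url + encode_serial(serial)


def parse_revocation_reply(content_type: str, body: bytes) -> bool:
    """Interpret the revocation server's reply. Returns True when the
    certificate is reported as NOT currently valid ('1'), False for '0'.
    Any other reply is an error, never silently treated as 'valid'."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != REVOCATION_CONTENT_TYPE:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    digit = body.decode("ascii").strip()
    if digit == "1":
        return True
    if digit == "0":
        return False
    raise ValueError(f"malformed revocation reply {body!r}")


if __name__ == "__main__":
    # Constructed call using the document's own example values
    print(build_serial_url("https://www.certs-r-us.com/",
                           "cgi-bin/check-rev.cgi?", 173420))
    print(parse_revocation_reply(REVOCATION_CONTENT_TYPE, b"0\n"))
```

Treating an unexpected Content-Type or body as an error rather than as "valid" is the design choice worth keeping: a revocation check that fails open gives no protection.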
Standard Extensions

Netscape Communicator supports the following standard certificate extensions
as defined by X.509 Version 3 and PKIX.
keyUsage:

If this extension exists and is critical, then it will be used to enforce
the usage of the cert/key. The following table describes the keyUsage values
required for various operations:

| Application         | Required keyUsage Values |
| SSL Client          | digitalSignature         |
| SSL Server          | keyEncipherment          |
| S/MIME Signing      | digitalSignature         |
| S/MIME Encryption   | keyEncipherment          |
| Certificate Signing | keyCertSign              |
| Object Signing      | digitalSignature         |

Note that if the keyUsage extension is not present, or is present but not
critical, then the cert/key can be used for any type of operation.

If the keyUsage extension is present (critical or not), it will be used
to select from multiple certs for a given operation. For example, it will
be used to distinguish separate signing and encryption certs for users
who have separate certs/keys for these operations.
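The two distinct roles of keyUsage described above, enforcement (critical only) and selection (critical or not), as an added example rather than Communicator's code. The certificate records and the preference order in select_cert are this example's own; the required values per operation come from the table.

```python
# Added example (not Netscape code): the keyUsage enforcement and
# certificate-selection rules described above, over constructed certs.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Required keyUsage value per operation, as in the table above
REQUIRED_KEY_USAGE = {
    "ssl-client": "digitalSignature",
    "ssl-server": "keyEncipherment",
    "smime-signing": "digitalSignature",
    "smime-encryption": "keyEncipherment",
    "cert-signing": "keyCertSign",
    "object-signing": "digitalSignature",
}


@dataclass(frozen=True)
class KeyUsage:
    critical: bool
    values: FrozenSet[str]


@dataclass(frozen=True)
class Cert:
    name: str
    key_usage: Optional[KeyUsage] = None  # None: extension absent


def key_usage_permits(cert: Cert, operation: str) -> bool:
    """Enforcement: only a critical keyUsage restricts what the key may do.
    An absent or non-critical extension permits any operation."""
    required = REQUIRED_KEY_USAGE[operation]
    ku = cert.key_usage
    if ku is None or not ku.critical:
        return True
    return required in ku.values


def select_cert(certs: Iterable[Cert], operation: str) -> Optional[Cert]:
    """Selection: keyUsage, critical or not, disambiguates between several
    certs for one identity (e.g. separate signing and encryption certs).
    The preference order is this example's choice: a cert whose keyUsage
    names the required value wins over one with no keyUsage at all, and a
    cert whose keyUsage is present but lacks the value is never chosen."""
    required = REQUIRED_KEY_USAGE[operation]
    fallback = None
    for cert in certs:
        if cert.key_usage is None:
            fallback = fallback or cert
        elif required in cert.key_usage.values:
            return cert
    return fallback


if __name__ == "__main__":
    # Constructed dual-key user: non-critical keyUsage on both certs
    signing = Cert("alice-sign", KeyUsage(False, frozenset({"digitalSignature"})))
    encryption = Cert("alice-enc", KeyUsage(False, frozenset({"keyEncipherment"})))
    print(select_cert([encryption, signing], "smime-signing").name)
    print(key_usage_permits(encryption, "ssl-client"))  # non-critical: permitted
```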
basicConstraints:
-
The basicConstraints extension is used during the certificate chain verification
process to identify CA certificates and to apply certificate chain path
length constraints. The cA component should be set to true for certificate
authority certificates.
-
If the pathLenConstraint component is present, its value must be
greater than the number of CA certificates that have been processed so
far (starting with the end-entity certificate and moving up the chain).
If pathLenConstraint is omitted, then all of the higher level CA
certificates in the chain must not include this component when the
extension is present.
-
See section below regarding the interaction of basicConstraint and the
netscape-cert-type extension.
-
This extension is evaluated regardless of its criticality.
-
authorityKeyIdentifier:
-
This extension is used to identify which of several CA certs with the same
subject name is the correct issuer of a particular certificate. If the
keyIdentifier
component exists, then it is used to select the certificate with a matching
subjectKeyIdentifier extension. If the authorityCertIssuer and authorityCertSerialNumber
are present, then they are used to identify the correct certificate by
issuer and serialNumber. Only the directoryName form of authorityCertIssuer
is supported.
-
If this extension does not exist, then the issuer name alone will be used
to identify the issuer certificate.
-
This extension is evaluated regardless of its criticality.
-
subjectKeyIdentifier:
-
This extension is used to uniquely identify a certificate from among several
that have the same subject name. If the extension is not present, its value
is calculated by performing a SHA-1 hash of the certificate's DER encoded
subjectPublicKeyInfo, as recommended by PKIX.
Recommendations

basicConstraints, netscape-cert-type, and CA certs

It is strongly recommended that all CA certificates contain the basicConstraints
extension, as this is the standard way to identify a CA certificate. For
those CAs that wish to limit the applications being certified for, the
netscape-cert-type extension may be used. There are several cases to consider:

only basicConstraints present:

The cert is a CA cert if the cA component is true. Path length processing
is done as described above.

only netscape-cert-type present:

The cert is a CA if at least one of the CA bits is set (bits 5, 6, and 7).
The certificates issued by this CA will be limited to the particular applications
specified. Path length processing is done as though the pathLenConstraint
is unlimited.

neither extension present:

The cert is not a CA.

both extensions present:

The cert is a CA cert if the cA component of basicConstraints is true.
If any of the CA bits in the netscape-cert-type extension are set (bits
5, 6, 7), then the CA will be limited to issuing certs for the specified
application areas; otherwise the CA may issue certs for any application.
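The four cases above, together with the application limit a netscape-cert-type CA imposes on the certs beneath it, as an added example that is not Communicator's verification code. It decodes the bit-string the way DER lays it out (bit 0 is the most significant bit of the first content octet), classifies each cert, then walks a constructed chain from the entity cert up to the root. The record types, the chain and the "ssl"/"smime"/"object-signing" application names are this example's own; pathLenConstraint handling is left out so the example stays limited to the CA-status rules.

```python
# Added example (not Netscape code): decides CA status and the permitted
# application areas from basicConstraints and netscape-cert-type per the
# four cases above, then checks a constructed chain against them.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# netscape-cert-type is an ASN.1 BIT STRING; bit 0 is the most significant
# bit of the first content octet, so bit n corresponds to 0x80 >> n.
# Application-area names are this example's own labels for bits 5, 6, 7.
CA_BIT_APPLICATION = {5: "ssl", 6: "smime", 7: "object-signing"}


def cert_type_bits(first_octet: int) -> Set[int]:
    """Bit numbers (0..7) that are set in the BIT STRING's first octet."""
    return {n for n in range(8) if first_octet & (0x80 >> n)}


@dataclass(frozen=True)
class BasicConstraints:
    ca: bool
    path_len: Optional[int] = None


@dataclass(frozen=True)
class Cert:
    name: str
    basic_constraints: Optional[BasicConstraints] = None
    cert_type: Optional[int] = None  # first octet of netscape-cert-type, or None


def ca_status(cert: Cert) -> Tuple[bool, Optional[Set[str]]]:
    """Return (is_ca, applications); applications is None when the CA may
    issue certs for any application."""
    bc, nct = cert.basic_constraints, cert.cert_type
    if bc is None and nct is None:          # neither extension present
        return False, None
    ca_apps = None
    if nct is not None:
        ca_bits = cert_type_bits(nct) & set(CA_BIT_APPLICATION)
        ca_apps = {CA_BIT_APPLICATION[b] for b in ca_bits}
    if bc is None:                            # only netscape-cert-type present
        return (True, ca_apps) if ca_apps else (False, None)
    if not bc.ca:                             # basicConstraints: not a CA
        return False, None
    return True, (ca_apps or None)            # both present, or only basicConstraints


def check_chain(chain: List[Cert], application: str) -> Tuple[bool, str]:
    """chain[0] is the entity cert, chain[-1] the root. Every cert above the
    entity cert must be a CA, and a CA limited by netscape-cert-type may only
    have certs for its listed application areas beneath it."""
    for issuer in chain[1:]:
        is_ca, apps = ca_status(issuer)
        if not is_ca:
            return False, f"{issuer.name} is not a CA certificate"
        if apps is not None and application not in apps:
            return False, f"{issuer.name} is limited to {sorted(apps)}, not {application}"
    return True, "chain ok"


if __name__ == "__main__":
    # Constructed chain: root with basicConstraints only, an intermediate
    # carrying only netscape-cert-type with the SSL CA bit (bit 5 -> 0x04),
    # and an SSL server entity cert (bit 1 -> 0x40).
    root = Cert("root", BasicConstraints(True))
    ssl_ca = Cert("ssl-ca", cert_type=0x04)
    server = Cert("www", cert_type=0x40)
    print(check_chain([server, ssl_ca, root], "ssl"))
    print(check_chain([server, ssl_ca, root], "smime"))
```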
Cert chaining and CA certs

A cert chain will generally consist of an entity cert, zero or more intermediate
CA certs, and a root CA cert. Typically the root CA cert will be self signed,
and will be loaded into the Communicator's certificate database as a trusted
CA.

When an exchange of certs takes place (generally during an SSL handshake,
sending an S/MIME message, or sending a signed object) the sender is expected
to send the subject cert, and any intermediate CA certs needed to link
the subject cert to the trusted root. In order for cert chaining to work
properly the certs should have the following properties:

- CA certs must have either the basicConstraints extension, the netscape-cert-type
  extension with CA bit(s) set, or both, as described above.
- If CAs will be issuing multiple certs for the same identity (separate signing
  and encryption keys/certs) then they must include the keyUsage extension
  in the subject certs.
- If CAs ever intend to generate new keys for their CA, then they must add
  the authorityKeyIdentifier extension to all subject certs. If the key ID
  is anything other than the SHA-1 hash of the CA cert's subjectPublicKeyInfo,
  then the CA cert should contain the subjectKeyIdentifier extension. This
  will allow for a smooth transition when the new issuing cert becomes active.
Object Signing Certificates
Object Signing Certificates must have the netscape-cert-type extension.
Object Signing CA certs must have the Object Signing CA bit set.
Object Signing certs must have the Object Signing bit set.
Netscape Object Identifiers

The base of all Netscape object ids is:

netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }

The DER encoding for the above is 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42.
Note that this is the hexadecimal byte value of the DER encoded OID.

The values for certificate extension names are:

netscape-cert-extension OBJECT IDENTIFIER ::= { netscape 1 }
netscape-cert-type OBJECT IDENTIFIER ::= { netscape-cert-extension 1 }
netscape-base-url OBJECT IDENTIFIER ::= { netscape-cert-extension 2 }
netscape-revocation-url OBJECT IDENTIFIER ::= { netscape-cert-extension 3 }
netscape-ca-revocation-url OBJECT IDENTIFIER ::= { netscape-cert-extension 4 }
netscape-cert-renewal-url OBJECT IDENTIFIER ::= { netscape-cert-extension 7 }
netscape-ca-policy-url OBJECT IDENTIFIER ::= { netscape-cert-extension 8 }
netscape-ssl-server-name OBJECT IDENTIFIER ::= { netscape-cert-extension 12 }
netscape-comment OBJECT IDENTIFIER ::= { netscape-cert-extension 13 }