Professional Documents
Culture Documents
Warisha Rehman - 14768 X.509 Certificates The Extensions in X.509 Certificates
Warisha Rehman - 14768 X.509 Certificates The Extensions in X.509 Certificates
X.509 Certificates
The extensions in X.509 certificates:
1. Authority Key Identifier: The authority key identifier (AKI) is an X.509 v3 certificate
extension. It contains a key identifier which is derived from the public key in the issuer
certificate. According to RFC 5280, the AKI contains the keyIdentifier,
authorityCertIssuer and authorityCertSerialNumber. These two combinations can be
used to identify the issuer certificate i.e. either from the keyIdentifier or from the
authorityCertIssuer and authorityCertSerialNumber. In AKI, keyIdentifier is commonly
used way to identify the issuer certificate.
2. Subject Key identifier extension: this provides a means of identifying certificates that
contain a particular public key.
• To facilitate certification path construction, this extension MUST appear in all
conforming CA certificates, that is, all certificates including the basic constraints
extension (section 4.2.1.10) where the value of CA is TRUE. The value of the subject key
identifier MUST be the value placed in the key identifier field of the Authority Key
Identifier extension (section 4.2.1.1) of certificates issued by the subject of this
certificate.
• This extension MUST NOT be marked critical.
• For CA certificates, subject key identifiers SHOULD be derived from the public key or a
method that generates unique values. Two common methods for generating key
identifiers from the public key are: either a hash value or a 4 bit type field
(keyIdentifier)
4. Extended Key Usage: Extended Key Usage (EKU) is a method of enforcing the public
key of a certificate to be used for a pre-determined set of key purposes. There can be one
or more such key purposes defined. This extension is usually defined by the end entity
systems in their certificates to support their security design constraints. When EKU is
present in a certificate, it implies that the public key can be used in addition to or in
place of the basic purposes listed in the key usage extension. The EKU extension is
always tagged as critical. The EKU extension has key purposes as follows:
• Server authentication (OID 1.3.6.1.5.5.7.3.1)
• Client Authentication (OID 1.3.6.1.5.5.7.3.2)
• anyExtendedKeyUsage (OID 2.5.29.37.0)
• Every fields are uniquely identified by an OID.
8. SCT List: When someone submits a valid certificate to a log, the log responds with a
signed certificate timestamp (SCT), which is simply a promise to add the certificate to
the log within some time period. Certificate authorities can attach an SCT to a certificate
using an X.509v3 extension. The certificate authority (CA) submits a pre certificate to
the log, and the log returns an SCT. The CA then attaches the SCT to the pre certificate as
an X.509v3 extension, signs the certificate, and delivers the certificate to the server
operator.