WARISHA REHMAN– 14768

X.509 Certificates
The extensions in X.509 certificates:

1. Authority Key Identifier: The authority key identifier (AKI) is an X.509 v3 certificate
extension. It contains a key identifier which is derived from the public key in the issuer
certificate. According to RFC 5280, the AKI contains the keyIdentifier,
authorityCertIssuer and authorityCertSerialNumber. These two combinations can be
used to identify the issuer certificate i.e. either from the keyIdentifier or from the
authorityCertIssuer and authorityCertSerialNumber. In AKI, keyIdentifier is commonly
used way to identify the issuer certificate.

2. Subject Key identifier extension: this provides a means of identifying certificates that
contain a particular public key.
• To facilitate certification path construction, this extension MUST appear in all
conforming CA certificates, that is, all certificates including the basic constraints
extension (section 4.2.1.10) where the value of CA is TRUE. The value of the subject key
identifier MUST be the value placed in the key identifier field of the Authority Key
Identifier extension (section 4.2.1.1) of certificates issued by the subject of this
certificate.
• This extension MUST NOT be marked critical.
• For CA certificates, subject key identifiers SHOULD be derived from the public key or a
method that generates unique values. Two common methods for generating key
identifiers from the public key are: either a hash value or a 4 bit type field
(keyIdentifier)

3. Subject Alternative Name: Subject Alternative Name (SAN) is an extension to X.509

that allows various values to be associated with a security certificate using a
subjectAltName field. These values are called Subject Alternative Names (SANs). Names
include: email addresses, IP addresses, URIs, DNS names, directory names, other names,
given as a general name or universal principal name: a registered object identifier
followed by a value.

4. Extended Key Usage: Extended Key Usage (EKU) is a method of enforcing the public
key of a certificate to be used for a pre-determined set of key purposes. There can be one
or more such key purposes defined. This extension is usually defined by the end entity
systems in their certificates to support their security design constraints. When EKU is
present in a certificate, it implies that the public key can be used in addition to or in
place of the basic purposes listed in the key usage extension. The EKU extension is
always tagged as critical. The EKU extension has key purposes as follows:
• Server authentication (OID 1.3.6.1.5.5.7.3.1)
• Client Authentication (OID 1.3.6.1.5.5.7.3.2)
• anyExtendedKeyUsage (OID 2.5.29.37.0)
• Every fields are uniquely identified by an OID.

5. CRL Distribution Points: A certificate revocation list (CRL) is a mechanism for

cancelling a client-side certificate. A CRL distribution point (CDP) is a location on an
LDAP directory server or Web server where a CA publishes CRLs. The system
downloads CRL information from the CDP at the interval specified in the CRL, at the
 interval that you specify during CRL configuration, and when you manually download
the CRL.

6. Certificate policies: The certificate policies extension contains a sequence of one or

more policy information terms, each of which consists of an object identifier (OID) and
optional qualifiers. Optional qualifiers, which MAY be present, are not expected to
change the definition of the policy. A certificate policy OID MUST NOT appear more
than once in a certificate policies extension

7. Authority Information Access: Authority information access (AIA) is a service location

descriptor that is included in every certificate issued by the CA. Technically, it is one of
the many properties of a certificate. It contains LDAP, HTTP, and CER file location points,
which allow clients to access the CA's own certificate information. Address of the OCSP
responder from where revocation of this certificate can be checked (OCSP access
method). Information about how to get the issuer of this certificate (CA issuer access
method).

8. SCT List: When someone submits a valid certificate to a log, the log responds with a
signed certificate timestamp (SCT), which is simply a promise to add the certificate to
the log within some time period. Certificate authorities can attach an SCT to a certificate
using an X.509v3 extension. The certificate authority (CA) submits a pre certificate to
the log, and the log returns an SCT. The CA then attaches the SCT to the pre certificate as
an X.509v3 extension, signs the certificate, and delivers the certificate to the server
operator.