6

What are the Netscape Cert Type attributes in a X.509 Certificate and how are they different with the X509v3 extensions?
Example:
There is the Client/Server Extended Key Usage (X.509) but there is also NetscapeCertType for SSL client and SSL server.
Similar for CA vs Basic Constraints.
So what are these attributes?

Jim
  • 1,395
  • 4
  • 13
  • 18

1 Answers1

9

The Netscape extensions were defined by Netscape during Days of Yore -- around 1996 or so. Netscape did that because the "official" extensions were missing, ill-defined, or found to be lacking some way or another by the Netscape developers.

Old Netscape versions (when it was called Navigator and Communicator) used these extensions, so you had to include them in your SSL server certificate for proper operations. Newer versions and derivatives (including Firefox and the AOL Web browser) simply ignore them if present, and there is little reason to use them anymore.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • I found this also:http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html which is rather dated but seems to take into account `X509v3 Extensions`.I have also seen occusionally certificates created with such extensions (can not give you a reference of an established CA that I have seen for this). – Jim Oct 23 '12 at 16:40
  • Also when you say "there is little reason", do you have an example that we would need to use them? – Jim Oct 23 '12 at 19:39
  • 1
    IIRC Netscape either lacks support for 2048 bit keys or SHA-2, so the moment you use that any attempt at legacy support will fail anyway. @Jim There's probably _no_ reason to do so at all, someone still insisting on using the old Netscape programs will most likely have more severe problems than a lack of these extensions... – Tobias Kienzler Feb 08 '13 at 11:09