10

I have a question about the X.509 v3 extensions. What extensions should appear in a proper certificate for an SSL server?

Thomas Pornin
Wingless-Archangel

2 Answers

12

No extension is strictly necessary in the SSL server certificate, but some extensions can only help:

  • An Authority Key Identifier extension will help clients link the certificate with the issuing CA.
  • A CRL Distribution Points extension (non critical) should be used to point to the URL where the CRL should be found.
  • An Authority Information Access extension can be used to include a pointer (URL) to the certificate for the issuing CA itself; the same extension can point to an OCSP responder, if applicable.
  • If a Key Usage extension is used, it should include some flags: keyAgreement and keyEncipherment for RSA keys to use with TLS_RSA_* cipher suites, digitalSignature for RSA and DSA keys to use with the TLS_DHE_* cipher suites (there is some confusion about whether keyAgreement or keyEncipherment should be used in the case of RSA-based key exchange, so it is safest to include both flags).
  • If you have a formally defined certificate policy, have a pointer to it (OID + download URL) included in all certificates in the path, or at least the SSL server certificate itself: it will give you some legal protection, should disputes arise.
  • The Subject Alt Name extension should be used to indicate the SSL server name. In the absence of such an extension, all browsers will fall back to the CN component of the subjectDN, but this extension is still nominally "preferred" (see RFC 2818 for details).

Of course, all these extensions are supposed to be enforced by the issuing CA, so if you already have the CA, there should be no extra question here.

If in doubt, consult the Internet X.509 PKI Profile. The profile defines what you should morally follow. If you fully conform to it, your certificates will work everywhere. Browsers are actually much more lenient than that.

Thomas Pornin
  • Thank you for the reply. I have a problem with my lecturer about the PKI standard, since it said that the recommendation for a non-CA certificate is to not include Basic Constraints, and he refused to score me on this point even though I supplied CA:False. Should I contact the PKI committee about this to provide the proof? – Wingless-Archangel Jan 27 '13 at 11:36
  • The PKIX committee is not entitled to act as judge in litigations between students and teachers. That being said, the words "MUST", "SHOULD" and "MAY" have a specific meaning in the context of RFC; the presence of Basic Constraints in a non-CA certificate is a MAY, not a SHOULD. See section 4.2.1.9, page 39. However, note that the `cA` flag is defined as `DEFAULT FALSE`, which means "omit _the flag_ if it is false". Therefore, if you include the `Basic Constraints` extension in a non-CA certificate, then its _encoding_ should be that of an empty `SEQUENCE`. – Thomas Pornin Jan 27 '13 at 13:53
  • Sorry, I didn't get this part: "its _encoding_ should be that of an empty SEQUENCE". The main reason he refused to give me more score is that I violated the standard. From my understanding, it means that I didn't violate any PKI standard. – Wingless-Archangel Jan 28 '13 at 19:37
  • Encoding of a `SEQUENCE { cA BOOLEAN DEFAULT FALSE; }` where `cA` has value `FALSE` should be `30 00`, not `30 03 01 01 00` (in hexadecimal). That's what I meant. I was hypothesizing that your teacher was grumpy about how you encoded the extension, not about the _presence_ of that extension. From RFC 5280, it is clear that putting the Basic Constraints extension in a non-CA certificate is allowed, and not even discouraged (it is a MAY, not a SHOULD or SHOULD NOT). However, the _encoding_ of that extension must be valid. I don't know what irked your teacher; I am just exploring possibilities. – Thomas Pornin Jan 28 '13 at 19:45
  • Thank you. The main reason is that the book he referenced (Planning for PKI, http://www.amazon.com/Planning-PKI-Practices-Deploying-Infrastructure/dp/0471397024) is written by members of the committee, and they use the word "Recommend" for omitting the Basic Constraints in a non-CA certificate. Normally, "Recommend" is not strict about having it or not, which is strange in this case as well. – Wingless-Archangel Jan 29 '13 at 11:04
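
The encoding point from the comments above (`30 00` versus `30 03 01 01 00`), as an added example that is not part of the original answer or comments: a strict check of a Basic Constraints extension value against DER and RFC 5280 section 4.2.1.9. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: strict check of a BasicConstraints extension value.
# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
# Function names are hypothetical; sample inputs are constructed.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV with a short-form length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in BasicConstraints")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end

def check_basic_constraints(der):
    """Return (cA, pathLen, problems) for the extension value bytes."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    ca, path_len, problems, pos = False, None, [], 0
    if pos < len(body) and body[pos] == 0x01:        # BOOLEAN cA
        _, val, pos = read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN content must be one byte")
        ca = val[0] != 0x00
        if not ca:
            problems.append("cA FALSE encoded explicitly; DER omits DEFAULT values")
        elif val[0] != 0xFF:
            problems.append("BOOLEAN TRUE must be encoded as FF in DER")
    if pos < len(body) and body[pos] == 0x02:        # INTEGER pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        if not val:
            raise ValueError("INTEGER content must not be empty")
        path_len = int.from_bytes(val, "big", signed=True)
        if not ca:
            problems.append("pathLenConstraint present although cA is not TRUE")
    if pos != len(body):
        raise ValueError("unexpected data inside SEQUENCE")
    return ca, path_len, problems

if __name__ == "__main__":
    # Constructed samples: empty SEQUENCE, explicit FALSE, CA, CA with pathLen 0.
    for sample in ("3000", "3003010100", "30030101ff", "30060101ff020100"):
        print(sample, check_basic_constraints(bytes.fromhex(sample)))
```
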
-2

Hope the link below helps you: http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html

  • 2
    Hi, and welcome to our site. Answers are much more helpful if they have information in them and links to back them up with further detail if necessary. By just providing a link, nobody can determine the merits of your answer and another site may change the URL of a given page. – Jeff Ferland Jan 09 '13 at 07:34