The extensions of a X.509 certificate provide a generic way to include information in the certificate. Currently the function provides support for including five X.509 extensions types: key usage, basic constraints, issuer alternative name, subject alternative name, and the Novell Security Attributes.
To provide a generic method of specifying data for X.509 extensions, the API provides general-purpose data structures and defines, as well as extension-specific data structures and defines.
The following lists extensions from enum NPKIT_x509Extension (see also NPKIT_CRLEntryExtensionInfo, NPKIT_CRLExtensionInfo, and NPKIT_x509GetExtensionData.
|
Extension Name |
Description |
|---|---|
|
None |
No type has been specified. |
|
Unknown |
This extension that cannot be handled properly by NPKIT. |
|
DecodeError |
The extension type cannot be determined because of an error during decoding. |
|
AuthorityKeyIdentifier |
Provides a means of identifying the particular public key used to sign a certificate. This extension is used when an issuer has multiple signing keys (either because of multiple concurrent key pairs or changeover). Generally, this extension should be included in certificates. |
|
SubjectKeyIdentifier |
Provides a means of identifying the particular public key used in an application. When a reference to a public key identifier is needed (such as with the use an Authority Key Identifier) and is not included in the associated certificate, a SHA-1 hash of the subject public key is used. The hash is calculated over the value (excluding tag and length) of the subject public key field in the certificate. |
|
KeyUsage |
Defines the purpose (for example, encipherment, signature, certificate signing, etc.) of the key contained in the certificate. |
|
PrivateKeyUsagePeriod |
Allows the certificate issuer to specify a different validity period for the private key than the certificate. This extension is intended for use with digital signature keys and consists of two optional components: notBefore and notAfter. The private key associated with the certificate should not be used to sign objects before or after the times specified by the two components, respectively. CAs conforming to this profile should not generate certificates with private key usage period extensions unless at least one of the two components is present. |
|
CertificatePolicies |
Specifies the policy under which the certificate has been issued and the purposes for which the certificate can be used, defined by a sequence of policy information terms, each consisting of an Object Identifier (OID™) and optional qualifier. |
|
PolicyMapping |
Extension to be used within CA certificates for listing one or more pairs of object identifiers, each of them including an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates the issuing CA considers its issuerDomainPolicy equivalent to the subject CA’s subjectDomainPolicy. |
|
SubjectAltName |
Allows you to bind additional identities to the subject of the certificate. Defined options include an RFC822 name (e-mail address), a DNS name, IP address, and URL. |
|
IssuerAltName |
Extension for associating Internet style identities with the issuer of the certificate. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and an URL. |
|
SubjectDirectoryAttributes |
This extension is not recommended, but it can be used in local environments. IMPORTANT:This extension must be non-critical. |
|
BasicConstraints |
Identifies whether the subject of the certificate is a CA and how deep a certification path can exist through that CA. |
|
NameConstraints |
Specifies a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions might apply to the subject distinguished name or subject alternative names. Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees. |
|
PolicyConstraints |
Constrains path validation in two ways; it can be used to prohibit policy mapping or require that each certificate in a path contain an acceptable policy identifier. The policy constraints extension can be used in certificates issued to CAs. |
|
CRLDistributionPoints |
Specifies how CRL information is obtained. |
|
ExtendedKeyUsage |
Specifies one or more purposes for which the certified public key can be used, in addition to or in place of the basic purposes indicated in the key usage extension. |
|
AuthorityInfoAccess |
Specifies how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services can include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension can be included in subject or CA certificates, and it MUST be non-critical. |
|
NovellAttribute |
Specifies Novell Security Attributes. For full information, see NPKIT_x509NovellExtensionInfo. |
|
CRLNumber |
Conveys a monotonically increasing sequence number for each CRL issued by a given CA through a specific CA X.500 directory entry or CRL distribution point. This extension allows users to easily determine when a particular CRL supersedes another CRL. |
|
ReasonCode |
Identifies the reason for a certificate revocation. CAs are strongly encouraged to include reason codes in CRL entries; however, do not include a reason code CRL entry extension when using the unspecified reasonCode value. |
|
InstructionCode |
A non-critical CRL entry extension that provides a registered instruction identifier indicating the action to be taken after encountering a certificate that has been placed on hold. |
|
InvalidityDate |
A non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date might be earlier than the revocation date in the CRL entry, which is the date at which the CA processed the revocation. When a revocation is first posted by a CA in a CRL, the invalidity date can precede the date of issue of earlier CRLs, but the revocation date must not precede the date of issue of earlier CRLs. Whenever this information is available, CAs are strongly encouraged to share it with CRL users. |
|
DeltaCRLIndicator |
A critical CRL extension that identifies a delta CRL. The use of delta-CRLs can significantly improve processing time for applications that store revocation information in a format other than the CRL structure. This allows changes to be added to the local database while ignoring unchanged information. IMPORTANT:When a delta CRL is issued, the CAs also must issue a complete CRL. |
|
IssuingDistributionPoint |
A critical CRL extension that identifies the CRL distribution point for a particular CRL and indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, or a limited set of reason codes. Although the extension is critical, conforming implementations are not required to support this extension. |
|
CertificateIssuer |
Identifies the certificate issuer associated with an entry in an indirect CRL (that is, a CRL that has the indirectCRL indicator set in its issuing distribution point extension). If this extension is not present on the first entry in an indirect CRL, the certificate issuer defaults to the CRL issuer. On subsequent entries in an indirect CRL, if this extension is not present, the certificate issuer for the entry is the same as that for the preceding entry. |