##### 7.1.2.1.1 Root CA Validity | __Field__ | __Minimum__ | __Maximum__ | | - | ---- | ---- | | `notBefore` | One day prior to the time of signing | The time of signing | | `notAfter` | 2922 days (approx. 8 years) | 9132 days (approx. 25 years) | **Note**: This restriction applies even in the event of generating a new Root CA Certificate for an existing `subject` and `subjectPublicKeyInfo` (e.g. reissuance). The new CA Certificate MUST conform to these rules.

##### 7.1.2.1.2 Root CA Extensions | __Extension__ | __Presence__ | __Critical__ | __Description__ | | ---- | - | - | ----- | | `authorityKeyIdentifier` | RECOMMENDED | N | See [Section 7.1.2.1.3](#71213-root-ca-authority-key-identifier) | | `basicConstraints` | MUST | Y | See [Section 7.1.2.1.4](#71214-root-ca-basic-constraints) | | `keyUsage` | MUST | Y | See [Section 7.1.2.10.7](#712107-ca-certificate-key-usage) | | `subjectKeyIdentifier` | MUST | N | See [Section 7.1.2.11.4](#712114-subject-key-identifier) | | `extKeyUsage` | MUST NOT | N | - | | `certificatePolicies` | NOT RECOMMENDED | N | See [Section 7.1.2.10.5](#712105-ca-certificate-certificate-policies) | | Signed Certificate Timestamp List | MAY | N | See [Section 7.1.2.11.3](#712113-signed-certificate-timestamp-list) | | Any other extension | NOT RECOMMENDED | - | See [Section 7.1.2.11.5](#712115-other-extensions) |

##### 7.1.2.1.3 Root CA Authority Key Identifier | __Field__ | __Description__ | | --- | ------- | | `keyIdentifier` | MUST be present. MUST be identical to the `subjectKeyIdentifier` field. | | `authorityCertIssuer` | MUST NOT be present | | `authorityCertSerialNumber` | MUST NOT be present |

##### 7.1.2.1.4 Root CA Basic Constraints | __Field__ | __Description__ | | --- | ------- | | `cA` | MUST be set TRUE | | `pathLenConstraint` | NOT RECOMMENDED |

##### 7.1.2.10.1 CA Certificate Validity | __Field__ | __Minimum__ | __Maximum__ | | -- | ---- | ---- | | `notBefore` | One day prior to the time of signing | The time of signing | | `notAfter` | The time of signing | Unspecified |

##### 7.1.2.10.2 CA Certificate Naming All `subject` names MUST be encoded as specified in [Section 7.1.4](#714-name-forms). The following table details the acceptable `AttributeType`s that may appear within the `type` field of an `AttributeTypeAndValue`, as well as the contents permitted within the `value` field. | __Attribute Name__ | __Presence__ | __Value__ | __Verification__ | | --- | - | ------ | -- | | `countryName` | MUST | The two-letter ISO 3166-1 country code for the country in which the CA's place of business is located. | [Section 3.2.2.3](#3223-verification-of-country) | | `stateOrProvinceName` | MAY | If present, the CA's state or province information. | [Section 3.2.2.1](#3221-identity) | | `localityName` | MAY | If present, the CA's locality. | [Section 3.2.2.1](#3221-identity) | | `postalCode` | MAY | If present, the CA's zip or postal information. | [Section 3.2.2.1](#3221-identity) | | `streetAddress` | MAY | If present, the CA's street address. Multiple instances MAY be present. | [Section 3.2.2.1](#3221-identity) | | `organizationName` | MUST | The CA's name or DBA. The CA MAY include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g. if the official record shows "Company Name Incorporated", the CA MAY use "Company Name Inc." or "Company Name". | [Section 3.2.2.2](#3222-dbatradename) | | `organizationalUnitName` | This attribute MUST NOT be included in Root CA Certificates defined in [Section 7.1.2.1](#7121-root-ca-certificate-profile) or TLS Subordinate CA Certificates defined in [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile) or Technically-Constrained TLS Subordinate CA Certificates defined in [Section 7.1.2.6](#7126-tls-subordinate-ca-certificate-profile). This attribute SHOULD NOT be included in other types of CA Certificates. | - | - | | `commonName` | MUST | The contents SHOULD be an identifier for the certificate such that the certificate's Name is unique across all certificates issued by the issuing certificate. | | | Any other attribute | NOT RECOMMENDED | - | See [Section 7.1.4.4](#7144-other-subject-attributes) |

##### 7.1.2.10.3 CA Certificate Authority Information Access If present, the `AuthorityInfoAccessSyntax` MUST contain one or more `AccessDescription`s. Each `AccessDescription` MUST only contain a permitted `accessMethod`, as detailed below, and each `accessLocation` MUST be encoded as the specified `GeneralName` type. The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with the same `accessMethod`, if permitted for that `accessMethod`. When multiple `AccessDescription`s are present with the same `accessMethod`, each `accessLocation` MUST be unique, and each `AccessDescription` MUST be ordered in priority for that `accessMethod`, with the most-preferred `accessLocation` being the first `AccessDescription`. No ordering requirements are given for `AccessDescription`s that contain different `accessMethod`s, provided that previous requirement is satisfied. | __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ | | -- | -- | ---- | - | - | --- | | `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. | | `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's certificate. | | Any other value | - | - | MUST NOT | - | No other `accessMethod`s may be used. |

##### 7.1.2.10.4 CA Certificate Basic Constraints | __Field__ | __Description__ | | --- | ------- | | `cA` | MUST be set TRUE | | `pathLenConstraint` | MAY be present |

##### 7.1.2.10.5 CA Certificate Certificate Policies If present, the Certificate Policies extension MUST contain at least one `PolicyInformation`. Each `PolicyInformation` MUST match the following profile: Table: No Policy Restrictions (Affiliated CA) | __Field__ | __Presence__ | __Contents__ | | --- | - | ------ | | `policyIdentifier` | MUST | When the Issuing CA wishes to express that there are no policy restrictions, the Subordinate CA MUST be an Affiliate of the Issuing CA. The Certificate Policies extension MUST contain only a single `PolicyInformation` value, which MUST contain the `anyPolicy` Policy Identifier. | |     `anyPolicy` | MUST | | | `policyQualifiers` | NOT RECOMMENDED | If present, MUST contain only permitted `policyQualifiers` from the table below. | Table: Policy Restricted | __Field__ | __Presence__ | __Contents__ | | --- | - | ------ | | `policyIdentifier` | MUST | One of the following policy identifiers: | |     A [Reserved Certificate Policy Identifier](#7161-reserved-certificate-policy-identifiers) | MUST | The CA MUST include at least one Reserved Certificate Policy Identifier (see [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers)) associated with the given Subscriber Certificate type (see [Section 7.1.2.7.1](#71271-subscriber-certificate-types)) directly or transitively issued by this Certificate. | |     `anyPolicy` | MUST NOT | The `anyPolicy` Policy Identifier MUST NOT be present. | |     Any other identifier | MAY | If present, MUST be defined by the CA and documented by the CA in its Certificate Policy and/or Certification Practice Statement. | | `policyQualifiers` | NOT RECOMMENDED | If present, MUST contain only permitted `policyQualifiers` from the table below. | This Profile RECOMMENDS that the first `PolicyInformation` value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see [7.1.6.1](#7161-reserved-certificate-policy-identifiers))[^first_policy_note]. Regardless of the order of `PolicyInformation` values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier. **Note**: policyQualifiers is NOT RECOMMENDED to be present in any Certificate issued under this Certificate Profile because this information increases the size of the Certificate without providing any value to a typical Relying Party, and the information may be obtained by other means when necessary. If the `policyQualifiers` is permitted and present within a `PolicyInformation` field, it MUST be formatted as follows: Table: Permitted `policyQualifiers` | __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ | | --- | - | - | ----- | | `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. | | Any other qualifier | MUST NOT | - | - |

##### 7.1.2.10.6 CA Certificate Extended Key Usage | __Key Purpose__ | __OID__ | __Presence__ | | ---- | ---- | - | | `id-kp-serverAuth` | 1.3.6.1.5.5.7.3.1 | MUST | | `id-kp-clientAuth` | 1.3.6.1.5.5.7.3.2 | MAY | | `id-kp-codeSigning` | 1.3.6.1.5.5.7.3.3 | MUST NOT | | `id-kp-emailProtection` | 1.3.6.1.5.5.7.3.4 | MUST NOT | | `id-kp-timeStamping` | 1.3.6.1.5.5.7.3.8 | MUST NOT | | `id-kp-OCSPSigning` | 1.3.6.1.5.5.7.3.9 | MUST NOT | | `anyExtendedKeyUsage` | 2.5.29.37.0 | MUST NOT | | Precertificate Signing Certificate | 1.3.6.1.4.1.11129.2.4.4 | MUST NOT | | Any other value | - | NOT RECOMMENDED |

##### 7.1.2.10.7 CA Certificate Key Usage | __Key Usage__ | __Permitted__ | __Required__ | | ---- | - | - | | `digitalSignature` | Y | N[^ocsp_signing] | | `nonRepudiation` | N | -- | | `keyEncipherment` | N | -- | | `dataEncipherment` | N | -- | | `keyAgreement` | N | -- | | `keyCertSign` | Y | Y | | `cRLSign` | Y | Y | | `encipherOnly` | N | -- | | `decipherOnly` | N | -- | [^ocsp_signing]: If a CA Certificate does not assert the `digitalSignature` bit, the CA Private Key MUST NOT be used to sign an OCSP Response. See [Section 7.3](#73-ocsp-profile) for more information.

##### 7.1.2.10.8 CA Certificate Name Constraints If present, the Name Constraints extension MUST be encoded as follows. As an explicit exception from RFC 5280, this extension SHOULD be marked critical, but MAY be marked non-critical if compatibility with certain legacy applications that do not support Name Constraints is necessary. Table: `nameConstraints` requirements | __Field__ | __Description__ | | -- | -------- | | `permittedSubtrees` | | |   `GeneralSubtree` | The requirements for a `GeneralSubtree` that appears within a `permittedSubtrees`. | |     `base` | See following table. | |     `minimum` | MUST NOT be present. | |     `maximum` | MUST NOT be present. | | `excludedSubtrees` | | |   `GeneralSubtree` | The requirements for a `GeneralSubtree` that appears within a `permittedSubtrees`. | |     `base` | See following table. | |     `minimum` | MUST NOT be present. | |     `maximum` | MUST NOT be present. | The following table contains the requirements for the `GeneralName` that appears within the `base` of a `GeneralSubtree` in either the `permittedSubtrees` or `excludedSubtrees`. Table: `GeneralName` requirements for the `base` field | __Name Type__ | __Presence__ | __Permitted Subtrees__ | __Excluded Subtrees__ | | -- | - | ---- | ---- | | `dNSName` | MAY | The CA MUST confirm that the Applicant has registered the `dNSName` or has been authorized by the domain registrant to act on the registrant's behalf. See [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). | If at least one `dNSName` instance is present in the `permittedSubtrees`, the CA MAY indicate one or more subordinate domains to be excluded. | | `iPAddress` | MAY | The CA MUST confirm that the Applicant has been assigned the `iPAddress` range or has been authorized by the assigner to act on the asignee's behalf. See [Section 3.2.2.5](#3225-authentication-for-an-ip-address). | If at least one `iPAddress` instance is present in the `permittedSubtrees`, the CA MAY indicate one or more subdivisions of those ranges to be excluded. | | `directoryName` | MAY | The CA MUST confirm the Applicant's and/or Subsidiary's name attributes such that all certificates issued will comply with the relevant Certificate Profile (see [Section 7.1.2](#712-certificate-content-and-extensions)), including Name Forms (See [Section 7.1.4](#714-name-forms)). | It is NOT RECOMMENDED to include values within `excludedSubtrees`. | | `rfc822Name` | NOT RECOMMENDED | The CA MAY constrain to a mailbox, a particular host, or any address within a domain, as specified within [RFC 5280, Section 4.2.1.10](https://tools.ietf.org/html/rfc5280#section-4.2.1.10). For each host, domain, or Domain portion of a Mailbox (as specified within [RFC 5280, Section 4.2.1.6](https://tools.ietf.org/html/rfc5280#section-4.2.1.6)), the CA MUST confirm that the Applicant has registered the domain or has been authorized by the domain registrant to act on the registrant's behalf. See [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). | If at least one `rfc822Name` instance is present in the `permittedSubtrees`, the CA MAY indicate one or more mailboxes, hosts, or domains to be excluded. | If no `rfc822Name` instance is present in the `permittedSubtrees`, then the CA MAY include a zero-length `rfc822Name` to indicate no mailboxes are permitted. | | `otherName` | NOT RECOMMENDED | See below | See below | See below | | Any other value | NOT RECOMMENDED | - | - | - | Any `otherName`, if present: 1. MUST apply in the context of the public Internet, unless: a. the `type-id` falls within an OID arc for which the Applicant demonstrates ownership, or, b. the Applicant can otherwise demonstrate the right to assert the data in a public context. 2. MUST NOT include semantics that will mislead the Relying Party about certificate information verified by the CA. 3. MUST be DER encoded according to the relevant ASN.1 module defining the `otherName` `type-id` and `value`. CAs SHALL NOT include additional names unless the CA is aware of a reason for including the data in the Certificate.

##### 7.1.2.11.1 Authority Key Identifier | __Field__ | __Description__ | | --- | ------- | | `keyIdentifier` | MUST be present. MUST be identical to the `subjectKeyIdentifier` field of the Issuing CA. | | `authorityCertIssuer` | MUST NOT be present | | `authorityCertSerialNumber` | MUST NOT be present |

##### 7.1.2.11.2 CRL Distribution Points The CRL Distribution Points extension MUST be present in: - Subordinate CA Certificates; and - Subscriber Certificates that 1) do not qualify as "Short-lived Subscriber Certificates" and 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod. The CRL Distribution Points extension SHOULD NOT be present in: - Root CA Certificates. The CRL Distribution Points extension is OPTIONAL in: - Short-lived Subscriber Certificates. The CRL Distribution Points extension MUST NOT be present in: - OCSP Responder Certificates. When present, the CRL Distribution Points extension MUST contain at least one `DistributionPoint`; containing more than one is NOT RECOMMENDED. All `DistributionPoint` items must be formatted as follows: Table: `DistributionPoint` profile | __Field__ | __Presence__ | __Description__ | | --- | -- | ------ | | `distributionPoint` | MUST | The `DistributionPointName` MUST be a `fullName` formatted as described below. | | `reasons` | MUST NOT | | | `cRLIssuer` | MUST NOT | | A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. All `GeneralName`s MUST be of type `uniformResourceIdentifier`, and the scheme of each MUST be "http". The first `GeneralName` must contain the HTTP URL of the Issuing CA's CRL service for this certificate.

##### 7.1.2.11.3 Signed Certificate Timestamp List If present, the Signed Certificate Timestamp List extension contents MUST be an `OCTET STRING` containing the encoded `SignedCertificateTimestampList`, as specified in [RFC 6962, Section 3.3](https://tools.ietf.org/html/rfc6962#section-3.3). Each `SignedCertificateTimestamp` included within the `SignedCertificateTimestampList` MUST be for a `PreCert` `LogEntryType` that corresponds to the current certificate.

##### 7.1.2.11.4 Subject Key Identifier If present, the `subjectKeyIdentifier` MUST be set as defined within [RFC 5280, Section 4.2.1.2](https://tools.ietf.org/html/rfc5280#section-4.2.1.2). The CA MUST generate a `subjectKeyIdentifier` that is unique within the scope of all Certificates it has issued for each unique public key (the `subjectPublicKeyInfo` field of the `tbsCertificate`). For example, CAs may generate the subject key identifier using an algorithm derived from the public key, or may generate a sufficiently-large unique number, such by using a CSPRNG.

##### 7.1.2.11.5 Other Extensions All extensions and extension values not directly addressed by the applicable certificate profile: 1. MUST apply in the context of the public Internet, unless: a. the extension OID falls within an OID arc for which the Applicant demonstrates ownership, or, b. the Applicant can otherwise demonstrate the right to assert the data in a public context. 2. MUST NOT include semantics that will mislead the Relying Party about certificate information verified by the CA (such as including an extension that indicates a Private Key is stored on a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance). 3. MUST be DER encoded according to the relevant ASN.1 module defining the extension and extension values. CAs SHALL NOT include additional extensions or values unless the CA is aware of a reason for including the data in the Certificate.