7.1.2.4 All Certificates
All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extKeyUsage value, Certificate extension, or other data not specified in Section 7.1.2.1, Section 7.1.2.2, or Section 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate.
CAs SHALL NOT issue a Certificate with:
a. Extensions that do not apply in the context of the public Internet (such as an extKeyUsage value for a service that is only valid in the context of a privately managed network), unless:
i. such value falls within an OID arc for which the Applicant demonstrates ownership, or
ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or
b. semantics that, if included, will mislead a Relying Party about the certificate information verified by the CA (such as including an extKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance).
7.1.2.4 All certificates
All fields and extensions SHALL be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extKeyUsage value, Certificate extension, or other data not specified in Section 7.1.2.1, Section 7.1.2.2, or Section 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate. If the CA includes fields or extensions in a Certificate that are not specified but are otherwise permitted by these Requirements, then the CA SHALL document the processes and procedures that the CA employs for the validation of information contained in such fields and extensions in its CP and/or CPS.
CAs SHALL NOT issue a Certificate with:
- Extensions that do not apply in the context of the public Internet (such as an
extKeyUsagevalue for a service that is only valid in the context of a privately managed network), unless:
i. such value falls within an OID arc for which the Applicant demonstrates ownership, or
ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or - Field or extension values which have not been validated according to the processes and procedures described in these Requirements or the CA's CP and/or CPS.
7.1.2.4 Technically Constrained Precertificate Signing CA Certificate Profile
This Certificate Profile MUST be used when issuing a CA Certificate that will be used as a Precertificate Signing CA, as described in RFC 6962, Section 3.1. If a CA Certificate conforms to this profile, it is considered Technically Constrained.
A Precertificate Signing CA MUST only be used to sign Precertificates, as defined in Section 7.1.2.9. When a Precertificate Signing CA issues a Precertificate, it shall be interpreted as if the Issuing CA of the Precertificate Signing CA has issued a Certificate with a matching tbsCertificate of the Precertificate, after applying the modifications specified in RFC 6962, Section 3.2.
As noted in RFC 6962, Section 3.2, the signature field of a Precertificate is not altered as part of these modifications. As such, the Precertificate Signing CA MUST use the same signature algorithm as the Issuing CA when issuing Precertificates, and, correspondingly, MUST use a public key of the same public key algorithm as the Issuing CA, although MAY use a different CA Key Pair.
| Field | Description |
|---|---|
tbsCertificate |
|
version |
MUST be v3(2) |
serialNumber |
MUST be a non-sequential number greater than zero (0) and less than 2¹⁵⁹ containing at least 64 bits of output from a CSPRNG. |
signature |
See Section 7.1.3.2 |
issuer |
MUST be byte-for-byte identical to the subject field of the Issuing CA. See Section 7.1.4.1 |
validity |
See Section 7.1.2.10.1 |
subject |
See Section 7.1.2.10.2 |
subjectPublicKeyInfo |
The algorithm identifier MUST be byte-for-byte identical to the algorithm identifier of the subjectPublicKeyInfo field of the Issuing CA. See Section 7.1.3.1 |
issuerUniqueID |
MUST NOT be present |
subjectUniqueID |
MUST NOT be present |
extensions |
See Section 7.1.2.4.1 |
signatureAlgorithm |
Encoded value MUST be byte-for-byte identical to the tbsCertificate.signature. |
signature |
7.1.2.4.1 Technically Constrained Precertificate Signing CA Extensions
| Extension | Presence | Critical | Description |
| ---- | - | - | ----- |
| authorityKeyIdentifier | MUST | N | See Section 7.1.2.11.1 |
| basicConstraints | MUST | Y | See Section 7.1.2.10.4 |
| certificatePolicies | MUST | N | See Section 7.1.2.10.5 |
| crlDistributionPoints | MUST | N | See Section 7.1.2.11.2 |
| keyUsage | MUST | Y | See Section 7.1.2.10.7 |
| subjectKeyIdentifier | MUST | N | See Section 7.1.2.11.4 |
| extKeyUsage | MUST[^eku_ca] | N | See Section 7.1.2.4.2 |
| authorityInformationAccess | SHOULD | N | See Section 7.1.2.10.3 |
| nameConstraints | MAY | *[^name_constraints] | See Section 7.1.2.10.8 |
| Signed Certificate Timestamp List | MAY | N | See Section 7.1.2.11.3 |
| Any other extension | NOT RECOMMENDED | - | See Section 7.1.2.11.5 |
7.1.2.4.2 Technically Constrained Precertificate Signing CA Extended Key Usage
| Key Purpose | OID | Presence |
|---|---|---|
| Precertificate Signing Certificate | 1.3.6.1.4.1.11129.2.4.4 | MUST |
| Any other value | - | MUST NOT |