Appendix B
Certificate Extensions (Normative)
This appendix specifies the requirements for extensions in Certificates issued after the date of these guidelines (including Subordinate CA certificates).
(1) Root CA Certificates
As specified in Appendix A of the Baseline Requirements.
(2) Certificates for Subordinate CAs issuing Code Signing Certificates
A. certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
certificatePolicies:policyIdentifier (Required)
If the certificate is issued to a Subordinate CA that is not an Affiliate of the entity that controls the Root CA, then the set of policy identifiers MUST include a Policy Identifier, defined by the Subordinate CA, which indicates a Certificate Policy asserting the Subordinate CA's adherence to and compliance with these Requirements.
The following fields MUST be present if the Subordinate CA is not an Affiliate of the entity that controls the Root CA.
certificatePolicies:policyQualifiers:policyQualifierId
∙ id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri
∙ HTTP URL for the Root CA's Certification Practice Statement
B. cRLDistributionPoint
This extension MUST be present, MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service.
C. authorityInformationAccess
This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1), and/or the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
D. basicConstraints
This extension MUST appear as a critical extension in all CA certificates that contain Public Keys used to validate digital signatures on certificates. The cA field MUST be set true. The pathLenConstraint field MAY be present.
E. keyUsage
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
F. extkeyUsage (EKU)
The id-kp-codeSigning [RFC5280] value MUST be present.
The following EKUs MAY be present: documentSigning and emailProtection.
The value anyExtendedKeyUsage (2.5.29.37.0) or serverAuth (1.3.6.1.5.5.7.3.1) MUST NOT be present.
Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform-specific code signing certificate with that EKU.
This extension SHOULD be marked non-critical.
The CA MUST set all other fields and extensions in accordance with RFC 5280.
(3) Code Signing Certificates
A. certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
certificatePolicies:policyIdentifier (Required)
∙ A Policy Identifier, defined by the Issuer, that indicates a Certificate Policy asserting the Issuer's adherence to and compliance with these Requirements.
certificatePolicies:policyQualifiers:policyQualifierId (Recommended)
∙ id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)
∙ HTTP URL for the Subordinate CA's Certification Practice Statement
B. cRLDistributionPoint
This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.
C. authorityInformationAccess
This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1) and the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
D. basicConstraints (optional)
If present, the cA field MUST be set false.
E. keyUsage (required)
This extension MUST be present and MUST be marked critical. The bit positions for digitalSignature MUST be set. Bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
F. extKeyUsage (EKU) (required)
The value id-kp-codeSigning [RFC5280] MUST be present.
The following EKUs MAY be present: documentSigning, lifetimeSigning, and emailProtection.
The value anyExtendedKeyUsage (2.5.29.37.0) or serverAuth (1.3.6.1.5.5.7.3.1) MUST NOT be present.
Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform-specific code signing certificate with that EKU.
The CA MUST set all other fields and extensions in accordance with RFC 5280.
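A profile check for the section (3) Code Signing Certificate requirements above, as an added example that is not part of the Baseline Requirements or of any CA's tooling, written in Go against the standard library's crypto/x509 (Go 1.22 or later is assumed for x509.OID). NewTestLeaf, its URLs and the policy OID 2.999.1 are constructed sample values; the check reports one finding per violated MUST for keyUsage, extKeyUsage, basicConstraints, certificatePolicies and authorityInformationAccess.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)
// CheckCodeSigningLeaf applies the Appendix B (3) MUST rules to a parsed end-entity certificate and returns one finding per violation.
func CheckCodeSigningLeaf(c *x509.Certificate) (findings []string) {
	need := func(ok bool, msg string) {
		if !ok {
			findings = append(findings, msg)
		}
	}
	crit := map[string]bool{} // dotted OID -> criticality, for every extension actually present
	for _, e := range c.Extensions {
		crit[e.Id.String()] = e.Critical
	}
	need(len(c.PolicyIdentifiers) > 0, "certificatePolicies MUST be present with a policyIdentifier")
	aiaCrit, aiaPresent := crit["1.3.6.1.5.5.7.1.1"]
	need(aiaPresent && !aiaCrit && len(c.OCSPServer) > 0 && len(c.IssuingCertificateURL) > 0, "authorityInformationAccess MUST be present, non-critical, with OCSP and caIssuers HTTP URLs")
	need(!(c.BasicConstraintsValid && c.IsCA), "basicConstraints cA MUST be false")
	kuCrit, kuPresent := crit["2.5.29.15"]
	need(kuPresent && kuCrit && c.KeyUsage&x509.KeyUsageDigitalSignature != 0, "keyUsage MUST be critical with digitalSignature set")
	need(c.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) == 0, "keyUsage MUST NOT set keyCertSign or cRLSign")
	for _, e := range c.ExtKeyUsage {
		need(e != x509.ExtKeyUsageAny && e != x509.ExtKeyUsageServerAuth, "EKU MUST NOT contain anyExtendedKeyUsage or serverAuth")
	}
	need(slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageCodeSigning), "EKU MUST contain id-kp-codeSigning")
	return findings
}
// NewTestLeaf builds and re-parses a self-signed sample certificate (constructed input; the URLs and policy OID 2.999.1 are placeholders, not any real CA's values).
func NewTestLeaf(ku x509.KeyUsage, ekus []x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	polOID, _ := x509.OIDFromInts([]uint64{2, 999, 1}) // Go 1.24+ emits Policies, older releases emit PolicyIdentifiers, so both are set below
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Signer"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: ekus, // Go marks keyUsage critical and EKU, AIA and certificatePolicies non-critical
		Policies: []x509.OID{polOID}, PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 999, 1}},
		OCSPServer: []string{"http://ocsp.example.test"}, IssuingCertificateURL: []string{"http://ca.example.test/root.crt"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
```

Only the MUST-level rules of section (3) are checked; the SHOULD-level rules (other keyUsage bits, other EKUs backed by a Platform vendor agreement) are left to the reviewer.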
(4) Certificates for Subordinate CAs issuing Timestamp Certificates
A. certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
certificatePolicies:policyIdentifier (Required)
If the certificate is issued to a Subordinate CA that is not an Affiliate of the entity that controls the Root CA, then the set of policy identifiers MUST include a Policy Identifier, defined by the Subordinate CA, which indicates a Certificate Policy asserting the Subordinate CA's adherence to and compliance with these Requirements.
The following fields MUST be present if the Subordinate CA is not an Affiliate of the entity that controls the Root CA.
certificatePolicies:policyQualifiers:policyQualifierId
∙ id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri
∙ HTTP URL for the Root CA's Certification Practice Statement
B. cRLDistributionPoint
This extension MUST be present, MUST NOT be marked critical, and MUST contain the HTTP URL of the CA’s CRL service.
C. authorityInformationAccess
This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1), and/or the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
D. basicConstraints
This extension MUST appear as a critical extension in all CA certificates that contain Public Keys used to validate digital signatures on certificates. The cA field MUST be set true. The pathLenConstraint field MAY be present.
E. keyUsage
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
F. extkeyUsage (EKU)
The id-kp-timeStamping [RFC5280] value MUST be present.
The value anyExtendedKeyUsage (2.5.29.37.0) MUST NOT be present.
Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform-specific code signing certificate with that EKU.
This extension SHOULD be marked non-critical.
The CA MUST set all other fields and extensions in accordance with RFC 5280.
(5) Timestamp Certificates
A. certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
certificatePolicies:policyIdentifier (Required)
∙ A Policy Identifier, defined by the Issuer, that indicates a Certificate Policy asserting the Issuer's adherence to and compliance with these Requirements.
certificatePolicies:policyQualifiers:policyQualifierId (Recommended)
∙ id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)
∙ HTTP URL for the Subordinate CA's Certification Practice Statement
B. cRLDistributionPoint
This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.
C. authorityInformationAccess
This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1) and the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
D. basicConstraints (optional)
If present, the cA field MUST be set false.
E. keyUsage (required)
This extension MUST be present and MUST be marked critical. The bit positions for digitalSignature MUST be set. Bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
F. extKeyUsage (EKU) (required)
The value id-kp-timeStamping [RFC5280] MUST be present and MUST be marked critical. The value anyExtendedKeyUsage (2.5.29.37.0) MUST NOT be present.
Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform-specific code signing certificate with that EKU.
The CA MUST set all other fields and extensions in accordance with RFC 5280.