Выпуск Code Signing сертификата-Требования CAB Forum для верификации организации Украина ☎ +380672576220 

☎ +380443834054
☎ +380672576220
Ukrainian Symantec Partner
Ukrainian DigiCert Partner
Контакты
Правила выпуска Code Signing сертификатов
для верификации автора и защиты кода от изменения

Переход на сайт по продаже сертификатов SSL и подписи кода документов почты CSR
pKey
Установка
SSL
Цепочка
SSL
Проверка
SSL
Seal
SSL
Экспорт-Импорт
Конвертер
Code Sign
сертификаты
Email Smime
сертификаты
PDF и Word
сертификаты
База
знаний

Правила CodeSign сертификатов
Помощь
Index
1. Scope
2. Purpose
3. References
4. Definitions
5. Abbreviations and Acronyms
6. Conventions
7. Certificate Warranties and Representations
7.1Certificate Beneficiaries
7.2 Certificate Warranties
7.3 Applicant Warranty
8. Community and Applicability
8.1 Compliance
8.2 Certificate Policies
8.2.1 Implementation
8.2.2 Disclosure
8.3 Commitment to Comply
8.4 Trust model
9. Certificate Content and Profile
9.1 Issuer Information
9.2 Subject Information
9.2.1 Subject Alternative Name Extension
9.2.2 Subject Common Name Field
9.2.3 Subject Domain Component Field
9.2.4 Subject Distinguished Name Fields
9.2.5 Reserved
9.2.6 Subject Organizational Unit Field
9.2.7 Reserved
9.2.8 Other Subject Attributes
9.3 Certificate Policy Identification
9.3.1 Certificate Policy Identifiers
9.3.2 Root CA Requirements
9.3.3 Subordinate CA Certificates
9.3.4 Subscriber Certificates
9.4 Maximum Validity Period
9.5 Subscriber Public Key
9.6 Certificate Serial Number
9.7 Reserved
9.8 Reserved
10. Certificate Request
10.1 Documentation Requirements
10.2 Certificate Request
10.2.1 General
10.2.2 Request and Certification
10.2.3 Information Requirements
10.2.4 Subscriber Private Key
10.3 Subscriber Agreement
10.3.1 General
10.3.2 Agreement Requirements
10.3.3 Service Agreement Requirements for Signing Authorities
11. Verification Practices
11.1 Verification of Organizational Applicants
11.1.1 Organization Identity and Address
11.1.2 DBA/Tradename
11.1.3 Requester Authority
11.2 Verification of Individual Applicants
11.2.1 Individual Identity
11.2.2 Authenticity of Identity
11.3 Age of Certificate Data
11.4 Denied List
11.5 High Risk Certificate Requests
11.6 Data Source Accuracy
11.7 Processing High Risk Applications
11.8 Due Diligence
12. Certificate Issuance by a Root CA
13. Certificate Revocation and Status Checking
13.1 Revocation
13.1.1 Revocation Request
13.1.2 Certificate Problem Reporting
13.1.3 Investigation
13.1.4 Response
13.1.5 Reasons for Revoking a Subscriber Certificate
13.1.6 Reasons for Revoking a Subordinate CA Certificate
13.1.7 Certificate Revocation Date
13.2 Certificate Status Checking
14. Employees and Third Parties
14.1 Trustworthiness and Competence
14.2 Delegation of Functions to Registration Authorities and Subcontractors
14.2.1 General
14.2.2 Compliance Obligation
14.2.3 Allocation of Liability
15. Data Records
16. Data Security and Private Key Protection
16.1 Timestamp Authority Key Protection
16.2 Signing Service Requirements
16.3 Subscriber Private Key Protection
17. Audit (39)
17.1 Eligible Audit Schemes
17.2 Audit Period
17.3 Audit Report
17.4 Pre-Issuance Readiness Audit
17.5 Audit of Delegated Functions
17.6 Auditor Qualifications
17.7 Key Generation Ceremony
18. Liability and Indemnification
Appendix A - Minimum Cryptographic Algorithm and Key Size Requirements
Appendix B - Certificate Extensions (Normative)
Appendix C - User Agent Verification (Normative)
Appendix D - High Risk Regions of Concern

We are an Authorized Reseller for DigiCert™ SSL a WebTrust Certified
SSL Certificate Authority.

Appendix B
Certificate Extensions (Normative)

This appendix specifies the requirements for extensions in Certificates issued after the date of these guidelines (including Subordinate CA certificates)

(1) Root CA Certificates

As specified in Appendix A of the Baseline Requirements.

(2) Certificates for Subordinate CAs issuing Code Signing Certificates

A. certificatePolicies

This extension MUST be present and SHOULD NOT be marked critical. certificatePolicies:policyIdentifier (Required)

If the certificate is issued to a Subordinate CA that is not an Affiliate of the entity that controls the Root CA, then the set of policy identifiers MUST include a Policy Identifier, defined by the Subordinate CA, which indicates a Certificate Policy asserting the Subordinate CA's adherence to and compliance with these Requirements.

The following fields MUST be present if the Subordinate CA is not an Affiliate of the entity that controls the Root CA.

certificatePolicies:policyQualifiers:policyQualifierId

∙id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri

∙HTTP URL for the Root CA's Certification Practice Statement

B. cRLDistributionPoint

This extension MUST be present, MUST NOT be marked critical, and MUST contain the HTTP URL of the CA’s CRL service.

C. authorityInformationAccess

This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1), and/or the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

D. basicConstraints

This extension MUST appear as a critical extension in all CA certificates that contain Public Keys used to validate digital signatures on certificates. The cA field MUST be set true. The pathLenConstraint field MAY be present.

E. keyUsage

This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.

F. extkeyUsage (EKU)

The id-kp-codeSigning [RFC5280] value MUST be present.

The following EKUs MAY be present: documentSigning and emailProtection.

The value anyExtendedKeyUsage (2.5.29.37.0) or serverAuth (1.3.6.1.5.5.7.3.1) MUST NOT be present.

Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform- specific code signing certificate with that EKU.

This extension SHOULD be marked non-critical.

The CA MUST set all other fields and extensions in accordance to RFC 5280.

(3) Code Signing Certificates

A.certificatePolicies

This extension MUST be present and SHOULD NOT be marked critical. certificatePolicies:policyIdentifier (Required)

∙A Policy Identifier, defined by the Issuer, that indicates a Certificate Policy asserting the Issuer's adherence to and compliance with these Requirements.

certificatePolicies:policyQualifiers:policyQualifierId (Recommended)

∙id-qt 1 [RFC 5280] certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)

∙HTTP URL for the Subordinate CA's Certification Practice Statement

B. cRLDistributionPoint

This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.

C. authorityInformationAccess

This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1) and the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

D. basicConstraints (optional)

If present, the cA field MUST be set false.

E. keyUsage (required)

This extension MUST be present and MUST be marked critical. The bit positions for digitalSignature MUST be set. Bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.

F. extKeyUsage (EKU) (required)

The value id-kp-codeSigning [RFC5280] MUST be present.

The following EKUs MAY be present: documentSigning, lifetimeSigning, and emailProtection.

The value anyExtendedKeyUsage (2.5.29.37.0) or serverAuth (1.3.6.1.5.5.7.3.1) MUST NOT be present.

Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform- specific code signing certificate with that EKU.

The CA MUST set all other fields and extensions in accordance to RFC 5280.

(4) Certificates for Subordinate CAs issuing Timestamp Certificates

A. certificatePolicies

This extension MUST be present and SHOULD NOT be marked critical. certificatePolicies:policyIdentifier (Required)

If the certificate is issued to a Subordinate CA that is not an Affiliate of the entity that controls the Root CA, then the set of policy identifiers MUST include a Policy Identifier, defined by the Subordinate CA, which indicates a Certificate Policy asserting the Subordinate CA's adherence to and compliance with these Requirements.

The following fields MUST be present if the Subordinate CA is not an Affiliate of the entity that controls the Root CA.

certificatePolicies:policyQualifiers:policyQualifierId

∙id-qt 1 [RFC 5280] certificatePolicies:policyQualifiers:qualifier:cPSuri

∙HTTP URL for the Root CA's Certification Practice Statement

B. cRLDistributionPoint

This extension MUST be present, MUST NOT be marked critical, and MUST contain the HTTP URL of the CA’s CRL service.

C. authorityInformationAccess

This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1), and/or the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

D. basicConstraints

This extension MUST appear as a critical extension in all CA certificates that contain Public Keys used to validate digital signatures on certificates. The cA field MUST be set true. The pathLenConstraint field MAY be present.

E. keyUsage

This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.

F. extkeyUsage (EKU)

The id-kp-timeStamping [RFC5280] value MUST be present.

The value anyExtendedKeyUsage (2.5.29.37.0) MUST NOT be present.

Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform- specific code signing certificate with that EKU.

This extension SHOULD be marked non-critical.

The CA MUST set all other fields and extensions in accordance to RFC 5280.

(5) Timestamp Certificates

A. certificatePolicies

This extension MUST be present and SHOULD NOT be marked critical. certificatePolicies:policyIdentifier (Required)

∙A Policy Identifier, defined by the Issuer, that indicates a Certificate Policy asserting the Issuer's adherence to and compliance with these Requirements.

certificatePolicies:policyQualifiers:policyQualifierId (Recommended)

∙id-qt 1 [RFC 5280] certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)

∙ HTTP URL for the Subordinate CA's Certification Practice Statement

B. cRLDistributionPoint

This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.

C. authorityInformationAccess

This extension MUST be present and MUST NOT be marked critical. The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1) and the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

D. basicConstraints (optional)

If present, the cA field MUST be set false.

E. keyUsage (required)

This extension MUST be present and MUST be marked critical. The bit positions for digitalSignature MUST be set. Bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.

F. extKeyUsage (EKU) (required)

The value id-kp-timeStamping [RFC5280] MUST be present and MUST be marked critical. The value anyExtendedKeyUsage (2.5.29.37.0) MUST NOT be present.

Other values SHOULD NOT be present. If any other value is present, the CA MUST have a business agreement with a Platform vendor requiring that EKU in order to issue a Platform- specific code signing certificate with that EKU.

The CA MUST set all other fields and extensions in accordance to RFC 5280. 


 DV SSL OV Сертификаты подтверждающие только Домен OV SSL OV Сертификаты подтверждающие Домен и Организацию EV SSL EV Зеленые усиленные сертификаты с указанием названия Организации подтверждают Домен и Организацию WC SSL wildcard Сертификаты защищающие все субдомены. Класс DV OV и EV SAN SSL SAN Мульти доменные  сертификаты защищающие несколько FQDN Доменов. Класс DV OV и EV PRO SSL SGC PRO сертификаты с технологией  Server Gated Cryptography. Класс  OV и EV CodeSign Сертификаты для подписи приложений и програмного кода MS, Java. Класс  OV и EV Email Сертификаты для подписи емаил smime. Класс  DV OV PDF Сертификаты для подписи документов PDF. Класс  OV PV Wi-Fi Сертификаты DigiCert для IoT и Wi Fi IoT Сертификаты DigiCert для IIoT ALL Все сертификаты Symantec Familie: Symantec, thawte, GeoTrust, DigiCert Купить сертификат

NO russia - мы не осблуживаем резидентов из россии Copyright © 1997-2018 adgrafics