Guide to issuing and managing EV SSL certificates with extended validation
9 EV Certificate Content and Profile
This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate.
9.1 Issuer Information
Issuer Information listed in an EV Certificate MUST comply with Section 9.1 of the Baseline Requirements.
9.2 Subject Information
Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed:
9.2.1 Subject Organization Name Field
Certificate field: subject:organizationName (OID: 2.5.4.10)
Required/Optional: Required
Contents: This field MUST contain the Subject’s full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows “Company Name Incorporated” the CA MAY include “Company Name, Inc.”
When abbreviating a Subject’s full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration.
In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis.
If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with section 10.11.1 and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate.
9.2.2 Subject Alternative Name Extension
Certificate field: subjectAltName:dNSName
Required/Optional: Required
Contents: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject’s server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). Wildcard certificates are not allowed for EV Certificates.
9.2.3 Subject Common Name Field
Certificate field: subject:commonName (OID: 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single Domain Name owned or controlled by the Subject and to be associated with the Subject’s server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). Wildcard certificates are not allowed for EV Certificates.
9.2.4 Subject Business Category Field
Certificate field: subject:businessCategory (OID: 2.5.4.15)
Required/Optional: Required
Contents: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of Section 8.2.2, 8.2.3, 8.2.4 or 8.2.5 of these Guidelines, respectively.
9.2.5 Subject Jurisdiction of Incorporation or Registration Field
Certificate fields:
Locality (if required):
subject:jurisdictionOfIncorporationLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1)
ASN.1 - X520LocalityName as specified in RFC 5280
State or province (if required):
subject:jurisdictionOfIncorporationStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2)
ASN.1 - X520StateOrProvinceName as specified in RFC 5280
Country:
subject:jurisdictionOfIncorporationCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3)
ASN.1 - X520countryName as specified in RFC 5280
Required/Optional: Required
Contents: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.
9.2.6 Subject Registration Number Field
Certificate field: subject:serialNumber (OID: 2.5.4.5)
Required/Optional: Required
Contents: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats.
For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity.
For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats.
9.2.7 Subject Physical Address of Place of Business Field
Certificate fields:
Number and street: subject:streetAddress (OID: 2.5.4.9)
City or town: subject:localityName (OID: 2.5.4.7)
State or province (where applicable): subject:stateOrProvinceName (OID: 2.5.4.8)
Country: subject:countryName (OID: 2.5.4.6)
Postal code: subject:postalCode (OID: 2.5.4.17)
Required/Optional: City, state, and country – Required; Street and postal code – Optional
Contents: This field MUST contain the address of the physical location of the Subject’s Place of Business.
9.2.8 Other Subject Attributes
All other optional attributes, when present within the subject field, MUST contain information that has been verified by the CA. CAs SHALL NOT include Fully-Qualified Domain Names in Subject attributes except as specified in Section 9.2.1 and SHALL NOT include any Subject Organization Information except as specified in Section 9.2. Optional subfields within the Subject field MUST either contain information verified by the CA or MUST be left empty. Metadata such as ‘.’, ‘-’, and ‘ ’ characters, and/or any other indication that the field is empty, absent or incomplete, MUST NOT be used.
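The Subject rules of Sections 9.2.1 through 9.2.8 lend themselves to a pre-issuance lint. The following checker is an added example, not part of the Guidelines or any CA's code; it assumes the Subject has already been parsed into a dict of single-valued attributes plus a list of dNSName entries, and it covers the rules the text states mechanically (required attributes, the 64-character organization name limit, the four businessCategory strings, ISO country codes, no wildcards, no filler characters).

```python
import re

# Constructed representation for this example (not the Guidelines' own code):
# `subject` maps each Section 9.2 Subject attribute name to one string value,
# `dns_names` lists the subjectAltName dNSName entries.
BUSINESS_CATEGORIES = {"Private Organization", "Government Entity",
                       "Business Entity", "Non-Commercial Entity"}
REQUIRED = ("organizationName", "businessCategory", "serialNumber",
            "jurisdictionOfIncorporationCountryName",
            "localityName", "stateOrProvinceName", "countryName")
PLACEHOLDER = re.compile(r"[.\- ]*")  # 9.2.8: '.', '-', ' ' or nothing is filler


def check_ev_subject(subject, dns_names):
    """Return the list of profile violations; an empty list means all checks pass."""
    problems = []
    for attr in REQUIRED:
        if attr not in subject:
            problems.append(f"missing required attribute {attr}")
    for attr, value in subject.items():
        if PLACEHOLDER.fullmatch(value):
            problems.append(f"{attr} holds filler value {value!r} (9.2.8)")
    if len(subject.get("organizationName", "")) > 64:
        problems.append("organizationName exceeds 64 characters (9.2.1)")
    if "businessCategory" in subject and subject["businessCategory"] not in BUSINESS_CATEGORIES:
        problems.append("businessCategory is not one of the four allowed strings (9.2.4)")
    for attr in ("jurisdictionOfIncorporationCountryName", "countryName"):
        if attr in subject and not re.fullmatch(r"[A-Z]{2}", subject[attr]):
            problems.append(f"{attr} is not a two-letter ISO country code")
    # 9.2.2: at least one dNSName, and wildcards are never allowed for EV
    if not dns_names:
        problems.append("subjectAltName must carry at least one dNSName (9.2.2)")
    for name in dns_names:
        if "*" in name:
            problems.append(f"wildcard name {name!r} not allowed (9.2.2)")
    # 9.2.3: commonName is deprecated; if present it is one non-wildcard Domain Name
    cn = subject.get("commonName")
    if cn is not None and any(ch in cn for ch in "*, "):
        problems.append("commonName must be a single non-wildcard Domain Name (9.2.3)")
    return problems


# Constructed sample Subject that satisfies every check above
SAMPLE = {"organizationName": "Example Corp.", "businessCategory": "Private Organization",
          "jurisdictionOfIncorporationStateOrProvinceName": "Delaware",
          "jurisdictionOfIncorporationCountryName": "US", "serialNumber": "1234567",
          "streetAddress": "1 Example Way", "localityName": "Wilmington",
          "stateOrProvinceName": "Delaware", "countryName": "US"}
SAMPLE_SANS = ["www.example.com", "example.com"]
```

The jurisdiction-level consistency rule of Section 9.2.5 and the "not misleading" abbreviation rule of 9.2.1 depend on the Incorporating Agency and so remain manual verification steps.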
9.3 Certificate Policy Identification
9.3.1 EV Certificate Policy Identification Requirements
This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy.
9.3.2 EV Subscriber Certificates
Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier defined by the CA in the certificate’s certificatePolicies extension that: (i) indicates which CA policy statement relates to that Certificate, (ii) asserts the CA’s adherence to and compliance with these Guidelines, and (iii), by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate.
9.3.3 Root CA Certificates
The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates.
9.3.4 EV Subordinate CA Certificates
(1) Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA.
(2) Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special anyPolicy identifier (OID: 2.5.29.32.0).
9.3.5 Subscriber Certificates
A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate’s certificatePolicies extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines.
9.4 Maximum Validity Period For EV Certificate
The validity period for an EV Certificate SHALL NOT exceed twenty-seven months. It is RECOMMENDED that EV Subscriber Certificates have a maximum validity period of twelve months.
9.5 Subscriber Public Key
The requirements in Section 9.5 of the Baseline Requirements apply equally to EV Certificates.
9.6 Certificate Serial Number
The requirements in Section 9.6 of the Baseline Requirements apply equally to EV Certificates.
9.7 Additional Technical Requirements for EV Certificates
Both Appendix A – Minimum Cryptographic Algorithms and Key Sizes of the Baseline Requirements and Appendix B – Certificate Extensions of the Baseline Requirements apply to EV Certificates with the following exceptions:
1) If a Subordinate CA Certificate is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the certificatePolicies extension MUST include the CA’s Extended Validation policy identifier. Otherwise, it MAY contain the anyPolicy identifier.
2) The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA.
certificatePolicies:policyQualifiers:policyQualifierId
id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri
HTTP URL for the Root CA's Certification Practice Statement
3) The certificatePolicies extension in EV Certificates issued to Subscribers MUST include the following:
certificatePolicies:policyIdentifier (Required)
The Issuer’s EV policy identifier
certificatePolicies:policyQualifiers:policyQualifierId (Required)
id-qt 1 [RFC 5280]
certificatePolicies:policyQualifiers:qualifier:cPSuri (Required)
HTTP URL for the Subordinate CA's Certification Practice Statement
4) The cRLDistributionPoint extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an authorityInformationAccess extension.
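The certificatePolicies and revocation-pointer rules of items 1) to 4) above, together with Section 9.3.4, can be checked on the decoded extensions before a certificate is signed. This is an added example and not code from the Guidelines or any CA; it assumes the extensions have been decoded into plain dicts and lists, uses the example OID arc 2.999 as a placeholder for the issuer's real EV policy identifier, and treats an affiliated Subordinate CA as compliant when it asserts either anyPolicy or the EV OID, which is what RFC 5280 policy processing needs for an EV chain to validate.

```python
ANY_POLICY = "2.5.29.32.0"            # special anyPolicy identifier (9.3.4)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"       # id-qt 1, the CPS-pointer qualifier of RFC 5280

# Constructed representation (not the Guidelines' own code): every policy in
# `policies` is {"policyIdentifier": oid, "qualifiers": [{"policyQualifierId": oid,
# "cPSuri": url}, ...]}; `ev_policy_oid` is the issuer's own EV policy OID.

def _cps_qualifier_ok(policy):
    """True if the policy carries an id-qt 1 qualifier whose cPSuri is an HTTP(S) URL."""
    return any(q.get("policyQualifierId") == ID_QT_CPS
               and str(q.get("cPSuri", "")).lower().startswith(("http://", "https://"))
               for q in policy.get("qualifiers", []))


def check_subordinate_ca(policies, ev_policy_oid, controlled_by_root_entity):
    """Sections 9.3.4 and 9.7(1)-(2) for a Subordinate CA certificate."""
    oids = {p["policyIdentifier"] for p in policies}
    if controlled_by_root_entity:
        # 9.3.4(2): anyPolicy is acceptable; an explicit EV OID also lets EV chains validate
        return [] if (ANY_POLICY in oids or ev_policy_oid in oids) else [
            "affiliated Subordinate CA asserts neither anyPolicy nor the EV policy"]
    problems = []
    if ev_policy_oid not in oids:
        problems.append("Subordinate CA lacks the Root CA's EV policy identifier (9.7(1))")
    elif not any(_cps_qualifier_ok(p) for p in policies
                 if p["policyIdentifier"] == ev_policy_oid):
        problems.append("EV policy lacks an id-qt 1 cPSuri for the Root CA's CPS (9.7(2))")
    return problems


def check_subscriber(policies, ev_policy_oid, ocsp_urls, crl_urls):
    """Sections 9.3.2 and 9.7(3)-(4) for an EV Subscriber certificate."""
    problems = []
    ev = [p for p in policies if p["policyIdentifier"] == ev_policy_oid]
    if not ev:
        problems.append("certificatePolicies lacks the issuer's EV policy identifier (9.7(3))")
    elif not any(_cps_qualifier_ok(p) for p in ev):
        problems.append("EV policy lacks an id-qt 1 cPSuri for the Subordinate CA's CPS (9.7(3))")
    # 9.7(4): a CRL distribution point is mandatory unless AIA names an OCSP responder
    if not ocsp_urls and not crl_urls:
        problems.append("no cRLDistributionPoint and no OCSP location in AIA (9.7(4))")
    return problems


# Constructed sample: placeholder EV policy OID under the 2.999 example arc
EV_OID = "2.999.1.1"   # placeholder, not any real CA's identifier
GOOD_POLICIES = [{"policyIdentifier": EV_OID,
                  "qualifiers": [{"policyQualifierId": ID_QT_CPS,
                                  "cPSuri": "https://cps.example.invalid/"}]}]
```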