我的书签
添加书签
移除书签- 7. CERTIFICATE, CRL, AND OCSP PROFILES
- 7.1 Certificate profile
- Root CA Certificate
- Intermediate CA Certificate
- DV-SSL End Entity Certificate
- Root OCSP Signing Certificate
- 7.1.1 Version number(s)
- 7.1.2 Certificate extensions
- 7.1.3 Algorithm object identifiers
- 7.1.4 Name forms
- 7.1.5 Name constraints
- 7.1.6 Certificate policy object identifier
- 7.1.7 Usage of Policy Constraints extension
- 7.1.8 Policy qualifiers syntax and semantics
- 7.1.9 Processing semantics for the critical Certificate Policies extension
- 7.2 CRL profile
- 7.3 OCSP profile
- 7.1 Certificate profile
7. CERTIFICATE, CRL, AND OCSP PROFILES
7.1 Certificate profile
All fields are as specified in RFC5280, including fields and extensions not specifically mentioned. Extensions are not marked critical unless specifically described here as critical.
Root CA Certificate
| Field or extension | Value |
|---|---|
| Serial Number | Must be unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | C=US, O=Internet Security Research Group, CN=ISRG Root X<n> where n is an integer representing the instance of the Root CA Certificate. For example, ISRG Root X1, ISRG Root X2, etc. |
| Subject Distinguished Name | Same as Issuer DN |
| Validity Period | Up to 25 years |
| Basic Constraints | Critical. cA=True, pathLength constraint absent |
| Key Usage | Critical. keyCertSign, cRLSign |
Intermediate CA Certificate
| Field or extension | Value |
|---|---|
| Serial Number | Must be unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | Derived from Issuer certificate |
| Subject Distinguished Name | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X<n> where n is an integer representing the instance of the Subordinate CA Certificate |
| Validity Period | Up to 8 years |
| Basic Constraints | Critical. cA=True, pathLength constraint 0 |
| Key Usage | Critical. keyCertSign, cRLSign, digitalSignature |
| Extended Key Usage | TLS Server Authentication, TLS Client Authentication |
| Certificate Policies | CAB Forum Domain Validated (2.23.140.1.2.1) ISRG Domain Validated (1.3.6.1.4.1.44947.1.1.1) Policy Qualifier Id=CPS Qualifier: Pointer to this CPS |
| Authority Information Access | Contains CA Issuers URL and OCSP URL. URLs vary based on Issuer. |
| CRL Distribution Points | Contains a CRL URL. URL varies based on Issuer. |
DV-SSL End Entity Certificate
| Field or extension | Value |
|---|---|
| Serial Number | Must be unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | Derived from Issuer certificate |
| Subject Distinguished Name | CN=one of the values from the Subject Alternative Name extension |
| Validity Period | 90 days |
| Basic Constraints | Critical. cA=False |
| Key Usage | Critical. digitalSignature, keyEncipherment |
| Extended Key Usage | TLS Server Authentication, TLS Client Authentication |
| Certificate Policies | CAB Forum Domain Validated (2.23.140.1.2.1) ISRG Domain Validated (1.3.6.1.4.1.44947.1.1.1) CPS Qualifier: Pointer to this CPS |
| Authority Information Access | Contains CA Issuers URL and OCSP URL. URLs vary based on Issuer. |
| Subject Public Key | RSA with modulus between 2048 and 4096, inclusive; or namedCurve P-256; or namedCurve P-384 |
| Subject Alternative Name | A sequence of 1 to 100 dNSNames |
| TLS Feature | Contains status_request if requested by the subscriber in the CSR |
| Precertificate poison | Per RFC 6962. In Precertificates only. |
| Signed Certificate Timestamp List | Per RFC 6962. In final certificates only. |
Root OCSP Signing Certificate
Signed by a Root CA Certificate, these Certificates sign OCSP responses for Intermediate CA Certificates.
| Field or extension | Value |
|---|---|
| Serial Number | Must be unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | C=US, O=Internet Security Research Group, CN=ISRG Root X<n> |
| Subject Distinguished Name | C=US, O=Internet Security Research Group, CN=ISRG Root OCSP X<n> |
| Validity Period | 5 years |
| Basic Constraints | Critical. cA=False |
| Key Usage | Critical. digitalSignature |
| Extended Key Usage | Critical. OCSPSigning |
| No Check | Present |
7.1.1 Version number(s)
All certificates use X.509 version 3.
7.1.2 Certificate extensions
See section 7.1.
7.1.3 Algorithm object identifiers
| Name | Object identifier |
|---|---|
| sha256WithRSAEncryption | 1.2.840.113549.1.1.11 |
7.1.4 Name forms
See ISRG Certificate Policy.
7.1.5 Name constraints
No stipulation.
7.1.6 Certificate policy object identifier
See section 7.1.
7.1.7 Usage of Policy Constraints extension
Not applicable.
7.1.8 Policy qualifiers syntax and semantics
See section 7.1.
7.1.9 Processing semantics for the critical Certificate Policies extension
Not applicable.
7.2 CRL profile
| Field or Extension | Value |
|---|---|
| Version | V2 |
| Signature Algorithm | sha256WithRSAEncryption |
| ThisUpdate | The date and time when the Certificate revocation list was issued. |
| NextUpdate | ThisUpdate + 30 days |
| RevokedCertificates | Contains: userCertificate, revocationDate, reasonCode |
| CRLnumber | The serial number of this CRL in an incrementally increasing sequence of CRLs. |
7.2.1 Version number(s)
See section 7.2.
7.2.2 CRL and CRL entry extensions
No stipulation.
7.3 OCSP profile
ISRG OCSP responders implement the RFC 5019 profile of RFC 6960.
7.3.1 Version number(s)
No stipulation.
7.3.2 OCSP extensions
No stipulation.
当前内容版权归 Let's Encrypt 或其关联方所有,如需对内容或内容相关联开源项目进行关注与资助,请访问 Let's Encrypt .
