Certificate profiles
Entrust provides the certificate profiles described in the following sections.
See below for the practice statement on these profiles.
- Version numbers
- Certificate extensions
- Algorithm object identifiers
- Name forms
- Name Constraints
- Certificate Policy Object Identifier
- Usage of policy constraints extension
- Policy qualifiers syntax and semantics
- Processing semantics for the critical certificate policy extension
Version numbers
The CA issues X.509 v3 Certificates (version field populated with integer 2).
Certificate extensions
Certificate extensions meet RFC 5280 specifications.
Algorithm object identifiers
Certificates issued under this CPS must be signed with one of the following signature algorithm OIDs.
| Signature algorithm ID | OID |
|---|---|
| sha256WithRSAEncryption | {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11} |
| sha384WithRSAEncryption | {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 12} |
| sha512WithRSAEncryption | {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 13} |
| ecdsa-with-SHA256 | {iso(1) member-body(2) us(840) ansi-x962(10045) signatures(4) ecdsa-with-SHA2(3) 2} |
| ecdsa-with-SHA384 | {iso(1) member-body(2) us(840) ansi-x962(10045) signatures(4) ecdsa-with-SHA2(3) 3} |
| ecdsa-with-SHA512 | {iso(1) member-body(2) us(840) ansi-x962(10045) signatures(4) ecdsa-with-SHA2(3) 4} |
Certificates under this CPS use the following OIDs to identify the algorithm that generated the subject key.
| Algorithm ID | OID |
|---|---|
| rsaEncryption | {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1} |
| ecPublicKey | {iso(1) member-body(2) us(840) ansi-x962(10045) keyType(2) 1} |
For certificates whose subject public key is an elliptic curve key (ecPublicKey), the following OIDs identify the EC named curve carried in the AlgorithmIdentifier parameters.
| Named curve | OID |
|---|---|
| ECDSA P-256 | {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) 7} |
| ECDSA P-384 | {iso(1) identified-organization(3) certicom(132) curve(0) 34} |
| ECDSA P-521 | {iso(1) identified-organization(3) certicom(132) curve(0) 35} |
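The three tables above give each permitted algorithm in ASN.1 arc notation; in a certificate they appear as DER-encoded OBJECT IDENTIFIERs in the signatureAlgorithm and subjectPublicKeyInfo fields. The following Python is an added example (not Entrust's code and not part of this CPS) showing how the arc notation maps to dotted OIDs, how those OIDs are DER-encoded and decoded, and how a profile checker can fail closed on any OID the tables do not list. The dictionaries are transcribed from the tables; the function names and the sample sha1WithRSAEncryption OID used in the usage note are the example's own.

```python
import re
from typing import Tuple

# OIDs transcribed from the three profile tables above, in dotted form.
SIGNATURE_OIDS = {
    "sha256WithRSAEncryption": "1.2.840.113549.1.1.11",
    "sha384WithRSAEncryption": "1.2.840.113549.1.1.12",
    "sha512WithRSAEncryption": "1.2.840.113549.1.1.13",
    "ecdsa-with-SHA256": "1.2.840.10045.4.3.2",
    "ecdsa-with-SHA384": "1.2.840.10045.4.3.3",
    "ecdsa-with-SHA512": "1.2.840.10045.4.3.4",
}
KEY_OIDS = {
    "rsaEncryption": "1.2.840.113549.1.1.1",
    "ecPublicKey": "1.2.840.10045.2.1",
}
CURVE_OIDS = {
    "P-256": "1.2.840.10045.3.1.7",
    "P-384": "1.3.132.0.34",
    "P-521": "1.3.132.0.35",
}


def arc_notation_to_dotted(arcs: str) -> str:
    """Convert ASN.1 arc notation, e.g. '{iso(1) member-body(2) us(840) 11}',
    to dotted form '1.2.840.11'. Named arcs carry their number in parentheses;
    a bare integer (the last arc in the tables) is taken as-is."""
    out = []
    for tok in arcs.strip("{} \t").split():
        m = re.fullmatch(r"(?:[\w.-]+\()?(\d+)\)?", tok)
        if not m:
            raise ValueError(f"unrecognised arc token {tok!r}")
        out.append(m.group(1))
    return ".".join(out)


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV (tag 0x06).
    The first two arcs are merged into one sub-identifier (40*X + Y); each
    sub-identifier is then written base-128, high bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:  # short-form length suffices for every OID in the profile
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV back to dotted form, rejecting a wrong
    tag, a length mismatch, a non-minimal leading 0x80 byte and a truncated
    sub-identifier, so a hostile encoding cannot alias a permitted OID."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length == 0 or length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    subids, acc, first_byte = [], 0, True
    for b in der[2:]:
        if first_byte and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        acc = (acc << 7) | (b & 0x7F)
        first_byte = False
        if not b & 0x80:
            subids.append(acc)
            acc, first_byte = 0, True
    if not first_byte:
        raise ValueError("truncated sub-identifier")
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def classify(der: bytes) -> Tuple[str, str]:
    """Map a DER OID taken from an AlgorithmIdentifier to (table, name).
    Raises ValueError for anything the profile does not list, so a checker fails closed."""
    dotted = decode_oid(der)
    for table_name, table in (("signature", SIGNATURE_OIDS), ("key", KEY_OIDS), ("curve", CURVE_OIDS)):
        for name, value in table.items():
            if value == dotted:
                return table_name, name
    raise ValueError(f"OID {dotted} is not permitted by this profile")


def is_permitted(der: bytes) -> bool:
    """Boolean wrapper around classify() for use in a profile conformance check."""
    try:
        classify(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, dotted in {**SIGNATURE_OIDS, **KEY_OIDS, **CURVE_OIDS}.items():
        print(f"{name:26s} {dotted:24s} {encode_oid(dotted).hex()}")
```

Feeding the signatureAlgorithm OID bytes of a certificate to `classify()` gives the table and name; a legacy OID such as sha1WithRSAEncryption (1.2.840.113549.1.1.5, DER `06 09 2a 86 48 86 f7 0d 01 01 05`) is rejected rather than silently accepted. The decoder deliberately refuses non-minimal sub-identifier encodings, since a lenient decoder could be made to read a differently encoded byte string as one of the permitted OIDs.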
Name forms
The content of the certificate issuer DN field will match the subject DN of the issuing CA to support name chaining as specified in RFC 5280, section 4.1.2.4.
Name Constraints
CA Certificates do not use the nameConstraints extension field.
Certificate Policy Object Identifier
See below for the practice statement on certificate policy object identifiers.
- Reserved certificate policy identifiers: No stipulation.
- Root CA certificates: Root CA Certificates do not contain certificate policy object identifiers.
- Issuing CA certificates: No stipulation.
- Subscriber certificates: No stipulation.
Usage of policy constraints extension
CA certificates do not use the policyConstraints extension.
Policy qualifiers syntax and semantics
No stipulation.
Processing semantics for the critical certificate policy extension
PKIaaS marks the certificate policies extension as Not Critical.