basic
Entrust provides the following basic profiles for authorities.
| Profile | Authority type |
|---|---|
| basic-ca-root | Root certificate authority |
| basic-ocsp | Validation authority |
These profiles are described below.
⚠ These profiles are neither exposed nor configurable. External root CAs are not covered by these profiles.
Certificate fields
Entrust authority profiles set the following certificate fields.
| Field | basic-ca-root | basic-ocsp |
|---|---|---|
| Issuer | Self-signed | Customer’s online root/issuing CA |
| Subject | No constraint | No constraint |
| Validity period | Less than or equal to 20 years | 30 days |
Certificate critical extensions
Entrust authority profiles set the following certificate critical extensions.
| Extension | basic-ca-root | basic-ocsp |
|---|---|---|
| Basic Constraints | cA=True | cA=False |
| Extended Key Usage | Never present | OCSP Signing |
| Key Usage | digitalSignature, keyCertSign, cRLSign | digitalSignature, keyCertSign, cRLSign |
Certificate non-critical extensions
Entrust authority profiles set the following non-critical certificate extensions.
| Extension | basic-ca-root | basic-ocsp |
|---|---|---|
| AIA | Never present | Always present |
| Authority Key Identifier | Never present | Matches the subjectKeyIdentifier of the signing certificate |
| CRL Distribution Points | Never present (not applicable) | Always present |
| OCSP | Never present | No check |
| Subject Key Identifier | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
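
The Subject Key Identifier rule in the table above can be checked independently when auditing an issued certificate. The following Python sketch is an added example, not Entrust code: it extracts the subjectPublicKey BIT STRING from a DER-encoded SubjectPublicKeyInfo and derives the identifier as RFC 7093 section 2 describes. The function names and the sample key bytes are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def subject_public_key_bits(spki_der):
    """Value of the subjectPublicKey BIT STRING, without tag, length or unused-bits octet."""
    tag, body, end = read_tlv(spki_der, 0)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("not a single SubjectPublicKeyInfo SEQUENCE")
    tag, _algorithm, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, bits, end = read_tlv(body, pos)
    if tag != 0x03 or end != len(body) or not bits or bits[0] != 0:
        raise ValueError("missing or unsupported subjectPublicKey BIT STRING")
    return bits[1:]

def ski_rfc7093(spki_der):
    """Leftmost 160 bits of SHA-256 over the subjectPublicKey value."""
    return hashlib.sha256(subject_public_key_bits(spki_der)).digest()[:20]

def ski_matches_profile(spki_der, ski_extension_value):
    """True when a certificate's SKI octets follow the profile's derivation."""
    return ski_extension_value == ski_rfc7093(spki_der)

# Constructed sample: Ed25519 SubjectPublicKeyInfo with placeholder key bytes 00..1f.
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + SAMPLE_KEY

if __name__ == "__main__":
    print("SKI:", ski_rfc7093(SAMPLE_SPKI).hex())
    legacy = hashlib.sha1(SAMPLE_KEY).digest()  # RFC 5280 method 1, for comparison
    print("legacy SHA-1 SKI accepted:", ski_matches_profile(SAMPLE_SPKI, legacy))
```

The hash input is only the key bits, so hashing the whole SubjectPublicKeyInfo or using the SHA-1 derivation from RFC 5280 yields a different identifier and fails the comparison.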