intermediate
Entrust provides an intermediate-ca-subord profile for the certificate authorities that are neither root nor certificate issuing certificate authorities.
⚠ These profiles are not exposed nor configurable. External root CAs are not covered by these profiles.
Certificate fields
The intermediate-ca-subord profile sets the following certificate fields.
| Field | Value |
|---|---|
| Issuer | Customer’s online root CA |
| Subject | No constraint |
| Validity period | Less than or equal to 10 years |
Certificate critical extensions
The intermediate-ca-subord profile sets the following certificate critical extensions.
| Extension | basic-ca-subord |
|---|---|
| Basic Constraints | cA=True |
| Extended Key Usage | Never present |
| Key Usage | digitalSignature, keyCertSign, cRLSign |
Certificate non-critical extensions
The intermediate-ca-subord profile sets the following non-critical certificate extensions.
| Extension | basic-ca-subord |
|---|---|
| AIA | Supplied when the customer enables OCSP on CA creation |
| Authority Key Identifier | Matches the subjectKeyIdentifier of the signing certificate |
| CRL Distribution Points | Always present |
| OCSP | Never present |
| Subject Key Identifier | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |