cmp
Entrust PKIaaS provides the following CMPv2 certificate profiles.
- cmp-digital-signature
- cmp-digital-signature-key-encipherment
- cmp-key-encipherment
- cmp-non-repudiation
These profiles support the following features.
Use cases
All CMPv2 certificate profiles support the CA Gateway API use case.
Key usages
See below the Key Usage extension values supported by each CMPv2 profile.
| Profile | Key Usage |
|---|---|
cmp-digital-signature |
Digital Signature |
cmp-digital-signature-key-encipherment |
Digital Signature, Key Encipherment |
cmp-key-encipherment |
Key Encipherment |
cmp-non-repudiation |
Digital Signature, Non-Repudiation |
Request extensions
All CMPv2 certificate profiles support the following extensions in the request.
| Extension name | Extension OID |
|---|---|
| Application Policies | 1.3.6.1.4.1.311.21.10 |
| Certificate Policies | 2.5.29.32 |
| Extended Key Usage | 2.5.29.37 |
| MSTemplateName | 1.3.6.1.4.1.311.20.2 |
| MSTemplateOID | 1.3.6.1.4.1.311.21.7 |
| Smime Capabilities | 1.2.840.113549.1.9.15 |
| szOID_NTDS_CA_SECURITY_EXT | 1.3.6.1.4.1.311.25.2 |
Certificate fields
All CMPv2 certificate profiles set the following certificate fields.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Certificate extensions
The CMPv2 certificate profiles set the following certificate extensions.
| Extension | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches the subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=False |
| CRL Distribution Points | No | Always present |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Distinguished names
Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
| CN, CommonName | 2.5.4.3 |
| SN, SurName | 2.5.4.4 |
| SERIALNUMBER, DeviceSerialNumber | 2.5.4.5 |
| C, Country | 2.5.4.6 |
| L, Locality | 2.5.4.7 |
| ST, S, State | 2.5.4.8 |
| STREET, StreetAddress | 2.5.4.9 |
| O, Org, Organization | 2.5.4.10 |
| OU, OrganizationalUnit, OrganizationUnit, OrgUnit | 2.5.4.11 |
| T, Title | 2.5.4.12 |
| BUSINESSCATEGORY | 2.5.4.15 |
| POSTALCODE | 2.5.4.17 |
| givenName, G | 2.5.4.42 |
| I, Initials | 2.5.4.43 |
| ORGANIZATIONIDENTIFIER | 2.5.4.97 |
| UID | 0.9.2342.19200300.100.1.1 |
| DC, DomainComponent | 0.9.2342.19200300.100.1.25 |
| Email, E | 1.2.840.113549.1.9.1 |
| unstructuredName | 1.2.840.113549.1.9.2 |
| unstructuredAddress | 1.2.840.113549.1.9.8 |
| JurisdictionOfIncorporationLocalityName | 1.3.6.1.4.1.311.60.2.1.1 |
| JurisdictionOfIncorporationStateOrProvinceName | 1.3.6.1.4.1.311.60.2.1.2 |
| JurisdictionOfIncorporationCountryName | 1.3.6.1.4.1.311.60.2.1.3 |
| TrademarkOfficeName | 1.3.6.1.4.1.53087.1.2 |
| TrademarkCountryOrRegionName | 1.3.6.1.4.1.53087.1.3 |
| TrademarkRegistration | 1.3.6.1.4.1.53087.1.4 |
| LegalEntityIdentifier | 1.3.6.1.4.1.53087.1.5 |
| WordMark | 1.3.6.1.4.1.53087.1.6 |
| MarkType | 1.3.6.1.4.1.53087.1.13 |
| StatuteCountryName | 1.3.6.1.4.1.53087.3.2 |
| StatuteStateOrProvinceName | 1.3.6.1.4.1.53087.3.3 |
| StatuteLocalityName | 1.3.6.1.4.1.53087.3.4 |
| StatuteCitation | 1.3.6.1.4.1.53087.3.5 |
| StatuteURL | 1.3.6.1.4.1.53087.3.6 |