multiuse
Entrust PKIaaS provides the following multiuse certificate profiles.
- multiuse-p12-client
- multiuse-p12-client-server
- multiuse-p12-custom
- multiuse-p12-key-data-encipherment-non-repudiation-client
- multiuse-p12-key-data-encipherment-non-repudiation-client-server
- multiuse-p12-key-encipherment-client
- multiuse-p12-key-encipherment-client-server
- multiuse-p12-key-encipherment-custom
- multiuse-p12-key-encipherment-non-repudiation-client
- multiuse-p12-key-encipherment-non-repudiation-client-server
- multiuse-p12-key-encipherment-non-repudiation-custom
- multiuse-p12-key-encipherment-non-repudiation-server
- multiuse-p12-key-encipherment-server
- multiuse-p12-non-repudiation-client
- multiuse-p12-non-repudiation-client-server
- multiuse-p12-non-repudiation-custom
- multiuse-p12-non-repudiation-server
- multiuse-p12-server
These profiles support the following features.
- Use cases
- Key usages
- Certificate request extensions
- Certificate fields
- Certificate extensions
- Distinguished names
Use cases
All multiuse profiles support the CA Gateway API use case.
Key usages
The following table lists the Key Usage and Extended Key Usage (EKU) extension values each multiuse profile supports.
| Profile name | Key Usage | Extended Key Usage | Allows Extended Key Usage in request |
|---|---|---|---|
| multiuse-p12-client | Digital Signature, Key Agreement | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2) | No |
| multiuse-p12-client-server | Digital Signature, Key Agreement | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-custom | Digital Signature, Key Agreement | No constraints | Yes |
| multiuse-p12-key-data-encipherment-non-repudiation-client | Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2) | No |
| multiuse-p12-key-data-encipherment-non-repudiation-client-server | Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2) | No |
| multiuse-p12-key-encipherment-client | Digital Signature, Key Agreement, Key Encipherment | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2) | No |
| multiuse-p12-key-encipherment-client-server | Digital Signature, Key Agreement, Key Encipherment | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-key-encipherment-custom | Digital Signature, Key Agreement, Key Encipherment | No constraints | Yes |
| multiuse-p12-key-encipherment-non-repudiation-client | Digital Signature, Key Agreement, Key Encipherment, Non-Repudiation | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2) | No |
| multiuse-p12-key-encipherment-non-repudiation-client-server | Digital Signature, Key Agreement, Key Encipherment, Non-Repudiation | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-key-encipherment-non-repudiation-custom | Digital Signature, Key Agreement, Key Encipherment, Non-Repudiation | No constraints | Yes |
| multiuse-p12-key-encipherment-non-repudiation-server | Digital Signature, Key Agreement, Key Encipherment, Non-Repudiation | TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-key-encipherment-server | Digital Signature, Key Agreement, Key Encipherment | TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-non-repudiation-client | Digital Signature, Key Agreement, Non-Repudiation | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2) | No |
| multiuse-p12-non-repudiation-client-server | Digital Signature, Key Agreement, Non-Repudiation | TLS client Authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-non-repudiation-custom | Digital Signature, Key Agreement, Non-Repudiation | No constraints | Yes |
| multiuse-p12-non-repudiation-server | Digital Signature, Key Agreement, Non-Repudiation | TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
| multiuse-p12-server | Digital Signature, Key Agreement | TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) | No |
Certificate request extensions
All multiuse profiles support the following non-critical extensions in the request.
| Extension name | Extension OID |
|---|---|
| Application Policies | 1.3.6.1.4.1.311.21.10 |
| Certificate Policies | 2.5.29.32 |
Certificate fields
All multiuse profiles set the following certificate fields.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint. |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Certificate extensions
All multiuse profiles set the following certificate extensions.
| Extension | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches the subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=True, pathLenConstraint=1 |
| CRL Distribution Points | No | Always present |
| Key Usage | Yes | Certificate Signing, CRL Signing, Digital Signature |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
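The Subject Key Identifier rule in the table above can be checked independently of the CA. The following is an added example, not Entrust code: it computes the RFC 7093 section 2 identifier from a DER-encoded SubjectPublicKeyInfo using only the Python standard library. The function names and the sample key bytes are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, up to 4 octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end

def public_key_bits(spki):
    """Extract the subjectPublicKey BIT STRING value from a SubjectPublicKeyInfo."""
    tag, start, end = read_tlv(spki, 0)           # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _, alg_end = read_tlv(spki, start)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, key_start, key_end = read_tlv(spki, alg_end)
    if tag != 0x03 or key_end != end:
        raise ValueError("expected a single trailing BIT STRING")
    if spki[key_start] != 0:
        raise ValueError("unexpected unused bits in subjectPublicKey")
    # The hash input excludes the tag, the length and the unused-bits octet.
    return spki[key_start + 1:key_end]

def rfc7093_ski(spki):
    """Leftmost 160 bits of SHA-256 over the subjectPublicKey value."""
    return hashlib.sha256(public_key_bits(spki)).digest()[:20]

# Constructed sample: Ed25519-style SPKI header followed by 32 placeholder key bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + SAMPLE_KEY

if __name__ == "__main__":
    print("SKI:", rfc7093_ski(SAMPLE_SPKI).hex())
```

Compare the result with the Subject Key Identifier extension of the issued certificate. A mismatch usually means the hash was taken over the whole SubjectPublicKeyInfo, or with SHA-1 as in the older RFC 5280 method.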
Distinguished names
Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
| CN, CommonName | 2.5.4.3 |
| SN, SurName | 2.5.4.4 |
| SERIALNUMBER, DeviceSerialNumber | 2.5.4.5 |
| C, Country | 2.5.4.6 |
| L, Locality | 2.5.4.7 |
| ST, S, State | 2.5.4.8 |
| STREET, StreetAddress | 2.5.4.9 |
| O, Org, Organization | 2.5.4.10 |
| OU, OrganizationalUnit, OrganizationUnit, OrgUnit | 2.5.4.11 |
| T, Title | 2.5.4.12 |
| BUSINESSCATEGORY | 2.5.4.15 |
| POSTALCODE | 2.5.4.17 |
| givenName, G | 2.5.4.42 |
| I, Initials | 2.5.4.43 |
| ORGANIZATIONIDENTIFIER | 2.5.4.97 |
| UID | 0.9.2342.19200300.100.1.1 |
| DC, DomainComponent | 0.9.2342.19200300.100.1.25 |
| Email, E | 1.2.840.113549.1.9.1 |
| unstructuredName | 1.2.840.113549.1.9.2 |
| unstructuredAddress | 1.2.840.113549.1.9.8 |
| JurisdictionOfIncorporationLocalityName | 1.3.6.1.4.1.311.60.2.1.1 |
| JurisdictionOfIncorporationStateOrProvinceName | 1.3.6.1.4.1.311.60.2.1.2 |
| JurisdictionOfIncorporationCountryName | 1.3.6.1.4.1.311.60.2.1.3 |
| TrademarkOfficeName | 1.3.6.1.4.1.53087.1.2 |
| TrademarkCountryOrRegionName | 1.3.6.1.4.1.53087.1.3 |
| TrademarkRegistration | 1.3.6.1.4.1.53087.1.4 |
| LegalEntityIdentifier | 1.3.6.1.4.1.53087.1.5 |
| WordMark | 1.3.6.1.4.1.53087.1.6 |
| MarkType | 1.3.6.1.4.1.53087.1.13 |
| StatuteCountryName | 1.3.6.1.4.1.53087.3.2 |
| StatuteStateOrProvinceName | 1.3.6.1.4.1.53087.3.3 |
| StatuteLocalityName | 1.3.6.1.4.1.53087.3.4 |
| StatuteCitation | 1.3.6.1.4.1.53087.3.5 |
| StatuteURL | 1.3.6.1.4.1.53087.3.6 |