privatessl
Entrust PKIaaS provides the following Private SSL (ACMEv2) certificate profiles.
privatessl-tls-clientprivatessl-tls-client-serverprivatessl-tls-client-server-data-enciphermentprivatessl-tls-client-server-supply-sanprivatessl-tls-serverprivatessl-tls-server-supply-san
These profiles support the following features.
- Use cases
- Key usages
- Private SSL fillsandnswithcn
- Certificate request extensions
- Certificate fields
- Certificate extensions
- Distinguished names
Use cases
All private SSL profiles support the CA Gateway API use case.
Key usages
See below the Key Usage and Extended Key Usage (EKU) extension values each private SSL profile supports.
| Profile | Key Usage | Extended Key Usage |
|---|---|---|
privatessl-tls-client |
Digital Signature | TLS client authentication (with OID 1.3.6.1.5.5.7.3.2) |
privatessl-tls-client-server |
Digital Signature | TLS client authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) |
privatessl-tls-client-server-data-encipherment |
Digital Signature, Data Encipherment | TLS client authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) |
privatessl-tls-client-server-supply-san |
Digital Signature | TLS client authentication (with OID 1.3.6.1.5.5.7.3.2), TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) |
privatessl-tls-server |
Digital Signature | TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) |
privatessl-tls-server-supply-san |
Digital Signature | TLS server authentication (with OID 1.3.6.1.5.5.7.3.1) |
Private SSL fill_san_dns_with_cn
When the fill_san_dns_with_cn parameter is True, the profile copies in the SubjectAltname extension all the CN fields:
- included in the Subject extension, and
- not already in the
SubjectAltnameextension (to avoid duplicate entries).
See below for the value of this parameter in each profile.
| Profile | fill_sans_dn_with_cn |
|---|---|
privatessl-tls-client |
False |
privatessl-tls-client-server |
False |
privatessl-tls-client-server-data-encipherment |
False |
privatessl-tls-client-server-supply-san |
True |
privatessl-tls-server |
False |
privatessl-tls-server-supply-san |
True |
Certificate request extensions
All private SSL profiles support the following non-critical extensions in request.
| Extension name | Extension OID |
|---|---|
| Application Policies | 1.3.6.1.4.1.311.21.10 |
| Certificate Policies | 2.5.29.32 |
Certificate fields
All private SSL profiles set the following certificate extensions.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint. |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Certificate extensions
All private SSL profiles set the following certificate extension values.
| Extension name | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=False |
| CRL Distribution Points | No | Always present |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Distinguished names
Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
CN, CommonName |
2.5.4.3 |
SN, SurName |
2.5.4.4 |
SERIALNUMBER, DeviceSerialNumber |
2.5.4.5 |
C, Country |
2.5.4.6 |
L, Locality |
2.5.4.7 |
ST, S, State |
2.5.4.8 |
STREET, StreetAddress |
2.5.4.9 |
O, Org, Organization |
2.5.4.10 |
OU, OrganizationalUnit, OrganizationUnit, OrgUnit |
2.5.4.11 |
T, Title |
2.5.4.12 |
BUSINESSCATEGORY |
2.5.4.15 |
POSTALCODE |
2.5.4.17 |
givenName, G |
2.5.4.42 |
I, Initials |
2.5.4.43 |
ORGANIZATIONIDENTIFIER |
2.5.4.97 |
UID |
0.9.2342.19200300.100.1.1 |
DC, DomainComponent |
0.9.2342.19200300.100.1.25 |
Email, E |
1.2.840.113549.1.9.1 |
unstructuredName |
1.2.840.113549.1.9.2 |
unstructuredAddress |
1.2.840.113549.1.9.8 |
JurisdictionOfIncorporationLocalityName |
1.3.6.1.4.1.311.60.2.1.1 |
JurisdictionOfIncorporationStateOrProvinceName |
1.3.6.1.4.1.311.60.2.1.2 |
JurisdictionOfIncorporationCountryName |
1.3.6.1.4.1.311.60.2.1.3 |
TrademarkOfficeName |
1.3.6.1.4.1.53087.1.2 |
TrademarkCountryOrRegionName |
1.3.6.1.4.1.53087.1.3 |
TrademarkRegistration |
1.3.6.1.4.1.53087.1.4 |
LegalEntityIdentifier |
1.3.6.1.4.1.53087.1.5 |
WordMark |
1.3.6.1.4.1.53087.1.6 |
MarkType |
1.3.6.1.4.1.53087.1.13 |
StatuteCountryName |
1.3.6.1.4.1.53087.3.2 |
StatuteStateOrProvinceName |
1.3.6.1.4.1.53087.3.3 |
StatuteLocalityName |
1.3.6.1.4.1.53087.3.4 |
StatuteCitation |
1.3.6.1.4.1.53087.3.5 |
StatuteURL |
1.3.6.1.4.1.53087.3.6 |