smartcard

Entrust PKIaaS provides the following smartcard certificate profiles.

These profiles support the following features.

Use cases

All smartcard profiles support the CA Gateway API use case.

See below the Key Usage and Extended Key Usage (EKU) extension values each smartcard profile supports.

Profile	Key Usage	Extended Key Usage	Allowed in request
`smartcard-card-authentication`	Digital Signature	No constraints	PIV Interim Indicator (with OID `2.16.840.1.101.3.6.9.1`), Security ID (with OID `1.3.6.1.4.1.311.25.2`)
`smartcard-digital-signature`	Digital Signature, Non-Repudiation	No constraints	PIV Interim Indicator (with OID `2.16.840.1.101.3.6.9.1`), Security ID (with OID `1.3.6.1.4.1.311.25.2`)
`smartcard-domain-controller`	Digital Signature, Key Encipherment	TLS server authentication (with OID `1.3.6.1.5.5.7.3.1`), TLS client authentication (with OID `1.3.6.1.5.5.7.3.2`)	—
`smartcard-key-management`	Key Encipherment	No constraints	PIV Interim Indicator (with OID `2.16.840.1.101.3.6.9.1`), Security ID (with OID `1.3.6.1.4.1.311.25.2`)
`smartcard-piv-authentication`	Digital Signature	Any Extended Key Usage (with OID `2.5.29.37.0`), Microsoft Smart Card Login (with OID `1.3.6.1.4.1.311.20.2.2`), TLS client authentication (with OID `1.3.6.1.5.5.7.3.2`)	PIV Interim Indicator (with OID `2.16.840.1.101.3.6.9.1`), Security ID (with OID `1.3.6.1.4.1.311.25.2`)
`smartcard-piv-content-signing`	Digital Signature, Non-Repudiation	No constraints	—

All smartcard profiles set the following certificate fields.

Field	Value
Issuer	Customer’s subordinate issuing CA
Subject	No constraint
Validity period	Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request

All smartcard profiles set the following certificate extensions.

Extension	Critical	Value
AIA	No	Supplied if the customer enables OCSP when creating the CA
Authority Key Identifier	No	Matches the `subjectKeyIdentifier` of the signing certificate
Basic Constraints	Yes	`cA=False`
CRL Distribution Points	No	Always present
Subject Alternative Name	No	No constraints
Subject Key Identifier	No	«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2

Entrust PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias	OID
`CN`, `CommonName`	`2.5.4.3`
`SN`, `SurName`	`2.5.4.4`
`SERIALNUMBER`, `DeviceSerialNumber`	`2.5.4.5`
`C`, `Country`	`2.5.4.6`
`L`, `Locality`	`2.5.4.7`
`ST`, `S`, `State`	`2.5.4.8`
`STREET`, `StreetAddress`	`2.5.4.9`
`O`, `Org`, `Organization`	`2.5.4.10`
`OU`, `OrganizationalUnit`, `OrganizationUnit`, `OrgUnit`	`2.5.4.11`
`T`, `Title`	`2.5.4.12`
`BUSINESSCATEGORY`	`2.5.4.15`
`POSTALCODE`	`2.5.4.17`
`givenName`, `G`	`2.5.4.42`
`I`, `Initials`	`2.5.4.43`
`ORGANIZATIONIDENTIFIER`	`2.5.4.97`
`UID`	`0.9.2342.19200300.100.1.1`
`DC`, `DomainComponent`	`0.9.2342.19200300.100.1.25`
`Email`, `E`	`1.2.840.113549.1.9.1`
`unstructuredName`	`1.2.840.113549.1.9.2`
`unstructuredAddress`	`1.2.840.113549.1.9.8`
`JurisdictionOfIncorporationLocalityName`	`1.3.6.1.4.1.311.60.2.1.1`
`JurisdictionOfIncorporationStateOrProvinceName`	`1.3.6.1.4.1.311.60.2.1.2`
`JurisdictionOfIncorporationCountryName`	`1.3.6.1.4.1.311.60.2.1.3`
`TrademarkOfficeName`	`1.3.6.1.4.1.53087.1.2`
`TrademarkCountryOrRegionName`	`1.3.6.1.4.1.53087.1.3`
`TrademarkRegistration`	`1.3.6.1.4.1.53087.1.4`
`LegalEntityIdentifier`	`1.3.6.1.4.1.53087.1.5`
`WordMark`	`1.3.6.1.4.1.53087.1.6`
`MarkType`	`1.3.6.1.4.1.53087.1.13`
`StatuteCountryName`	`1.3.6.1.4.1.53087.3.2`
`StatuteStateOrProvinceName`	`1.3.6.1.4.1.53087.3.3`
`StatuteLocalityName`	`1.3.6.1.4.1.53087.3.4`
`StatuteCitation`	`1.3.6.1.4.1.53087.3.5`
`StatuteURL`	`1.3.6.1.4.1.53087.3.6`