====== Public Key Infrastructure ======

===== Good extensions for certificates =====

==== Root CA ====

<code>
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:...:xx:xx:xx
</code>

==== Intermediate CA ====

<code>
Serial Number:
    xx:xx:xx:xx:...:xx
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    X509v3 Subject Key Identifier:
        xx:xx:xx:xx:...:xx
    X509v3 Authority Key Identifier:
        keyid:xx:xx:xx:xx:...:xx
    Authority Information Access:
        OCSP - URI:http://ocsp.example.com/root
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl.example.com/root.crl
    X509v3 Certificate Policies:
        Policy: X509v3 Any Policy
          CPS: https://www.example.com/repository/
</code>

==== User certificate ====

==== Server certificate ====

<code>
Serial Number:
    xx:xx:xx:xx:xx:xx:...:xx:xx
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    Authority Information Access:
        CA Issuers - URI:http://www.example.com/cacert/cert-inter.crt
        OCSP - URI:http://ocsp.example.com/cert-inter
    X509v3 Certificate Policies:
        Policy: 1.3.6.1.4.1.4146.1.1
          CPS: https://www.example.com/repository/
        Policy: 2.23.140.1.1
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl.example.com/cert-inter.crl
    X509v3 Subject Alternative Name:
        ........
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Authority Key Identifier:
        keyid:xx:xx:xx:xx:xx:xx:...:xx:xx
    X509v3 Subject Key Identifier:
        xx:xx:xx:xx:xx:xx:...:xx:xx
</code>

==== OCSP certificate ====

==== About CRLs ====

===== Commands =====
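The following script is an added example, not content from the original page: it issues a root CA, an intermediate CA with ''pathlen:0'' and a TLS server certificate carrying the extensions listed above using only the openssl CLI, then lets ''openssl verify'' do the checks that matter. The subjects, hostnames, the example.com URLs and the policy OID ''1.3.6.1.4.1.99999.1.1'' are placeholders for the demo; keys are P-256 and serial numbers are random 128-bit values. The script also builds the negative case the intermediate's ''pathlen:0'' exists for: a further CA signed by the intermediate, and a leaf below it, which path validation must reject.

```shell
#!/bin/sh
# Added example (not from the original page): root -> intermediate (pathlen:0)
# -> server with the extensions above. Subjects, hostnames, URLs and the
# policy OID 1.3.6.1.4.1.99999.1.1 are placeholders.
set -eu

# Per-tier extension files in x509v3_config syntax, plus a minimal req config
# so "openssl req" does not depend on a system openssl.cnf.
write_configs() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
EOF
    # Root is the trust anchor: no AKI/AIA/CDP; signs certs and CRLs only.
    cat > "$1/root.ext" <<'EOF'
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    # Intermediate: pathlen:0 allows end-entity certs only, no further CAs.
    cat > "$1/inter.ext" <<'EOF'
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
authorityInfoAccess = OCSP;URI:http://ocsp.example.com/root
crlDistributionPoints = URI:http://crl.example.com/root.crl
certificatePolicies = @pol
[pol]
policyIdentifier = 2.5.29.32.0
CPS.1 = https://www.example.com/repository/
EOF
    # Server: CA:FALSE, key usage and EKU limited to TLS, names in the SAN.
    cat > "$1/server.ext" <<'EOF'
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.com, DNS:example.com
authorityInfoAccess = caIssuers;URI:http://www.example.com/cacert/cert-inter.crt, OCSP;URI:http://ocsp.example.com/cert-inter
crlDistributionPoints = URI:http://crl.example.com/cert-inter.crl
certificatePolicies = @pol
[pol]
policyIdentifier = 1.3.6.1.4.1.99999.1.1
CPS.1 = https://www.example.com/repository/
EOF
}
make_csr() {  # $1=dir $2=name $3=CN -> P-256 key and CSR
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/$2.key" 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$1/$2.key" \
        -subj "/CN=$3" -out "$1/$2.csr"
}
issue_cert() {  # $1=dir $2=name $3=issuer $4=ext file; random 128-bit serial
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -set_serial "0x$(openssl rand -hex 16)" -days 365 \
        -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}
build_pki() {  # $1=dir
    write_configs "$1"
    make_csr "$1" root "Example Root CA"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3650 \
        -set_serial "0x$(openssl rand -hex 16)" -extfile "$1/root.ext" \
        -out "$1/root.pem" 2>/dev/null
    make_csr "$1" inter "Example Intermediate CA"
    issue_cert "$1" inter root inter.ext
    make_csr "$1" server www.example.com
    issue_cert "$1" server inter server.ext
    # Negative case: another CA beneath the pathlen:0 intermediate. Issuance
    # succeeds (openssl x509 does not police the issuer's constraints); only
    # the relying party's path validation can reject what it signs.
    make_csr "$1" sub "Example Sub CA"
    issue_cert "$1" sub inter inter.ext
    make_csr "$1" leaf2 host.example.com
    issue_cert "$1" leaf2 sub server.ext
    cat "$1/inter.pem" "$1/sub.pem" > "$1/chain.pem"
}
# Server cert must chain to the root via the intermediate and pass the
# sslserver purpose checks (EKU serverAuth, CA key usage keyCertSign).
verify_leaf() {
    openssl verify -purpose sslserver -CAfile "$1/root.pem" \
        -untrusted "$1/inter.pem" "$1/server.pem" >/dev/null
}
# Succeeds only if openssl REJECTS the leaf issued under the extra sub-CA.
verify_pathlen_enforced() {
    ! openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
        "$1/leaf2.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_pki "$WORK"
verify_leaf "$WORK" && echo "server.pem chains to root via intermediate: OK"
verify_pathlen_enforced "$WORK" && echo "CA below pathlen:0 intermediate rejected: OK"
```

Two points worth keeping in mind when adapting this. Key Usage and Basic Constraints are marked ''critical'' so that a relying party which does not understand them rejects the certificate instead of ignoring the restriction; the AIA and CRL Distribution Point URLs are only pointers, and the OCSP responder and CRL they name must actually be served. And ''openssl x509 -req'' happily signs the extra sub-CA above: ''pathlen:0'' is enforced at validation time, which is why the second ''openssl verify'' call, not the issuance step, is the check to trust. Inspect any of the generated files with ''openssl x509 -in FILE -noout -text'' to compare the extensions against the dumps above.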