Public Key Infrastructure

Good extensions for certificates

Root CA

X509v3 extensions:
	X509v3 Key Usage: critical
		Certificate Sign, CRL Sign
	X509v3 Basic Constraints: critical
		CA:TRUE
	X509v3 Subject Key Identifier:
		xx:xx:xx:xx:xx:xx:xx:xx:xx:...:xx:xx:xx

Intermediate CA

Serial Number:
    xx:xx:xx:xx:...:xx
X509v3 extensions:
	X509v3 Key Usage: critical
		Certificate Sign, CRL Sign
	X509v3 Basic Constraints: critical
		CA:TRUE, pathlen:0
	X509v3 Subject Key Identifier:
		xx:xx:xx:xx:...:xx
	X509v3 Authority Key Identifier:
		keyid:xx:xx:xx:xx:...:xx

	Authority Information Access:
		OCSP - URI:http://ocsp.example.com/root

	X509v3 CRL Distribution Points:
		Full Name:
		  URI:http://crl.example.com/root.crl

	X509v3 Certificate Policies:
		Policy: X509v3 Any Policy
		  CPS: https://www.example.com/repository/

User certificate

Server certificate

Serial Number:
	xx:xx:xx:xx:xx:xx:...:xx:xx
X509v3 extensions:
	X509v3 Key Usage: critical
		Digital Signature, Key Encipherment
	Authority Information Access:
		CA Issuers - URI:http://www.example.com/cacert/cert-inter.crt
		OCSP - URI:http://ocsp.example.com/cert-inter

	X509v3 Certificate Policies:
		Policy: 1.3.6.1.4.1.4146.1.1
		  CPS: https://www.example.com/repository/
		Policy: 2.23.140.1.1

	X509v3 Basic Constraints:
		CA:FALSE
	X509v3 CRL Distribution Points:
		Full Name:
		  URI:http://crl.example.com/cert-inter.crl

	X509v3 Subject Alternative Name:
		........
	X509v3 Extended Key Usage:
		TLS Web Server Authentication, TLS Web Client Authentication
	X509v3 Authority Key Identifier:
		keyid:xx:xx:xx:xx:xx:xx:...:xx:xx

	X509v3 Subject Key Identifier:
		xx:xx:xx:xx:xx:xx:...:xx:xx
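The three profiles above, as an added example that is not part of this wiki page: a POSIX shell script that encodes each profile as an OpenSSL extension section, builds the root, intermediate and server certificates, verifies the chain with openssl verify, and checks that pathlen:0 on the intermediate is actually enforced by the path validator. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the subject names and hostnames are placeholders chosen here, and the URLs and policy OIDs are the ones shown in the listings.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a root -> intermediate -> server
# chain whose extensions match the profiles above, verify it, and show that a
# CA issued below a pathlen:0 intermediate is rejected. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ext.cnf"

# Extension profiles, one config section per certificate type on the page.
write_config() {
cat > "$CNF" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ root_ca ]
keyUsage               = critical, keyCertSign, cRLSign
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
[ intermediate_ca ]
keyUsage               = critical, keyCertSign, cRLSign
basicConstraints       = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com/root
crlDistributionPoints  = URI:http://crl.example.com/root.crl
certificatePolicies    = @any_policy
[ any_policy ]
# 2.5.29.32.0 is anyPolicy; openssl prints it as "X509v3 Any Policy"
policyIdentifier = 2.5.29.32.0
CPS.1 = https://www.example.com/repository/
[ server ]
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.example.com, DNS:example.com
authorityInfoAccess    = caIssuers;URI:http://www.example.com/cacert/cert-inter.crt, OCSP;URI:http://ocsp.example.com/cert-inter
crlDistributionPoints  = URI:http://crl.example.com/cert-inter.crl
certificatePolicies    = 2.23.140.1.1, @cps_policy
[ cps_policy ]
policyIdentifier = 1.3.6.1.4.1.4146.1.1
CPS.1 = https://www.example.com/repository/
EOF
}

# gen_key NAME: P-256 private key written to $WORK/NAME.key
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.key" 2>/dev/null
}

# issue NAME CN ISSUER SECTION: CSR for NAME signed by ISSUER's key with the
# named extension profile; result in $WORK/NAME.crt
issue() {
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -config "$CNF" \
        -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
        -CAkey "$WORK/$3.key" -CAcreateserial -days 365 \
        -extfile "$CNF" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
    write_config
    gen_key root && gen_key inter && gen_key server
    openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Example Root CA" \
        -days 3650 -config "$CNF" -extensions root_ca \
        -out "$WORK/root.crt" 2>/dev/null
    issue inter  "Example Intermediate CA" root  intermediate_ca
    issue server "www.example.com"         inter server
}

# verify_chain LEAF INTERMEDIATE: exit 0 when LEAF chains to the root
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
}

# has_extension CERT PATTERN: exit 0 when PATTERN appears in the text dump
has_extension() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# A CA issued below the intermediate violates pathlen:0, so a leaf under it
# must be rejected even though every signature in the path is valid.
pathlen_enforced() {
    gen_key sub && gen_key leaf
    issue sub  "Unauthorised Sub CA" inter intermediate_ca
    issue leaf "leaf.example.com"    sub   server
    ! openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        -untrusted "$WORK/sub.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

build_pki
verify_chain "$WORK/server.crt" "$WORK/inter.crt" && echo "server.crt chains to root: OK"
pathlen_enforced && echo "leaf below a pathlen:0 CA rejected: OK"
```

After running it, dump any certificate with openssl x509 -in FILE -noout -text and compare against the listings above; the output should match field for field (OpenSSL 3.x may additionally add an Authority Key Identifier to the self-signed root). Removing pathlen:0 from the intermediate_ca section makes the last check fail, which is exactly why the constraint belongs on an issuing CA that is never meant to have CAs below it.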

OCSP certificate

About CRLs

Commands

setup/pki.txt · Last modified: 2021/07/29 16:33 by root