Tutorial for extensions when generating certificate
Kenji Urushima edited this page Apr 29, 2021
Extensions can be specified as JSON objects when generating a certificate.
This document gives samples for each extension.

## General format

The "extname" member shall be specified. The "critical" flag is optional.
```javascript
{ extname: "NAME-OF-EXTENSION",
  critical: true, // OPTIONAL: critical flag can be specified
  ... extension values ... }
```

## basicConstraints

```javascript
{ extname: "basicConstraints",
  critical: true,
  cA: true,       // OPTIONAL. "false" can also be specified.
  pathLen: 2 }    // OPTIONAL
```

## keyUsage

```javascript
{ extname: "keyUsage", names: ["digitalSignature", "nonRepudiation"] } // ordering of names does not matter
```

The key usage value can also be specified with DERBitString parameters ("bit" or "array"):

```javascript
{ extname: "keyUsage", bit: "11" }
{ extname: "keyUsage", array: [true, true, false, true] }
```

## cRLDistributionPoints

```javascript
{ extname: "cRLDistributionPoints",
  array: [
    {fulluri: "http://repository.example.com/CA1.crl"}
  ] }
```

## authorityInfoAccess

```javascript
{ extname: "authorityInfoAccess",
  array: [
    {ocsp: 'http://ocsp.example.org'},
    {caissuer: 'https://repository.example.org/ca1.crt'}
  ] }
```

## subjectKeyIdentifier

You can specify "kid" as a PEM string of a certificate or public key, or as a key object accepted by the KEYUTIL.getKey method. The key identifier value is then calculated automatically by the method specified in RFC 5280 section 4.2.1.2 (1), i.e. the SHA-1 hash of the subjectPublicKey BIT STRING value.

```javascript
{ extname: "subjectKeyIdentifier", kid: ...PEM-OF-CERT-OR-PUBKEY... }
{ extname: "subjectKeyIdentifier", kid: ...KEYOBJECT... }
```

Otherwise you can specify the key identifier explicitly as "hex" or as a raw string ("str"), as accepted by the DEROctetString class:

```javascript
{ extname: "subjectKeyIdentifier", hex: "1abd23f..." }
{ extname: "subjectKeyIdentifier", str: "\x3f\xa1..." }
```
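The three keyUsage forms in the samples above ("names", "bit", "array") describe the same named bit list. The following added example is not jsrsasign code; it is a plain JavaScript encoder, written for this page, that assumes the members are interpreted as in the samples (bit 0 first) and shows that the forms produce identical DER, how DER drops trailing zero bits, and where the "critical" flag lands in the Extension SEQUENCE.

```javascript
// Constructed example: map the keyUsage JSON forms shown above to DER.
// RFC 5280 KeyUsage named bit list, bit 0 first.
const KEY_USAGE_NAMES = [
  "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
];

// Normalise any of the three forms to a bit string such as "1101" (bit 0 first).
function keyUsageBits(spec) {
  if (spec.names) {
    const bits = Array(KEY_USAGE_NAMES.length).fill("0");
    for (const n of spec.names) {
      const i = KEY_USAGE_NAMES.indexOf(n);
      if (i < 0) throw new Error("unknown keyUsage name: " + n);
      bits[i] = "1";                       // order of names is irrelevant
    }
    return bits.join("");
  }
  if (spec.bit !== undefined) {
    if (!/^[01]+$/.test(spec.bit)) throw new Error("bit must be a 0/1 string");
    return spec.bit;
  }
  if (spec.array) return spec.array.map((b) => (b ? "1" : "0")).join("");
  throw new Error("keyUsage needs names, bit or array");
}

// DER BIT STRING for a named bit list: trailing zero bits are removed (DER rule),
// then bit 0 goes into the most significant bit of the first content byte.
// Short-form lengths suffice: a KeyUsage value is always well under 128 bytes.
function derBitString(bits) {
  const trimmed = bits.replace(/0+$/, "");
  if (trimmed === "") return "030100";     // all bits clear: empty BIT STRING
  const padded = trimmed + "0".repeat((8 - (trimmed.length % 8)) % 8);
  const unused = padded.length - trimmed.length;
  let body = unused.toString(16).padStart(2, "0");
  for (let i = 0; i < padded.length; i += 8) {
    body += parseInt(padded.slice(i, i + 8), 2).toString(16).padStart(2, "0");
  }
  return "03" + (body.length / 2).toString(16).padStart(2, "0") + body;
}

// Extension ::= SEQUENCE { extnID 2.5.29.15, critical BOOLEAN DEFAULT FALSE,
//                          extnValue OCTET STRING (containing the BIT STRING) }
function keyUsageExtensionDER(spec) {
  const value = derBitString(keyUsageBits(spec));
  const octet = "04" + (value.length / 2).toString(16).padStart(2, "0") + value;
  const inner = "0603551d0f" + (spec.critical ? "0101ff" : "") + octet;
  return "30" + (inner.length / 2).toString(16).padStart(2, "0") + inner;
}
```

Note that `array: [true, true, false, true]` sets dataEncipherment as well, which the `names` sample does not; comparing the DER output is a quick way to check that a JSON spec grants only the usages intended.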