
Tutorial for extensions when generating certificate

Kenji Urushima edited this page Apr 29, 2021 · 21 revisions

UNDER CONSTRUCTION

Extensions can be specified as JSON objects when generating a certificate.

This document gives a sample object for each extension.

Common to extensions

The "extname" member is required. The "critical" flag is optional.

{ extname: "NAME-OF-EXTENSION",
  critical: true, // optional: the critical flag can be specified
  ... extension values ... }

Basic Constraints

{ extname: "basicConstraints",
  critical: true,
  cA: true,     // optional. "false" can also be specified.
  pathLen: 2 }  // optional

Key Usage

{ extname: "keyUsage", names: ["digitalSignature", "nonRepudiation"] } // the order of names does not matter

Key usage value can also be specified by DERBitString parameters.

{ extname: "keyUsage", bit: "11" }
{ extname: "keyUsage", array: [true, true, false, true] }
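
The "names", "bit" and "array" forms above all describe one DER BIT STRING. The following added example (not part of jsrsasign or of this wiki; plain JavaScript with hypothetical helper names) maps each form to its encoded value using the bit positions from RFC 5280 section 4.2.1.3, so you can check which usages a "bit" or "array" value actually grants.

```javascript
// Added example: plain JavaScript, no jsrsasign calls. Helper names are hypothetical.
// Bit positions of the KeyUsage named bits, from RFC 5280 section 4.2.1.3.
const KEY_USAGE_BITS = [
  "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
];

// "names" form -> binary string such as "11"; the order of names is irrelevant.
function namesToBits(names) {
  let last = -1;
  const set = new Array(KEY_USAGE_BITS.length).fill(false);
  for (const n of names) {
    const i = KEY_USAGE_BITS.indexOf(n);
    if (i < 0) throw new Error("unknown keyUsage name: " + n);
    set[i] = true;
    if (i > last) last = i;
  }
  return set.slice(0, last + 1).map(b => (b ? "1" : "0")).join("");
}

// "array" form ([true, true, false, true]) -> binary string ("1101").
function arrayToBits(arr) {
  return arr.map(b => (b ? "1" : "0")).join("");
}

// Binary string -> DER BIT STRING as hex: tag 03, length, unused-bit count, data.
// DER drops trailing zero bits of a named-bit list, so "1100" encodes like "11".
// Short-form length only, which is always enough for the nine KeyUsage bits.
function bitsToDerHex(bits) {
  if (!/^[01]*$/.test(bits)) throw new Error("not a binary string: " + bits);
  const trimmed = bits.replace(/0+$/, "");
  const unused = (8 - (trimmed.length % 8)) % 8;
  const padded = trimmed + "0".repeat(unused);
  let body = unused.toString(16).padStart(2, "0");
  for (let i = 0; i < padded.length; i += 8) {
    body += parseInt(padded.slice(i, i + 8), 2).toString(16).padStart(2, "0");
  }
  return "03" + (body.length / 2).toString(16).padStart(2, "0") + body;
}

// The three forms from this page, plus a typical CA value (constructed inputs).
console.log(bitsToDerHex(namesToBits(["nonRepudiation", "digitalSignature"]))); // 030206c0
console.log(bitsToDerHex("11"));                                   // 030206c0
console.log(bitsToDerHex(arrayToBits([true, true, false, true]))); // 030204d0
console.log(bitsToDerHex(namesToBits(["keyCertSign", "cRLSign"]))); // 03020106
```

Note that the "array" sample sets bit 3 (dataEncipherment) in addition to the two usages named in the "names" sample, so the two are not equivalent.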

CRL Distribution Points

{ extname: "cRLDistributionPoints",
  array: [
    {fulluri: "http://repository.example.com/CA1.crl"}
  ] }

Authority Info Access

{ extname: "authorityInfoAccess",
  array: [
    {ocsp: 'http://ocsp.example.org'},
    {caissuer: 'https://repository.example.org/ca1.crt'}  
  ] }

Subject Key Identifier

You can specify "kid" as the PEM string of a certificate or public key, or as a key object accepted by the KEYUTIL.getKey method. The key ID value is then calculated automatically by the method specified in RFC 5280 section 4.2.1.2 (1).

{ extname: "subjectKeyIdentifier", kid: ...PEM-OF-CERT-OR-PUBKEY... }
{ extname: "subjectKeyIdentifier", kid: ...KEYOBJECT... }

Otherwise, you can explicitly specify the key identifier value as a hexadecimal or raw string accepted by the DEROctetString class.

{ extname: "subjectKeyIdentifier", hex: "1abd23f..." }
{ extname: "subjectKeyIdentifier", str: "\x3f\xa1..." }

Authority Key Identifier

AuthorityKeyIdentifier has three optional fields.

AuthorityKeyIdentifier ::= SEQUENCE {
  keyIdentifier             [0] KeyIdentifier           OPTIONAL,
  authorityCertIssuer       [1] GeneralNames            OPTIONAL,
  authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

For "keyIdentifier", the same members as for "SubjectKeyIdentifier" are available. "authorityCertIssuer" and "authorityCertSerialNumber" can be specified through the "isscert" member with a certificate PEM string.

{ extname: "authorityKeyIdentifier",
  kid: "-----BEGIN CERTIFICATE...",
  isscert: "-----BEGIN CERTIFICATE..." }

Otherwise, you can specify them explicitly with the "issuer" and "sn" members as follows:

{ extname: "authorityKeyIdentifier",
  kid: "-----BEGIN CERTIFICATE...",
  issuer: { ldapstr: "CN=CA1,O=Test,C=JP" },
  sn: { hex: "1fda3d..." } }
