
Tutorial for extensions when generating certificate

Kenji Urushima edited this page Apr 29, 2021 · 21 revisions

UNDER CONSTRUCTION

Extensions can be specified as a JSON object when generating a certificate.

This document describes sample parameter objects for extensions.

Common to extensions

The "extname" member must be specified. The "critical" flag is optional.

{ extname: "NAME-OF-EXTENSION",
  critical: true, // optional: critical flag can be specified
  ... extension values ... }

Basic Constraints

{ extname: "basicConstraints",
  critical: true,
  cA: true,     // optional; "false" can also be specified
  pathLen: 2 }  // optional

Key Usage

{ extname: "keyUsage", names: ["digitalSignature", "nonRepudiation"] } // order of names does not matter

The key usage value can also be specified with DERBitString parameters:

{ extname: "keyUsage", bin: "11" }                       // DERBitString binary-string parameter: digitalSignature and nonRepudiation
{ extname: "keyUsage", array: [true, true, false, true] } // DERBitString boolean-array parameter, one element per bit
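As an added example (not jsrsasign code and not part of this wiki), the following Node.js snippet shows what the three keyUsage forms above have in common: the names form and the boolean-array form both reduce to the same binary string, which becomes an RFC 5280 KeyUsage BIT STRING in DER. The decoder at the end is the check you would run over a certificate's KeyUsage value to see which bits were actually set. All function names are assumptions of this example.

```javascript
// RFC 5280 section 4.2.1.3 KeyUsage bit positions, index = bit number.
const KEY_USAGE_BITS = [
  "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
];

// names form -> binary string. Order of the names does not matter; unknown names are rejected.
function keyUsageNamesToBin(names) {
  const bits = new Array(KEY_USAGE_BITS.length).fill("0");
  for (const name of names) {
    const idx = KEY_USAGE_BITS.indexOf(name);
    if (idx < 0) throw new Error("unknown keyUsage name: " + name);
    bits[idx] = "1";
  }
  // DER named-bit lists drop trailing zero bits.
  return bits.join("").replace(/0+$/, "");
}

// array form ([true, true, false, true]) -> binary string, same trailing-zero rule.
function keyUsageArrayToBin(arr) {
  return arr.map((b) => (b ? "1" : "0")).join("").replace(/0+$/, "");
}

// Encode a binary string such as "11" as a DER BIT STRING (tag 0x03), returned as lowercase hex.
// The first content byte is the number of unused (padding) bits in the last byte.
function derBitStringHex(bin) {
  if (!/^[01]*$/.test(bin)) throw new Error("bin must contain only 0 and 1");
  const unused = (8 - (bin.length % 8)) % 8;
  const padded = bin + "0".repeat(unused);
  const content = [unused];
  for (let i = 0; i < padded.length; i += 8) content.push(parseInt(padded.slice(i, i + 8), 2));
  // Short-form length is sufficient: KeyUsage is at most 9 bits.
  return [0x03, content.length, ...content].map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Decode a DER BIT STRING (hex) back into KeyUsage names, honouring the unused-bits count.
function derBitStringHexToNames(hex) {
  const bytes = (hex.match(/../g) || []).map((h) => parseInt(h, 16));
  if (bytes[0] !== 0x03 || bytes[1] !== bytes.length - 2) throw new Error("not a short-form DER BIT STRING");
  const unused = bytes[2];
  const allBits = bytes.slice(3).map((b) => b.toString(2).padStart(8, "0")).join("");
  const bin = allBits.slice(0, allBits.length - unused);
  return KEY_USAGE_BITS.filter((_, i) => bin[i] === "1");
}
```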

CRL Distribution Points

{ extname: "cRLDistributionPoints",
  array: [
    {fulluri: "http://repository.example.com/CA1.crl"}
  ] }

Authority Info Access

{ extname: "authorityInfoAccess",
  array: [
    {ocsp: "http://ocsp.example.org"},
    {caissuer: "https://repository.example.org/ca1.crt"}
  ] }

Subject Key Identifier

You can specify "kid" as a PEM string of a certificate or public key, or as a key object accepted by the KEYUTIL.getKey method. The key identifier value is then calculated automatically by method (1) of RFC 5280 section 4.2.1.2.

{ extname: "subjectKeyIdentifier",
  kid: ...PEM-OF-CERT-OR-PUBKEY... }
{ extname: "subjectKeyIdentifier",
  kid: ...KEYOBJECT... }
