Multiuse certificate profiles

PKIaaS provides the following multiuse profiles.

  • multiuse-p12-client

  • multiuse-p12-client-server

  • multiuse-p12-custom

  • multiuse-p12-key-data-encipherment-non-repudiation-client

  • multiuse-p12-key-data-encipherment-non-repudiation-client-server

  • multiuse-p12-key-encipherment-client

  • multiuse-p12-key-encipherment-client-server

  • multiuse-p12-key-encipherment-custom

  • multiuse-p12-key-encipherment-non-repudiation-client

  • multiuse-p12-key-encipherment-non-repudiation-client-server

  • multiuse-p12-key-encipherment-non-repudiation-custom

  • multiuse-p12-key-encipherment-non-repudiation-server

  • multiuse-p12-key-encipherment-server

  • multiuse-p12-non-repudiation-client

  • multiuse-p12-non-repudiation-client-server

  • multiuse-p12-non-repudiation-custom

  • multiuse-p12-non-repudiation-server

  • multiuse-p12-server

These profiles support the following features.

Multiuse use cases

All multiuse profiles support the following use cases.

ECS Enterprise UI

CA Gateway API

Entrust-hosted Enrollment Gateway

On-prem Enrollment Gateway

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

Multiuse issuance modes

All multiuse profiles support the following issuance modes:

  • Issue the certificate from a CSR.

  • Issue the certificate and an RSA2048 private key in a P12 file.

Multiuse key usages

See below the Key Usage and Extended Key Usage (EKU) extension values each multiuse profile supports.

Profile Name

Key Usage

Extended Key Usage

Allows Extended Key Usage in request

multiuse-p12-client

Digital Signature, Key Agreement

TLS client Authentication (1.3.6.1.5.5.7.3.2)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-client-server

Digital Signature, Key Agreement

TLS client Authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-custom

Digital Signature, Key Agreement

No constraints

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

multiuse-p12-key-data-encipherment-non-repudiation-client

Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

TLS client Authentication (1.3.6.1.5.5.7.3.2)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-data-encipherment-non-repudiation-client-server

Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

TLS client Authentication (1.3.6.1.5.5.7.3.2)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-encipherment-client

Digital Signature, Key Agreement, Key Encipherment

TLS client Authentication (1.3.6.1.5.5.7.3.2)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-encipherment-client-server

Digital Signature, Key Agreement, Key Encipherment

TLS client Authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-encipherment-custom

Digital Signature, Key Agreement, Key Encipherment

No constraints

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

multiuse-p12-key-encipherment-non-repudiation-client

Digital Signature, Key Agreement, Key Encipherment, Non-Repudation

TLS client Authentication (1.3.6.1.5.5.7.3.2)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-encipherment-non-repudiation-client-server

Digital Signature, Key Agreement, Key Encipherment, Non-Repudation

TLS client Authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-encipherment-non-repudiation-custom

Digital Signature, Key Agreement, Key Encipherment, Non-Repudation

No constraints

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

multiuse-p12-key-encipherment-non-repudiation-server

Digital Signature, Key Agreement, Key Encipherment, Non-Repudation

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-key-encipherment-server

Digital Signature, Key Agreement, Key Encipherment

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-non-repudiation-client

Digital Signature, Key Agreement, Non-Repudation

TLS client Authentication (1.3.6.1.5.5.7.3.2)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-non-repudiation-client-server

Digital Signature, Key Agreement, Non-Repudation

TLS client Authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-non-repudiation-custom

Digital Signature, Key Agreement, Non-Repudation

No constraints

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

multiuse-p12-non-repudiation-server

Digital Signature, Key Agreement, Non-Repudation

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

multiuse-p12-server

Digital Signature, Key Agreement

TLS server authentication (1.3.6.1.5.5.7.3.1)

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

Multiuse request extensions

All multiuse profiles support the following non-critical extensions in request.

Extension

OID

ApplicationPolicies

1.3.6.1.4.1.311.21.10

CertificatePolicies

2.5.29.32

Multiuse certificate fields

All multiuse profiles set the following certificate fields.

Field

Value

Issuer

Customer's subordinate issuing CA.

Subject

No constraint.

Validity period

Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request.

Multiuse certificate extensions

All multiuse profiles set the following certificate extensions.

Extension

Critical

Value

AIA

No

Supplied if the customer enables OCSP when creating the CA

Authority Key Identifier

No

Matches subjectKeyIdentifier of the signing certificate

Basic Constraints

Yes

cA =False

CRL Distribution Points

No

Always present

Key Usage

Yes

Digital Signature, Key Encipherment

Subject Alternative Name

No

No constraints

Subject Key Identifier

No

«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2

Multiuse algorithm constraints

All multiuse profiles support the following key and signature algorithms.

Key algorithm

Signature algorithm

ECDSA P-256

ecdsa-with-SHA256

ECDSA P-384

ecdsa-with-SHA384

ECDSA P-521

ecdsa-with-SHA512

RSA 2048

sha256WithRSAEncryption

RSA 3072

sha256WithRSAEncryption

RSA 4096

sha512WithRSAEncryption

Multiuse distinguished names

PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias

OID

'CN' 'CommonName'

2.5.4.3

'SN' 'SurName'

2.5.4.4

'SERIALNUMBER' 'DeviceSerialNumber'

2.5.4.5

'C' 'Country'

2.5.4.6

'L' 'Locality'

2.5.4.7

'ST' 'S' 'State'

2.5.4.8

'STREET' 'StreetAddress'

2.5.4.9

'O' 'Org' 'Organization'

2.5.4.10

'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'

2.5.4.11

'T' 'Title'

2.5.4.12

'BUSINESSCATEGORY'

2.5.4.15

'POSTALCODE'

2.5.4.17

'givenName' 'G'

2.5.4.42

'I' 'Initials'

2.5.4.43

'ORGANIZATIONIDENTIFIER'

2.5.4.97

'UID'

0.9.2342.19200300.100.1.1

'DC' 'DomainComponent'

0.9.2342.19200300.100.1.25

'Email' 'E'

1.2.840.113549.1.9.1

'unstructuredName'

1.2.840.113549.1.9.2

'unstructuredAddress'

1.2.840.113549.1.9.8

'JurisdictionOfIncorporationLocalityName'

1.3.6.1.4.1.311.60.2.1.1

'JurisdictionOfIncorporationStateOrProvinceName'

1.3.6.1.4.1.311.60.2.1.2

'JurisdictionOfIncorporationCountryName'

1.3.6.1.4.1.311.60.2.1.3

'TrademarkOfficeName'

1.3.6.1.4.1.53087.1.2

'TrademarkCountryOrRegionName'

1.3.6.1.4.1.53087.1.3

'TrademarkRegistration'

1.3.6.1.4.1.53087.1.4

'LegalEntityIdentifier'

1.3.6.1.4.1.53087.1.5

'WordMark'

1.3.6.1.4.1.53087.1.6

'MarkType'

1.3.6.1.4.1.53087.1.13

'StatuteCountryName'

1.3.6.1.4.1.53087.3.2

'StatuteStateOrProvinceName'

1.3.6.1.4.1.53087.3.3

'StatuteLocalityName'

1.3.6.1.4.1.53087.3.4

'StatuteCitation'

1.3.6.1.4.1.53087.3.5

'StatuteURL'

1.3.6.1.4.1.53087.3.6