Multiuse certificate profiles
PKIaaS provides the following multiuse profiles.
multiuse-p12-client
multiuse-p12-client-server
multiuse-p12-custom
multiuse-p12-key-data-encipherment-non-repudiation-client
multiuse-p12-key-data-encipherment-non-repudiation-client-server
multiuse-p12-key-encipherment-client
multiuse-p12-key-encipherment-client-server
multiuse-p12-key-encipherment-custom
multiuse-p12-key-encipherment-non-repudiation-client
multiuse-p12-key-encipherment-non-repudiation-client-server
multiuse-p12-key-encipherment-non-repudiation-custom
multiuse-p12-key-encipherment-non-repudiation-server
multiuse-p12-key-encipherment-server
multiuse-p12-non-repudiation-client
multiuse-p12-non-repudiation-client-server
multiuse-p12-non-repudiation-custom
multiuse-p12-non-repudiation-server
multiuse-p12-server
These profiles support the following features.
Multiuse use cases
All multiuse profiles support the following use cases.
|
ECS Enterprise UI |
CA Gateway API |
Entrust-hosted Enrollment Gateway |
On-prem Enrollment Gateway |
|
|
|
|
|
Multiuse issuance modes
All multiuse profiles support the following issuance modes:
Issue the certificate from a CSR.
Issue the certificate and an RSA2048 private key in a P12 file.
Multiuse key usages
See below the Key Usage and Extended Key Usage (EKU) extension values each multiuse profile supports.
|
Profile Name |
Key Usage |
Extended Key Usage |
Allows Extended Key Usage in request |
|
multiuse-p12-client |
Digital Signature, Key Agreement |
TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
|
multiuse-p12-client-server |
Digital Signature, Key Agreement |
TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-custom |
Digital Signature, Key Agreement |
No constraints |
|
|
multiuse-p12-key-data-encipherment-non-repudiation-client |
Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment |
TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
|
multiuse-p12-key-data-encipherment-non-repudiation-client-server |
Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment |
TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
|
multiuse-p12-key-encipherment-client |
Digital Signature, Key Agreement, Key Encipherment |
TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
|
multiuse-p12-key-encipherment-client-server |
Digital Signature, Key Agreement, Key Encipherment |
TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-key-encipherment-custom |
Digital Signature, Key Agreement, Key Encipherment |
No constraints |
|
|
multiuse-p12-key-encipherment-non-repudiation-client |
Digital Signature, Key Agreement, Key Encipherment, Non-Repudation |
TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
|
multiuse-p12-key-encipherment-non-repudiation-client-server |
Digital Signature, Key Agreement, Key Encipherment, Non-Repudation |
TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-key-encipherment-non-repudiation-custom |
Digital Signature, Key Agreement, Key Encipherment, Non-Repudation |
No constraints |
|
|
multiuse-p12-key-encipherment-non-repudiation-server |
Digital Signature, Key Agreement, Key Encipherment, Non-Repudation |
TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-key-encipherment-server |
Digital Signature, Key Agreement, Key Encipherment |
TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-non-repudiation-client |
Digital Signature, Key Agreement, Non-Repudation |
TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
|
multiuse-p12-non-repudiation-client-server |
Digital Signature, Key Agreement, Non-Repudation |
TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-non-repudiation-custom |
Digital Signature, Key Agreement, Non-Repudation |
No constraints |
|
|
multiuse-p12-non-repudiation-server |
Digital Signature, Key Agreement, Non-Repudation |
TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
|
multiuse-p12-server |
Digital Signature, Key Agreement |
TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
Multiuse request extensions
All multiuse profiles support the following non-critical extensions in request.
|
Extension |
OID |
|
ApplicationPolicies |
1.3.6.1.4.1.311.21.10 |
|
CertificatePolicies |
2.5.29.32 |
Multiuse certificate fields
All multiuse profiles set the following certificate fields.
|
Field |
Value |
|
Issuer |
Customer's subordinate issuing CA. |
|
Subject |
No constraint. |
|
Validity period |
Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Multiuse certificate extensions
All multiuse profiles set the following certificate extensions.
|
Extension |
Critical |
Value |
|
AIA |
No |
Supplied if the customer enables OCSP when creating the CA |
|
Authority Key Identifier |
No |
Matches subjectKeyIdentifier of the signing certificate |
|
Basic Constraints |
Yes |
cA =False |
|
CRL Distribution Points |
No |
Always present |
|
Key Usage |
Yes |
Digital Signature, Key Encipherment |
|
Subject Alternative Name |
No |
No constraints |
|
Subject Key Identifier |
No |
«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Multiuse algorithm constraints
All multiuse profiles support the following key and signature algorithms.
|
Key algorithm |
Signature algorithm |
|
ECDSA P-256 |
ecdsa-with-SHA256 |
|
ECDSA P-384 |
ecdsa-with-SHA384 |
|
ECDSA P-521 |
ecdsa-with-SHA512 |
|
RSA 2048 |
sha256WithRSAEncryption |
|
RSA 3072 |
sha256WithRSAEncryption |
|
RSA 4096 |
sha512WithRSAEncryption |
Multiuse distinguished names
PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
|
Alias |
OID |
|
'CN' 'CommonName' |
2.5.4.3 |
|
'SN' 'SurName' |
2.5.4.4 |
|
'SERIALNUMBER' 'DeviceSerialNumber' |
2.5.4.5 |
|
'C' 'Country' |
2.5.4.6 |
|
'L' 'Locality' |
2.5.4.7 |
|
'ST' 'S' 'State' |
2.5.4.8 |
|
'STREET' 'StreetAddress' |
2.5.4.9 |
|
'O' 'Org' 'Organization' |
2.5.4.10 |
|
'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit' |
2.5.4.11 |
|
'T' 'Title' |
2.5.4.12 |
|
'BUSINESSCATEGORY' |
2.5.4.15 |
|
'POSTALCODE' |
2.5.4.17 |
|
'givenName' 'G' |
2.5.4.42 |
|
'I' 'Initials' |
2.5.4.43 |
|
'ORGANIZATIONIDENTIFIER' |
2.5.4.97 |
|
'UID' |
0.9.2342.19200300.100.1.1 |
|
'DC' 'DomainComponent' |
0.9.2342.19200300.100.1.25 |
|
'Email' 'E' |
1.2.840.113549.1.9.1 |
|
'unstructuredName' |
1.2.840.113549.1.9.2 |
|
'unstructuredAddress' |
1.2.840.113549.1.9.8 |
|
'JurisdictionOfIncorporationLocalityName' |
1.3.6.1.4.1.311.60.2.1.1 |
|
'JurisdictionOfIncorporationStateOrProvinceName' |
1.3.6.1.4.1.311.60.2.1.2 |
|
'JurisdictionOfIncorporationCountryName' |
1.3.6.1.4.1.311.60.2.1.3 |
|
'TrademarkOfficeName' |
1.3.6.1.4.1.53087.1.2 |
|
'TrademarkCountryOrRegionName' |
1.3.6.1.4.1.53087.1.3 |
|
'TrademarkRegistration' |
1.3.6.1.4.1.53087.1.4 |
|
'LegalEntityIdentifier' |
1.3.6.1.4.1.53087.1.5 |
|
'WordMark' |
1.3.6.1.4.1.53087.1.6 |
|
'MarkType' |
1.3.6.1.4.1.53087.1.13 |
|
'StatuteCountryName' |
1.3.6.1.4.1.53087.3.2 |
|
'StatuteStateOrProvinceName' |
1.3.6.1.4.1.53087.3.3 |
|
'StatuteLocalityName' |
1.3.6.1.4.1.53087.3.4 |
|
'StatuteCitation' |
1.3.6.1.4.1.53087.3.5 |
|
'StatuteURL' |
1.3.6.1.4.1.53087.3.6 |