Private SSL use cases

All private SSL profiles support the following use cases.

ECS Enterprise UI	CA Gateway API	Entrust-hosted Enrollment Gateway	On-prem Enrollment Gateway

Private SSL key usages

See below the Key Usage and Extended Key Usage (EKU) extension values each private SSL profile supports.

Profile	Key Usage	Extended Key Usage
privatessl-tls-client	Digital Signature	TLS client authentication (1.3.6.1.5.5.7.3.2)
privatessl-tls-client-server	Digital Signature	TLS client authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1)
privatessl-tls-client-server-data-encipherment	Digital Signature, Data Encipherment	TLS client authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1)
privatessl-tls-client-server-supply-san	Digital Signature	TLS client authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1)
privatessl-tls-server	Digital Signature	TLS server authentication (1.3.6.1.5.5.7.3.1)
privatessl-tls-server-supply-san	Digital Signature	TLS server authentication (1.3.6.1.5.5.7.3.1)

When the fill_san_dns_with_cn parameter is True, the profile copies in the SubjectAltname extension all the CN fields:

See below the value of this parameter in each profile.

Profile	fill_san_dns_with_cn
privatessl-tls-client	False
privatessl-tls-client-server	False
privatessl-tls-client-server-data-encipherment	False
privatessl-tls-client-server-supply-san	True
privatessl-tls-server	False
privatessl-tls-server-supply-san	True

All private SSL profiles support the following non-critical extensions in request.

All Private SSL profiles set the following certificate fields.

Field	Value
Issuer	Customer's subordinate issuing CA.
Subject	No constraint.
Validity period	Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request.

All private SSL profiles set the following certificate extensions.

Extension	Critical	Value
AIA	No	Supplied if the customer enables OCSP when creating the CA
Authority Key Identifier	No	Matches subjectKeyIdentifier of the signing certificate
Basic Constraints	Yes	cA =False
CRL Distribution Points	No	Always present
Subject Alternative Name	No	No constraints
Subject Key Identifier	No	«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2

All private SSL profiles support the following key and signature algorithms.

PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias	OID
'CN' 'CommonName'	2.5.4.3
'SN' 'SurName'	2.5.4.4
'SERIALNUMBER' 'DeviceSerialNumber'	2.5.4.5
'C' 'Country'	2.5.4.6
'L' 'Locality'	2.5.4.7
'ST' 'S' 'State'	2.5.4.8
'STREET' 'StreetAddress'	2.5.4.9
'O' 'Org' 'Organization'	2.5.4.10
'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'	2.5.4.11
'T' 'Title'	2.5.4.12
'BUSINESSCATEGORY'	2.5.4.15
'POSTALCODE'	2.5.4.17
'givenName' 'G'	2.5.4.42
'I' 'Initials'	2.5.4.43
'ORGANIZATIONIDENTIFIER'	2.5.4.97
'UID'	0.9.2342.19200300.100.1.1
'DC' 'DomainComponent'	0.9.2342.19200300.100.1.25
'Email' 'E'	1.2.840.113549.1.9.1
'unstructuredName'	1.2.840.113549.1.9.2
'unstructuredAddress'	1.2.840.113549.1.9.8
'JurisdictionOfIncorporationLocalityName'	1.3.6.1.4.1.311.60.2.1.1
'JurisdictionOfIncorporationStateOrProvinceName'	1.3.6.1.4.1.311.60.2.1.2
'JurisdictionOfIncorporationCountryName'	1.3.6.1.4.1.311.60.2.1.3
'TrademarkOfficeName'	1.3.6.1.4.1.53087.1.2
'TrademarkCountryOrRegionName'	1.3.6.1.4.1.53087.1.3
'TrademarkRegistration'	1.3.6.1.4.1.53087.1.4
'LegalEntityIdentifier'	1.3.6.1.4.1.53087.1.5
'WordMark'	1.3.6.1.4.1.53087.1.6
'MarkType'	1.3.6.1.4.1.53087.1.13
'StatuteCountryName'	1.3.6.1.4.1.53087.3.2
'StatuteStateOrProvinceName'	1.3.6.1.4.1.53087.3.3
'StatuteLocalityName'	1.3.6.1.4.1.53087.3.4
'StatuteCitation'	1.3.6.1.4.1.53087.3.5
'StatuteURL'	1.3.6.1.4.1.53087.3.6