Azure Firewall Intermediate CA certificate profile

The Azure Firewall Intermediate CA service provides a azure-firewall-ca-subord profile with the following settings.

This certificate profile is only available for the root CA.

Follow the Microsoft Azure Intermediate requirements to generate the CSR before requesting the CA certificate from PKIaaS.

Azure Firewall Subordinate CA signing use cases

The azure-firewall-ca-subord profile supports the following use cases.

ECS Enterprise UI

CA Gateway API

Entrust-hosted Enrollment Gateway

On-prem Enrollment Gateway

images/s/3qjijh/8804/47zayh/_/images/icons/emoticons/check.svg

images/s/3qjijh/8804/47zayh/_/images/icons/emoticons/check.svg

images/s/3qjijh/8804/47zayh/_/images/icons/emoticons/error.svg

images/s/3qjijh/8804/47zayh/_/images/icons/emoticons/error.svg

Azure Firewall Subordinate CA request extensions

The azure-firewall-ca-subord profile supports the following non-critical extensions in request.

Extension name

Extension OID

Certificate Policies

2.5.29.32

Azure Firewall Subordinate CA certificate fields

The azure-firewall-ca-subord profile sets the following certificate fields.

Field

Value

Issuer

Customer's subordinate issuing CA.

Subject

No constraint

Validity period

Defaults to 1 year if not specified.

Azure Firewall Subordinate CA certificate extensions

The azure-firewall-ca-subord profile sets the following certificate extensions.

Extension

Critical

Value

AIA

No

Supplied if the customer enables OCSP when creating the CA

Authority Key Identifier

No

Matches subjectKeyIdentifier of the signing certificate

Basic Constraints

Yes

cA=True, pathLenConstraint=1

CRL Distribution Points

No

Always present

Key Usage

Yes

Certificate Signing, CRL Signing , Digital Signature

Subject Alternative Name

No

No constraints

Subject Key Identifier

No

«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2

Azure Firewall Subordinate CA algorithm constraints

The azure-firewall-ca-subord profile supports the following key and signature algorithms.

Key algorithm

Signature algorithm

ECDSA P-256

ecdsa-with-SHA256

ECDSA P-384

ecdsa-with-SHA384

ECDSA P-521

ecdsa-with-SHA512

RSA 2048

sha256WithRSAEncryption

RSA 3072

sha256WithRSAEncryption

RSA 4096

sha512WithRSAEncryption

Azure Firewall Subordinate CA distinguished names

PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias

OID

'CN' 'CommonName'

2.5.4.3

'SN' 'SurName'

2.5.4.4

'SERIALNUMBER' 'DeviceSerialNumber'

2.5.4.5

'C' 'Country'

2.5.4.6

'L' 'Locality'

2.5.4.7

'ST' 'S' 'State'

2.5.4.8

'STREET' 'StreetAddress'

2.5.4.9

'O' 'Org' 'Organization'

2.5.4.10

'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'

2.5.4.11

'T' 'Title'

2.5.4.12

'BUSINESSCATEGORY'

2.5.4.15

'POSTALCODE'

2.5.4.17

'givenName' 'G'

2.5.4.42

'I' 'Initials'

2.5.4.43

'ORGANIZATIONIDENTIFIER'

2.5.4.97

'UID'

0.9.2342.19200300.100.1.1

'DC' 'DomainComponent'

0.9.2342.19200300.100.1.25

'Email' 'E'

1.2.840.113549.1.9.1

'unstructuredName'

1.2.840.113549.1.9.2

'unstructuredAddress'

1.2.840.113549.1.9.8

'JurisdictionOfIncorporationLocalityName'

1.3.6.1.4.1.311.60.2.1.1

'JurisdictionOfIncorporationStateOrProvinceName'

1.3.6.1.4.1.311.60.2.1.2

'JurisdictionOfIncorporationCountryName'

1.3.6.1.4.1.311.60.2.1.3

'TrademarkOfficeName'

1.3.6.1.4.1.53087.1.2

'TrademarkCountryOrRegionName'

1.3.6.1.4.1.53087.1.3

'TrademarkRegistration'

1.3.6.1.4.1.53087.1.4

'LegalEntityIdentifier'

1.3.6.1.4.1.53087.1.5

'WordMark'

1.3.6.1.4.1.53087.1.6

'MarkType'

1.3.6.1.4.1.53087.1.13

'StatuteCountryName'

1.3.6.1.4.1.53087.3.2

'StatuteStateOrProvinceName'

1.3.6.1.4.1.53087.3.3

'StatuteLocalityName'

1.3.6.1.4.1.53087.3.4

'StatuteCitation'

1.3.6.1.4.1.53087.3.5

'StatuteURL'

1.3.6.1.4.1.53087.3.6