Entrust provides the following basic profiles for root Certificate Authorities, issuing Certificate Authorities, and Validation Authorities (OCSP).
- basic-ca-root
- basic-ca-subord
- basic-ocsp
These profiles are neither exposed nor configurable. External root CAs are not covered by these profiles.
The following sections describe these profiles.
Key and signature algorithms
All authority basic profiles support the following key and signature algorithms.
Key algorithm | Signature algorithm |
---|---|
ECDSA P-256 | ecdsa-with-SHA256 |
ECDSA P-384 | ecdsa-with-SHA384 |
ECDSA P-521 | ecdsa-with-SHA512 |
RSA 2048 | sha256WithRSAEncryption |
RSA 3072 | sha256WithRSAEncryption |
RSA 4096 | sha512WithRSAEncryption |
NIST plans to deprecate some of these algorithms after December 31, 2030. See NIST IR 8547 (initial public draft): https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
Certificate fields
The authority basic profiles set the following certificate fields.
Field | basic-ca-root | basic-ca-subord | basic-ocsp |
---|---|---|---|
Issuer | Self-signed | Customer's online root CA | Customer's online root/issuing CA |
Subject | No constraint | No constraint | No constraint |
Validity period | Less than or equal to 20 years | Less than or equal to 10 years. The subordinate expiry cannot exceed the root validity. | 30 days |
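The validity limits in the table above are easy to get wrong at issuance time, in particular the rule that a subordinate CA must not outlive its root. The following added example (not Entrust code; written here to illustrate the table) encodes the three limits as a check on proposed notBefore/notAfter values. It assumes "validity period" means notAfter minus notBefore, measured in calendar years for the CA profiles and in days for the OCSP profile, and that the caller supplies the root's notAfter when checking a subordinate.

```python
from datetime import datetime, timedelta, timezone

# Maximum validity per profile, taken from the table above
# (root: 20 years, subordinate: 10 years, OCSP responder: 30 days).
MAX_VALIDITY = {
    "basic-ca-root": ("years", 20),
    "basic-ca-subord": ("years", 10),
    "basic-ocsp": ("days", 30),
}


def utc(year, month, day):
    """Helper for building timezone-aware UTC timestamps (assumption: inputs are UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_years(t, years):
    """Shift t by whole calendar years; Feb 29 collapses to Feb 28 in non-leap years."""
    try:
        return t.replace(year=t.year + years)
    except ValueError:
        return t.replace(year=t.year + years, day=28)


def max_not_after(profile, not_before):
    """Latest notAfter the profile allows for a certificate starting at not_before."""
    unit, amount = MAX_VALIDITY[profile]
    if unit == "years":
        return add_years(not_before, amount)
    return not_before + timedelta(days=amount)


def check_validity(profile, not_before, not_after, root_not_after=None):
    """Return a list of profile violations; an empty list means the period is accepted."""
    problems = []
    if profile not in MAX_VALIDITY:
        return [f"unknown profile {profile!r}"]
    if not_after <= not_before:
        problems.append("notAfter must be later than notBefore")
    if not_after > max_not_after(profile, not_before):
        problems.append(f"{profile}: validity period exceeds the profile maximum")
    if profile == "basic-ca-subord":
        # The table: subordinate expiry cannot exceed the root validity.
        if root_not_after is None:
            problems.append("basic-ca-subord: root notAfter is required for the check")
        elif not_after > root_not_after:
            problems.append("basic-ca-subord: expiry cannot exceed the root validity")
    return problems


if __name__ == "__main__":
    # Constructed sample: a subordinate that would outlive its root.
    root_start, root_end = utc(2020, 1, 1), utc(2040, 1, 1)
    print(check_validity("basic-ca-root", root_start, root_end))
    print(check_validity("basic-ca-subord", utc(2035, 1, 1), utc(2045, 1, 1),
                         root_not_after=root_end))
    print(check_validity("basic-ocsp", utc(2025, 1, 1), utc(2025, 1, 31)))
```

A subordinate whose proposed notAfter is within ten years but later than the root's notAfter is rejected with a message naming that rule, which is the case most often missed when a subordinate is re-keyed late in the root's life.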
Certificate critical extensions
The authority basic profiles set the following certificate critical extensions.
Extension | basic-ca-root | basic-ca-subord | basic-ocsp |
---|---|---|---|
Basic Constraints | cA=True | cA=True, pathLenConstraint=0 | cA=False |
Extended Key Usage | Never present | Never present | OCSP Signing |
Key Usage | digitalSignature, keyCertSign, cRLSign | digitalSignature, keyCertSign, cRLSign | digitalSignature, keyCertSign, cRLSign |
Certificate non-critical extensions
The authority basic profiles set the following non-critical certificate extensions.
Extension | basic-ca-root | basic-ca-subord | basic-ocsp |
---|---|---|---|
AIA | Never present | Supplied when the customer enables OCSP on CA creation | Always present |
Authority Key Identifier | Never present | Matches subjectKeyIdentifier of the signing certificate | Matches subjectKeyIdentifier of the signing certificate |
CRL Distribution Points | Never present (not applicable) | Always present | Always present |
OCSP No Check (id-pkix-ocsp-nocheck, RFC 6960) | Never present | Never present | Present |
Subject Key Identifier | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
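The Subject Key Identifier row differs from what many tools produce by default: RFC 5280 section 4.2.1.2 method 1 uses the SHA-1 of the subjectPublicKey bits, while these profiles use RFC 7093 section 2 method 1, the leftmost 160 bits of the SHA-256 of the same bits. Both hash the value of the subjectPublicKey BIT STRING with its tag, length and unused-bits byte removed, not the whole SubjectPublicKeyInfo. The following added example (not Entrust code) builds a SubjectPublicKeyInfo with a minimal DER encoder, extracts the BIT STRING value with a matching minimal parser, and computes both identifiers so the two can be compared. The EC point is a constructed placeholder with the right shape, not a real key.

```python
import hashlib


def der_len(n):
    """DER length encoding for a body of n bytes (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Parse the DER element at buf[pos:]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7


def build_ec_spki(point):
    """SubjectPublicKeyInfo for a P-256 key whose subjectPublicKey is the given uncompressed point."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY) + der_tlv(0x06, OID_PRIME256V1))
    bit_string = der_tlv(0x03, b"\x00" + point)  # first content byte: number of unused bits
    return der_tlv(0x30, alg + bit_string)


def subject_public_key_bits(spki_der):
    """Return the subjectPublicKey BIT STRING value without tag, length or unused-bits byte."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, pos = read_tlv(spki)  # skip the AlgorithmIdentifier
    tag, bits, _ = read_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bits[1:]


def ski_rfc7093_from_bits(bits):
    """RFC 7093 section 2 method 1: leftmost 160 bits of SHA-256(subjectPublicKey)."""
    return hashlib.sha256(bits).digest()[:20]


def ski_rfc5280_from_bits(bits):
    """RFC 5280 section 4.2.1.2 method 1: SHA-1(subjectPublicKey), shown for comparison."""
    return hashlib.sha1(bits).digest()


def ski_rfc7093(spki_der):
    """The identifier these profiles place in Subject Key Identifier, from a DER SubjectPublicKeyInfo."""
    return ski_rfc7093_from_bits(subject_public_key_bits(spki_der))


# Constructed sample: an uncompressed P-256 point (0x04 || X || Y) with
# placeholder coordinates. It has the correct length but is not a real key.
SAMPLE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
SAMPLE_SPKI = build_ec_spki(SAMPLE_POINT)

if __name__ == "__main__":
    bits = subject_public_key_bits(SAMPLE_SPKI)
    print("RFC 7093 (profile) SKI:", ski_rfc7093_from_bits(bits).hex())
    print("RFC 5280 (SHA-1)   SKI:", ski_rfc5280_from_bits(bits).hex())
```

When checking an issued CA or OCSP certificate against these profiles, compare the Subject Key Identifier extension value to `ski_rfc7093` of the certificate's SubjectPublicKeyInfo; a match against the SHA-1 form instead indicates the certificate was produced with RFC 5280 defaults rather than this profile. The same computation, applied to the signing certificate, gives the value expected in the Authority Key Identifier of the subordinate and OCSP certificates.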