Entrust provides the following multiuse profiles.
multiuse-p12-client
multiuse-p12-client-server
multiuse-p12-custom
- multiuse-p12-key-data-encipherment-non-repudiation-client
- multiuse-p12-key-data-encipherment-non-repudiation-client-server
multiuse-p12-key-encipherment-client
multiuse-p12-key-encipherment-client-server
multiuse-p12-key-encipherment-custom
multiuse-p12-key-encipherment-non-repudiation-client
multiuse-p12-key-encipherment-non-repudiation-client-server
multiuse-p12-key-encipherment-non-repudiation-custom
multiuse-p12-key-encipherment-non-repudiation-server
multiuse-p12-key-encipherment-server
multiuse-p12-non-repudiation-client
multiuse-p12-non-repudiation-client-server
multiuse-p12-non-repudiation-custom
multiuse-p12-non-repudiation-server
multiuse-p12-server
These profiles support the following features.
Multiuse use cases
All multiuse profiles support the following use cases.
- ECS Enterprise UI
- CA Gateway API
Multiuse issuance modes
All multiuse profiles support the following issuance modes:
- Issue the certificate from a CSR.
- Issue the certificate and an RSA2048 private key in a P12 file.
Multiuse key usages
See below the Key Usage and Extended Key Usage (EKU) extension values each multiuse profile supports.
Profile Name | Key Usage | Extended Key Usage | Allows Extended Key Usage in request |
|---|---|---|---|
multiuse-p12-client | Digital Signature, Key Agreement | TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
multiuse-p12-client-server | Digital Signature, Key Agreement | TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-custom | Digital Signature, Key Agreement | No constraints |
|
multiuse-p12-key-data-encipherment-non-repudiation-client | Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment | TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
multiuse-p12-key-data-encipherment-non-repudiation-client-server | Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment | TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
multiuse-p12-key-encipherment-client | Digital Signature, Key Agreement, Key Encipherment | TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
multiuse-p12-key-encipherment-client-server | Digital Signature, Key Agreement, Key Encipherment | TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-key-encipherment-custom | Digital Signature, Key Agreement, Key Encipherment | No constraints |
|
multiuse-p12-key-encipherment-non-repudiation-client | Digital Signature, Key Agreement, Key Encipherment, Non-Repudation | TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
multiuse-p12-key-encipherment-non-repudiation-client-server | Digital Signature, Key Agreement, Key Encipherment, Non-Repudation | TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-key-encipherment-non-repudiation-custom | Digital Signature, Key Agreement, Key Encipherment, Non-Repudation | No constraints |
|
multiuse-p12-key-encipherment-non-repudiation-server | Digital Signature, Key Agreement, Key Encipherment, Non-Repudation | TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-key-encipherment-server | Digital Signature, Key Agreement, Key Encipherment | TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-non-repudiation-client | Digital Signature, Key Agreement, Non-Repudation | TLS client Authentication (1.3.6.1.5.5.7.3.2) |
|
multiuse-p12-non-repudiation-client-server | Digital Signature, Key Agreement, Non-Repudation | TLS client Authentication (1.3.6.1.5.5.7.3.2) TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-non-repudiation-custom | Digital Signature, Key Agreement, Non-Repudation | No constraints |
|
multiuse-p12-non-repudiation-server | Digital Signature, Key Agreement, Non-Repudation | TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
multiuse-p12-server | Digital Signature, Key Agreement | TLS server authentication (1.3.6.1.5.5.7.3.1) |
|
Multiuse request extensions
All multiuse profiles support the following non-critical extensions in request.
Extension | OID |
|---|---|
ApplicationPolicies | 1.3.6.1.4.1.311.21.10 |
CertificatePolicies | 2.5.29.32 |
Multiuse certificate fields
All multiuse profiles set the following certificate fields.
Field | Value |
|---|---|
Issuer | Customer's subordinate issuing CA. |
Subject | No constraint. |
Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |
Multiuse certificate extensions
All multiuse profiles set the following certificate extensions.
Extension | Critical | Value |
|---|---|---|
AIA | No | Supplied if the customer enables OCSP when creating the CA |
Authority Key Identifier | No | Matches subjectKeyIdentifier of the signing certificate |
Basic Constraints | Yes | cA =False |
CRL Distribution Points | No | Always present |
Key Usage | Yes | Digital Signature, Key Encipherment |
Subject Alternative Name | No | No constraints |
Subject Key Identifier | No | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |
Multiuse algorithm constraints
All multiuse profiles support the following key and signature algorithms.
Key algorithm | Signature algorithm |
|---|---|
ECDSA P-256 | ecdsa-with-SHA256 |
ECDSA P-384 | ecdsa-with-SHA384 |
ECDSA P-521 | ecdsa-with-SHA512 |
RSA 2048 | sha256WithRSAEncryption |
RSA 3072 | sha256WithRSAEncryption |
RSA 4096 | sha512WithRSAEncryption |
The NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
Multiuse distinguished names
Entrust has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.
Alias | OID |
|---|---|
'CN' 'CommonName' | 2.5.4.3 |
'SN' 'SurName' | 2.5.4.4 |
'SERIALNUMBER' 'DeviceSerialNumber' | 2.5.4.5 |
'C' 'Country' | 2.5.4.6 |
'L' 'Locality' | 2.5.4.7 |
'ST' 'S' 'State' | 2.5.4.8 |
'STREET' 'StreetAddress' | 2.5.4.9 |
'O' 'Org' 'Organization' | 2.5.4.10 |
'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit' | 2.5.4.11 |
'T' 'Title' | 2.5.4.12 |
'BUSINESSCATEGORY' | 2.5.4.15 |
'POSTALCODE' | 2.5.4.17 |
'givenName' 'G' | 2.5.4.42 |
'I' 'Initials' | 2.5.4.43 |
'ORGANIZATIONIDENTIFIER' | 2.5.4.97 |
'UID' | 0.9.2342.19200300.100.1.1 |
'DC' 'DomainComponent' | 0.9.2342.19200300.100.1.25 |
'Email' 'E' | 1.2.840.113549.1.9.1 |
'unstructuredName' | 1.2.840.113549.1.9.2 |
'unstructuredAddress' | 1.2.840.113549.1.9.8 |
'JurisdictionOfIncorporationLocalityName' | 1.3.6.1.4.1.311.60.2.1.1 |
'JurisdictionOfIncorporationStateOrProvinceName' | 1.3.6.1.4.1.311.60.2.1.2 |
'JurisdictionOfIncorporationCountryName' | 1.3.6.1.4.1.311.60.2.1.3 |
'TrademarkOfficeName' | 1.3.6.1.4.1.53087.1.2 |
'TrademarkCountryOrRegionName' | 1.3.6.1.4.1.53087.1.3 |
'TrademarkRegistration' | 1.3.6.1.4.1.53087.1.4 |
'LegalEntityIdentifier' | 1.3.6.1.4.1.53087.1.5 |
'WordMark' | 1.3.6.1.4.1.53087.1.6 |
'MarkType' | 1.3.6.1.4.1.53087.1.13 |
'StatuteCountryName' | 1.3.6.1.4.1.53087.3.2 |
'StatuteStateOrProvinceName' | 1.3.6.1.4.1.53087.3.3 |
'StatuteLocalityName' | 1.3.6.1.4.1.53087.3.4 |
'StatuteCitation' | 1.3.6.1.4.1.53087.3.5 |
'StatuteURL' | 1.3.6.1.4.1.53087.3.6 |