Private SSL (ACMEv2) certificate profiles

PKIaaS provides the following Private SSL (ACMEv2) certificate profiles.

  • privatessl-tls-client

  • privatessl-tls-client-server

  • privatessl-tls-client-server-data-encipherment

  • privatessl-tls-client-server-supply-san

  • privatessl-tls-server

  • privatessl-tls-server-supply-san

These profiles support the following features.

Private SSL use cases

All private SSL profiles support the following use cases.

ECS Enterprise UI

CA Gateway API

Entrust-hosted Enrollment Gateway

On-prem Enrollment Gateway

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/error.svg

images/s/by4ula/8804/47zayh/_/images/icons/emoticons/check.svg

Private SSL key usages

See below the Key Usage and Extended Key Usage (EKU) extension values each private SSL profile supports.

Profile

Key Usage

Extended Key Usage

privatessl-tls-client

Digital Signature

TLS client authentication (1.3.6.1.5.5.7.3.2)

privatessl-tls-client-server

Digital Signature

TLS client authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

privatessl-tls-client-server-data-encipherment

Digital Signature, Data Encipherment

TLS client authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

privatessl-tls-client-server-supply-san

Digital Signature

TLS client authentication (1.3.6.1.5.5.7.3.2)

TLS server authentication (1.3.6.1.5.5.7.3.1)

privatessl-tls-server

Digital Signature

TLS server authentication (1.3.6.1.5.5.7.3.1)

privatessl-tls-server-supply-san

Digital Signature

TLS server authentication (1.3.6.1.5.5.7.3.1)

Private SSL fill_san_dns_with_cn

When the fill_san_dns_with_cn parameter is True, the profile copies in the SubjectAltname extension all the CN fields:

  • included in the Subject extension, and

  • not already in the SubjectAltname extension (to avoid duplicated entries).

See below the value of this parameter in each profile.

Profile

fill_san_dns_with_cn

privatessl-tls-client

False

privatessl-tls-client-server

False

privatessl-tls-client-server-data-encipherment

False

privatessl-tls-client-server-supply-san

True

privatessl-tls-server

False

privatessl-tls-server-supply-san

True

Private SSL request extensions

All private SSL profiles support the following non-critical extensions in request.

Extension Name

Extension OID

Application Policies

1.3.6.1.4.1.311.21.10

Certificate Policies

2.5.29.32

Private SSL certificate fields

All Private SSL profiles set the following certificate fields.

Field

Value

Issuer

Customer's subordinate issuing CA.

Subject

No constraint.

Validity period

Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request.

Private SSL certificate extensions

All private SSL profiles set the following certificate extensions.

Extension

Critical

Value

AIA

No

Supplied if the customer enables OCSP when creating the CA

Authority Key Identifier

No

Matches subjectKeyIdentifier of the signing certificate

Basic Constraints

Yes

cA =False

CRL Distribution Points

No

Always present

Subject Alternative Name

No

No constraints

Subject Key Identifier

No

«The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2

Private SSL algorithm constraints

All private SSL profiles support the following key and signature algorithms.

Key algorithm

Signature algorithm

ECDSA P-256

ecdsa-with-SHA256

ECDSA P-384

ecdsa-with-SHA384

ECDSA P-521

ecdsa-with-SHA512

RSA 2048

sha256WithRSAEncryption

RSA 3072

sha256WithRSAEncryption

RSA 4096

sha512WithRSAEncryption

Private SSL distinguished names

PKIaaS has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

Alias

OID

'CN' 'CommonName'

2.5.4.3

'SN' 'SurName'

2.5.4.4

'SERIALNUMBER' 'DeviceSerialNumber'

2.5.4.5

'C' 'Country'

2.5.4.6

'L' 'Locality'

2.5.4.7

'ST' 'S' 'State'

2.5.4.8

'STREET' 'StreetAddress'

2.5.4.9

'O' 'Org' 'Organization'

2.5.4.10

'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'

2.5.4.11

'T' 'Title'

2.5.4.12

'BUSINESSCATEGORY'

2.5.4.15

'POSTALCODE'

2.5.4.17

'givenName' 'G'

2.5.4.42

'I' 'Initials'

2.5.4.43

'ORGANIZATIONIDENTIFIER'

2.5.4.97

'UID'

0.9.2342.19200300.100.1.1

'DC' 'DomainComponent'

0.9.2342.19200300.100.1.25

'Email' 'E'

1.2.840.113549.1.9.1

'unstructuredName'

1.2.840.113549.1.9.2

'unstructuredAddress'

1.2.840.113549.1.9.8

'JurisdictionOfIncorporationLocalityName'

1.3.6.1.4.1.311.60.2.1.1

'JurisdictionOfIncorporationStateOrProvinceName'

1.3.6.1.4.1.311.60.2.1.2

'JurisdictionOfIncorporationCountryName'

1.3.6.1.4.1.311.60.2.1.3

'TrademarkOfficeName'

1.3.6.1.4.1.53087.1.2

'TrademarkCountryOrRegionName'

1.3.6.1.4.1.53087.1.3

'TrademarkRegistration'

1.3.6.1.4.1.53087.1.4

'LegalEntityIdentifier'

1.3.6.1.4.1.53087.1.5

'WordMark'

1.3.6.1.4.1.53087.1.6

'MarkType'

1.3.6.1.4.1.53087.1.13

'StatuteCountryName'

1.3.6.1.4.1.53087.3.2

'StatuteStateOrProvinceName'

1.3.6.1.4.1.53087.3.3

'StatuteLocalityName'

1.3.6.1.4.1.53087.3.4

'StatuteCitation'

1.3.6.1.4.1.53087.3.5

'StatuteURL'

1.3.6.1.4.1.53087.3.6