Entrust provides the following smartcard certificate profiles.

  • smartcard-card-authentication
  • smartcard-digital-signature
  • smartcard-domain-controller
  • smartcard-key-management
  • smartcard-piv-authentication
  • smartcard-piv-content-signing

These profiles support the following features.

Smartcard use cases

All smartcard profiles support the following use cases.

  • ECS Enterprise UI
  • CA Gateway API

Smartcard key usages and request extensions

The following table lists the Key Usage and Extended Key Usage (EKU) extension values each smartcard profile supports, together with the extensions that are allowed in the request.

| Profile | Key Usage | Extended Key Usage | Allowed in request |
| --- | --- | --- | --- |
| smartcard-card-authentication | Digital Signature | No constraints | PIV Interim Indicator (2.16.840.1.101.3.6.9.1); Security ID (1.3.6.1.4.1.311.25.2) |
| smartcard-digital-signature | Digital Signature, Non-Repudiation | No constraints | PIV Interim Indicator (2.16.840.1.101.3.6.9.1); Security ID (1.3.6.1.4.1.311.25.2) |
| smartcard-domain-controller | Digital Signature, Key Encipherment | TLS server authentication (1.3.6.1.5.5.7.3.1); TLS client authentication (1.3.6.1.5.5.7.3.2) | |
| smartcard-key-management | Key Encipherment | No constraints | PIV Interim Indicator (2.16.840.1.101.3.6.9.1); Security ID (1.3.6.1.4.1.311.25.2) |
| smartcard-piv-authentication | Digital Signature | Any Extended Key Usage (2.5.29.37.0); Microsoft Smart Card Login (1.3.6.1.4.1.311.20.2.2); TLS client authentication (1.3.6.1.5.5.7.3.2) | PIV Interim Indicator (2.16.840.1.101.3.6.9.1); Security ID (1.3.6.1.4.1.311.25.2) |
| smartcard-piv-content-signing | Digital Signature, Non-Repudiation | No constraints | |

Smartcard certificate fields

All smartcard profiles set the following certificate fields.

| Field | Value |
| --- | --- |
| Issuer | Customer's subordinate issuing CA. |
| Subject | No constraint. |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 1 year if not specified in the request. |

Smartcard certificate extensions

All smartcard profiles set the following certificate extensions.

| Extension | Critical | Value |
| --- | --- | --- |
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA = False |
| CRL Distribution Points | No | Always present |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | "The leftmost 160 bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey", as described in RFC 7093 section 2 |
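As an added example (not Entrust's code), the following Python checks a parsed certificate against the profile tables above: the Key Usage, EKU and allowed request extensions per profile, the critical cA = False Basic Constraints, and the RFC 7093 Subject Key Identifier. The `cert` dict shape and the sample key bytes are assumptions made for the example.

```python
import hashlib

# Profile table from the page: (Key Usage bits, EKU OIDs or None = no constraints, OIDs allowed in request).
PIV_INTERIM, SECURITY_ID = "2.16.840.1.101.3.6.9.1", "1.3.6.1.4.1.311.25.2"
TLS_SERVER, TLS_CLIENT = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
ANY_EKU, MS_SMARTCARD_LOGON = "2.5.29.37.0", "1.3.6.1.4.1.311.20.2.2"
PROFILES = {
    "smartcard-card-authentication": ({"digitalSignature"}, None, {PIV_INTERIM, SECURITY_ID}),
    "smartcard-digital-signature": ({"digitalSignature", "nonRepudiation"}, None, {PIV_INTERIM, SECURITY_ID}),
    "smartcard-domain-controller": ({"digitalSignature", "keyEncipherment"}, {TLS_SERVER, TLS_CLIENT}, set()),
    "smartcard-key-management": ({"keyEncipherment"}, None, {PIV_INTERIM, SECURITY_ID}),
    "smartcard-piv-authentication": ({"digitalSignature"}, {ANY_EKU, MS_SMARTCARD_LOGON, TLS_CLIENT}, {PIV_INTERIM, SECURITY_ID}),
    "smartcard-piv-content-signing": ({"digitalSignature", "nonRepudiation"}, None, set()),
}

def rfc7093_ski(subject_public_key: bytes) -> bytes:
    """Leftmost 160 bits of SHA-256 over the subjectPublicKey BIT STRING value (RFC 7093 section 2)."""
    return hashlib.sha256(subject_public_key).digest()[:20]

def check_profile(profile: str, cert: dict) -> list:
    """Compare a parsed certificate (assumed dict shape, see sample) with the profile table; [] = matches."""
    allowed_ku, allowed_eku, allowed_req = PROFILES[profile]
    findings = []
    if cert["key_usage"] != allowed_ku:  # the profile sets exactly these Key Usage bits
        findings.append(f"key usage {sorted(cert['key_usage'])} != {sorted(allowed_ku)}")
    if allowed_eku is not None and not cert["eku"] <= allowed_eku:
        findings.append(f"EKU not supported by profile: {sorted(cert['eku'] - allowed_eku)}")
    if not cert["request_exts"] <= allowed_req:
        findings.append(f"extension not allowed in request: {sorted(cert['request_exts'] - allowed_req)}")
    if cert["ca"] or not cert["bc_critical"]:  # Basic Constraints: critical, cA = False
        findings.append("basicConstraints must be critical with cA = False")
    if cert["ski"] != rfc7093_ski(cert["subject_public_key"]):
        findings.append("subjectKeyIdentifier is not the RFC 7093 SHA-256 truncation")
    return findings

# Constructed sample (not a real key): a PIV authentication certificate that follows the table.
SAMPLE_SPK = bytes.fromhex("04" + "11" * 64)
PIV_AUTH_CERT = {
    "key_usage": {"digitalSignature"}, "eku": {MS_SMARTCARD_LOGON, TLS_CLIENT},
    "request_exts": {PIV_INTERIM}, "ca": False, "bc_critical": True,
    "subject_public_key": SAMPLE_SPK, "ski": rfc7093_ski(SAMPLE_SPK),
}

if __name__ == "__main__":
    print(check_profile("smartcard-piv-authentication", PIV_AUTH_CERT) or "matches profile")
    # Same certificate judged against key-management: wrong Key Usage, and a SAN (2.5.29.17) in the request is not allowed.
    wrong = dict(PIV_AUTH_CERT, key_usage={"digitalSignature"}, request_exts={"2.5.29.17"})
    for finding in check_profile("smartcard-key-management", wrong):
        print("finding:", finding)
```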

Smartcard algorithm constraints

All smartcard profiles support the following key and signature algorithms.

| Key algorithm | Signature algorithm |
| --- | --- |
| ECDSA P-256 | ecdsa-with-SHA256 |
| ECDSA P-384 | ecdsa-with-SHA384 |
| ECDSA P-521 | ecdsa-with-SHA512 |
| RSA 2048 | sha256WithRSAEncryption |
| RSA 3072 | sha256WithRSAEncryption |
| RSA 4096 | sha512WithRSAEncryption |

NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

Smartcard distinguished names

Entrust has no restriction on Distinguished Names (DNs) per certificate profile. All certificate profiles support the following identifiers.

| Alias | OID |
| --- | --- |
| 'CN', 'CommonName' | 2.5.4.3 |
| 'SN', 'SurName' | 2.5.4.4 |
| 'SERIALNUMBER', 'DeviceSerialNumber' | 2.5.4.5 |
| 'C', 'Country' | 2.5.4.6 |
| 'L', 'Locality' | 2.5.4.7 |
| 'ST', 'S', 'State' | 2.5.4.8 |
| 'STREET', 'StreetAddress' | 2.5.4.9 |
| 'O', 'Org', 'Organization' | 2.5.4.10 |
| 'OU', 'OrganizationalUnit', 'OrganizationUnit', 'OrgUnit' | 2.5.4.11 |
| 'T', 'Title' | 2.5.4.12 |
| 'BUSINESSCATEGORY' | 2.5.4.15 |
| 'POSTALCODE' | 2.5.4.17 |
| 'givenName', 'G' | 2.5.4.42 |
| 'I', 'Initials' | 2.5.4.43 |
| 'ORGANIZATIONIDENTIFIER' | 2.5.4.97 |
| 'UID' | 0.9.2342.19200300.100.1.1 |
| 'DC', 'DomainComponent' | 0.9.2342.19200300.100.1.25 |
| 'Email', 'E' | 1.2.840.113549.1.9.1 |
| 'unstructuredName' | 1.2.840.113549.1.9.2 |
| 'unstructuredAddress' | 1.2.840.113549.1.9.8 |
| 'JurisdictionOfIncorporationLocalityName' | 1.3.6.1.4.1.311.60.2.1.1 |
| 'JurisdictionOfIncorporationStateOrProvinceName' | 1.3.6.1.4.1.311.60.2.1.2 |
| 'JurisdictionOfIncorporationCountryName' | 1.3.6.1.4.1.311.60.2.1.3 |
| 'TrademarkOfficeName' | 1.3.6.1.4.1.53087.1.2 |
| 'TrademarkCountryOrRegionName' | 1.3.6.1.4.1.53087.1.3 |
| 'TrademarkRegistration' | 1.3.6.1.4.1.53087.1.4 |
| 'LegalEntityIdentifier' | 1.3.6.1.4.1.53087.1.5 |
| 'WordMark' | 1.3.6.1.4.1.53087.1.6 |
| 'MarkType' | 1.3.6.1.4.1.53087.1.13 |
| 'StatuteCountryName' | 1.3.6.1.4.1.53087.3.2 |
| 'StatuteStateOrProvinceName' | 1.3.6.1.4.1.53087.3.3 |
| 'StatuteLocalityName' | 1.3.6.1.4.1.53087.3.4 |
| 'StatuteCitation' | 1.3.6.1.4.1.53087.3.5 |
| 'StatuteURL' | 1.3.6.1.4.1.53087.3.6 |