Version 3 Extensions
An X.509 version 3 certificate contains the fields defined in version 1 and version 2 and adds certificate extensions. The ASN.1 syntax of certificate extensions is shown in the following example.
---------------------------------------------------------------------
-- Extensions (beginning with version 3).
---------------------------------------------------------------------
Extensions ::= SEQUENCE OF Extension
Extension ::= SEQUENCE
{
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
}
Each extension carries an object identifier, a criticality flag, and the DER-encoded extension value wrapped in an OCTET STRING. Because critical is declared DEFAULT FALSE, a DER encoder omits the field unless the extension is critical. The flag decides how a relying party handles an extension it does not understand: a certificate that contains an unrecognized critical extension must be rejected, while an unrecognized non-critical extension may be ignored (RFC 5280, section 4.2). The standard version 3 extensions and their object identifiers (OIDs) are listed in the following table. Microsoft supports these and includes additional custom extensions. For more information, see Extensions.
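The following example, added here and not part of the original page, encodes and decodes the Extension structure above with a minimal DER codec, then applies the criticality rule the way a path validator would. The sample extensions are constructed by hand for a subordinate CA certificate; 2.999.1 is the OID arc reserved for documentation examples and stands in for an extension the validator has no handler for. The `KNOWN` table holds only the OIDs this validator can process.

```python
"""Encode/decode X.509 v3 Extensions (RFC 5280 4.1) with a minimal DER codec.

Added example, not code from the page it accompanies. The sample extensions
below are constructed; OID 2.999.1 is the documentation-example arc used as
an extension the validator does not recognize.
"""

def _base128(n):
    out = bytearray([n & 0x7F]); n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F)); n >>= 7
    return bytes(out)

def der(tag, content):
    """Tag-length-value with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1])  # first two arcs share one subidentifier
    for a in arcs[2:]:
        body += _base128(a)
    return der(0x06, body)

def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }.
    DER forbids encoding a field equal to its DEFAULT, so critical appears only when TRUE."""
    fields = encode_oid(oid)
    if critical:
        fields += der(0x01, b"\xff")
    return der(0x30, fields + der(0x04, value))

def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end

def decode_oid(body):
    values, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(acc); acc = 0
    first = values[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + values[1:])

def parse_extensions(buf):
    """Return [(oid, critical, extnValue)] from a DER Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        t, oid_body, p = read_tlv(ext)
        t, body, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional critical BOOLEAN
            if body != b"\xff":            # DER: TRUE is 0xFF, FALSE must be omitted
                raise ValueError("non-DER BOOLEAN in critical field")
            critical = True
            t, body, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_body), critical, body))
    return result

def parse_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    _, seq, _ = read_tlv(value)
    ca, path_len, pos = False, None, 0
    while pos < len(seq):
        t, body, pos = read_tlv(seq, pos)
        if t == 0x01:
            ca = body == b"\xff"
        elif t == 0x02:
            path_len = int.from_bytes(body, "big")
    return ca, path_len

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def parse_key_usage(value):
    """KeyUsage is a BIT STRING; bit 0 is the most significant bit of the first byte."""
    _, body, _ = read_tlv(value)
    bits = body[1:]                        # body[0] is the count of unused trailing bits
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}

KNOWN = {"2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName",
         "2.5.29.19": "basicConstraints", "2.5.29.31": "cRLDistributionPoints",
         "2.5.29.35": "authorityKeyIdentifier", "2.5.29.37": "extKeyUsage"}

def unrecognized_critical(exts, known=KNOWN):
    """RFC 5280 4.2: reject the certificate if this list is non-empty."""
    return [oid for oid, critical, _ in exts if critical and oid not in known]

# Constructed sample: the extensions of a subordinate CA certificate.
SAMPLE = der(0x30,
    encode_extension("2.5.29.19", der(0x30, der(0x01, b"\xff") + der(0x02, b"\x00")), critical=True)
    + encode_extension("2.5.29.15", der(0x03, b"\x01\x06"), critical=True)        # keyCertSign | cRLSign
    + encode_extension("2.5.29.37", der(0x30, encode_oid("1.3.6.1.5.5.7.3.1")))   # serverAuth
    + encode_extension("2.999.1", der(0x04, b"opaque"), critical=True))           # unknown, critical

if __name__ == "__main__":
    exts = parse_extensions(SAMPLE)
    for oid, critical, value in exts:
        print(oid, KNOWN.get(oid, "?"), "critical" if critical else "", value.hex())
    print("reject:", unrecognized_critical(exts))
```

The decoder deliberately refuses an explicitly encoded `critical FALSE`: DER requires DEFAULT values to be omitted, and accepting both encodings is how two validators end up disagreeing about the same certificate.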
Extension | Description |
---|---|
Authority Key Identifier (2.5.29.35) | Identifies the certification authority (CA) public key that corresponds to the CA private key used to sign the certificate, usually by a key identifier that matches the issuer certificate's Subject Key Identifier. |
Basic Constraints (2.5.29.19) | Specifies whether the subject is a CA (cA) and, if so, the maximum number of subordinate CA certificates that may follow it in the chain (pathLenConstraint). RFC 5280 requires CA certificates to carry this extension and mark it critical. |
Certificate Policies (2.5.29.32) | Specifies the policies under which the certificate has been issued and the purposes for which it can be used. |
CRL Distribution Points (2.5.29.31) | Contains one or more distribution points (typically HTTP or LDAP URIs) from which the base certificate revocation list (CRL) can be retrieved. |
Enhanced Key Usage (2.5.29.37) | Microsoft's name for Extended Key Usage. Specifies the purposes for which the public key contained in the certificate can be used (for example server authentication or code signing), in addition to or in place of the basic purposes in Key Usage. |
Issuer Alternative Name (2.5.29.18) | Specifies one or more alternative name forms for the issuer of the certificate. (2.5.29.8 is the obsolete 1988 OID for the same extension.) |
Key Usage (2.5.29.15) | Specifies restrictions on the operations that can be performed by the public key contained in the certificate, such as digitalSignature, keyEncipherment, keyCertSign, and cRLSign. |
Name Constraints (2.5.29.30) | Specifies the namespace within which all subject names in a certificate hierarchy must be located. The extension is used only in a CA certificate. |
Policy Constraints (2.5.29.36) | Constrains path validation by prohibiting policy mapping or by requiring that each certificate in the hierarchy contain an acceptable policy identifier. The extension is used only in a CA certificate. |
Policy Mappings (2.5.29.33) | Specifies the policies in a subordinate CA that correspond to policies in the issuing CA. |
Private Key Usage Period (2.5.29.16) | Specifies a different validity period for the private key than for the certificate with which the private key is associated. Not part of the RFC 5280 profile and rarely used. |
Subject Alternative Name (2.5.29.17) | Specifies one or more alternative name forms for the subject of the certificate. Example alternative forms include email addresses, DNS names, IP addresses, and URIs. |
Subject Directory Attributes (2.5.29.9) | Conveys identification attributes such as the nationality of the certificate subject. The extension value is a sequence of OID-value pairs. |
Subject Key Identifier (2.5.29.14) | Identifies the public key certified by the certificate, so that a path builder can match a child certificate's Authority Key Identifier to the issuer and distinguish between multiple keys held by the same subject. The value is typically the SHA-1 hash of the subjectPublicKey BIT STRING. |