Commit 675fb3e

Add profile for Cross-Certified Subordinate CA Certificates (#344)
This CP/CPS previously only had a profile for Subordinate CA Certificates. The values listed in that profile were appropriate for issuing intermediates, but not appropriate for cross-signed roots. Add a profile specifically for "Cross-Certified Subordinate CA Certificates" (as Section 7.1.2.2 of the Baseline Requirements calls them) with values showing which fields are identical to the pre-existing certificate.
1 parent 1a0aae0 commit 675fb3e

1 file changed

Lines changed: 20 additions & 4 deletions


@@ -986,9 +986,9 @@ See [Section 5.5.5](#555-requirements-for-time-stamping-of-records).
986986

987987
## 7.1 Certificate profile
988988

989-
All fields are as specified in RFC 5280 and the Baseline Requirements, including fields and extensions not specifically mentioned.
989+
All ISRG Certificates adhere to one of the following Certificate Profiles, which are derived from the profiles with the same names found in Section 7.1.2 of the Baseline Requirements. Fields and extensions not specifically mentioned are as specified in RFC 5280 and the Baseline Requirements.
990990

991-
### Root CA Certificate
991+
### Root CA Certificate Profile
992992

993993
| Field or extension | Value |
994994
| ------------------------------ | ------------------------------------------------------------------------|
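Review bot: the new intro at line 989 says the profiles are "derived from the profiles with the same names found in Section 7.1.2 of the Baseline Requirements", but the heading added later in this same change, "Subscriber (End-Entity) Certificate and Precertificate Profile", merges what the Baseline Requirements publish as two separate profiles (a Subscriber certificate profile and a Precertificate profile), so the names are not literally the same. Suggest "derived from the corresponding profiles in Section 7.1.2 of the Baseline Requirements" so the sentence stays accurate as the headings here diverge from the BR wording.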
@@ -1000,7 +1000,23 @@ All fields are as specified in RFC 5280 and the Baseline Requirements, including
10001000
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
10011001
| Key Usage | keyCertSign, cRLSign (critical) |
10021002

1003-
### Subordinate CA Certificate
1003+
### Cross-Certified Subordinate CA Certificate Profile
1004+
1005+
| Field or extension | Value |
1006+
| ------------------------------ | ----------------------------------------------------------------------------- |
1007+
| Serial Number | Unique, with 64 bits of output from a CSPRNG |
1008+
| Issuer Distinguished Name | Derived from Issuer certificate |
1009+
| Subject Distinguished Name | Identical to the existing CA certificate |
1010+
| Validity Period | Up to 8 years |
1011+
| Basic Constraints | Identical to the existing CA certificate |
1012+
| Key Usage | Identical to the existing CA certificate |
1013+
| Extended Key Usage | TLS Server Authentication and optionally TLS Client Authentication |
1014+
| Certificate Policies | CAB Forum Domain Validated (2.23.140.1.2.1) |
1015+
| Authority Information Access | Contains CA Issuers URL and optionally an OCSP URL; URLs vary based on Issuer |
1016+
| Subject Public Key | Identical to the existing CA certificate |
1017+
| CRL Distribution Points | Contains a CRL URL; URL varies based on Issuer |
1018+
1019+
### TLS Subordinate CA Certificate Profile
10041020

10051021
| Field or extension | Value |
10061022
| ------------------------------ | ----------------------------------------------------------------------------- |
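Review bot: in the new Cross-Certified Subordinate CA Certificate table, Extended Key Usage ("TLS Server Authentication and optionally TLS Client Authentication") and Certificate Policies ("CAB Forum Domain Validated (2.23.140.1.2.1)") are the only substantive rows with fixed values rather than "Identical to the existing CA certificate", and nothing explains the asymmetry. When the existing certificate is a root it carries neither extension (the Root CA Certificate Profile rows visible above list no EKU or policy), so a one-sentence note under the heading stating that these two extensions are set on the cross-certificate to constrain it to TLS regardless of what the existing certificate contains would make the intent explicit to auditors reading this profile against the BR. Separately, "Unique, with 64 bits of output from a CSPRNG" reads as exactly 64 bits; the BR requirement is "at least 64 bits of output from a CSPRNG", so consider "at least 64 bits" in this new row.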
@@ -1016,7 +1032,7 @@ All fields are as specified in RFC 5280 and the Baseline Requirements, including
10161032
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
10171033
| CRL Distribution Points | Contains a CRL URL; URL varies based on Issuer |
10181034

1019-
### DV-SSL Subscriber Certificate
1035+
### Subscriber (End-Entity) Certificate and Precertificate Profile
10201036

10211037
| Field or extension | Value |
10221038
| --------------------------------- | --------------------------------------------------------------------------------- |
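Review bot: the renamed heading "Subscriber (End-Entity) Certificate and Precertificate Profile" folds precertificates into the subscriber profile, but a precertificate and its final certificate differ in at least one extension each way (the final certificate lacks the critical RFC 6962 poison extension that the precertificate carries, and the precertificate lacks the SCT list extension), and the table header that follows gives no hint of this. Add either a row covering those two extensions or a sentence under the heading saying the profile applies to both forms and naming the extensions in which they differ, so a reader checking a precertificate against this profile is not left to infer the exception.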
