24 changes: 20 additions & 4 deletions CP-CPS.md
Expand Up @@ -986,9 +986,9 @@ See [Section 5.5.5](#555-requirements-for-time-stamping-of-records).

## 7.1 Certificate profile

All fields are as specified in RFC 5280 and the Baseline Requirements, including fields and extensions not specifically mentioned.
All ISRG Certificates adhere to one of the following Certificate Profiles, which are derived from the profiles with the same names found in Section 7.1.2 of the Baseline Requirements. Fields and extensions not specifically mentioned are as specified in RFC 5280 and the Baseline Requirements.

### Root CA Certificate
### Root CA Certificate Profile

| Field or extension | Value |
| ------------------------------ | ------------------------------------------------------------------------|
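Review bot: the new introductory sentence claims the profiles are "derived from the profiles with the same names found in Section 7.1.2 of the Baseline Requirements", but the headings this PR introduces do not all map one-for-one onto a BR profile name: the subscriber heading renamed later in this diff covers both the end-entity certificate and the precertificate under a single title, which the BRs treat as separate profiles. Either split that heading so the names really do match, or soften the wording to "derived from the corresponding profiles in Section 7.1.2 of the Baseline Requirements" so the CPS does not make a name-equivalence claim a reader can falsify by comparing section titles. The second sentence (unmentioned fields and extensions follow RFC 5280 and the BRs) is a clear improvement over the original "including fields and extensions not specifically mentioned", which read as if the tables below enumerated every field.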
Expand All @@ -1000,7 +1000,23 @@ All fields are as specified in RFC 5280 and the Baseline Requirements, including
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
| Key Usage | keyCertSign, cRLSign (critical) |

### Subordinate CA Certificate
### Cross-Certified Subordinate CA Certificate Profile

Contributor

This section doesn't specify AKID or SKID, which are MUST in the BRs: https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71223-cross-certified-subordinate-ca-extensions. Am I correct in assuming we omit them because they're adequately specified in the BRs? The BRs also specify version and signature, which we omit in all our CP-CPS profiles. But on the other hand, our specification of Serial Number is just a partial restatement of what's in the BRs.


Contributor Author

Absolutely agreed that the set of things we choose to talk about here is not logical. But I don't want to upend that in this PR; we'll save that for the much bigger CP/CPS changes that happen as part of our remediation items and in preparation for compliance with updated Apple and Mozilla policies regarding CPS content.


| Field or extension | Value |
| ------------------------------ | ----------------------------------------------------------------------------- |
| Serial Number | Unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | Derived from Issuer certificate |
| Subject Distinguished Name | Identical to the existing CA certificate |
| Validity Period | Up to 8 years |
| Basic Constraints | Identical to the existing CA certificate |
| Key Usage | Identical to the existing CA certificate |
| Extended Key Usage | TLS Server Authentication and optionally TLS Client Authentication |
| Certificate Policies | CAB Forum Domain Validated (2.23.140.1.2.1) |
| Authority Information Access | Contains CA Issuers URL and optionally an OCSP URL; URLs vary based on Issuer |
| Subject Public Key | Identical to the existing CA certificate |
| CRL Distribution Points | Contains a CRL URL; URL varies based on Issuer |

### TLS Subordinate CA Certificate Profile

| Field or extension | Value |
| ------------------------------ | ----------------------------------------------------------------------------- |
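Review bot: the Extended Key Usage row of the new Cross-Certified Subordinate CA Certificate Profile makes TLS Server Authentication mandatory, yet every other row is written so the profile also fits a cross-sign whose subject is a root ("Identical to the existing CA certificate" for Subject Distinguished Name, Basic Constraints, Key Usage and Subject Public Key, with a Validity Period of up to 8 years). The BR profile this is derived from distinguishes the root-as-subject case from the intermediate case for EKU, so say explicitly whether this profile covers cross-certificates of a root at all and, if it does, whether serverAuth is still required there; as written a cross-signed root without an EKU would not "adhere to one of the following Certificate Profiles" as the intro now requires. Smaller point on the same table: the Serial Number row restates only the 64-bit CSPRNG floor of the BR rule, which is the partial restatement the thread above already flags; if it stays for consistency with the other profiles, keep the wording identical across all of them so a reader does not infer a difference where none is intended.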
Expand All @@ -1016,7 +1032,7 @@ All fields are as specified in RFC 5280 and the Baseline Requirements, including
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
| CRL Distribution Points | Contains a CRL URL; URL varies based on Issuer |

### DV-SSL Subscriber Certificate
### Subscriber (End-Entity) Certificate and Precertificate Profile

| Field or extension | Value |
| --------------------------------- | --------------------------------------------------------------------------------- |
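Review bot: the renamed heading now covers precertificates as well as final certificates, but this hunk adds no row for what distinguishes the two: a precertificate carries the critical CT poison extension (1.3.6.1.4.1.11129.2.4.3, RFC 6962) and the final certificate must not, with the final certificate otherwise differing only by that extension and the embedded SCT list. If both artifacts are to share one table, add a row stating that, otherwise a reader cannot tell from this profile which of the two a given field applies to. Dropping "DV-SSL" from the heading also removes the only place the title said these are DV certificates; confirm the Certificate Policies row in the table still pins the DV policy OID, as the cross-certified profile above does with 2.23.140.1.2.1.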