Profiles of the certificates used
In the public administration PKI (Public Key Infrastructure), certificates in the X.509v3 (international standard for public key certificates, version 3) format following the MTTv2 (Mail Trust, version 2) specification are used: these hold data about the validity period, the signature algorithm used, the key length, the certificate holder and the issuer. With the certificate extensions defined in X.509, the informational content of the certificate can be extended to include other details. A distinction is made between extensions (which among other things permit statements to be made about intended use or validation options) that need to be interpreted by Sphinx-compliant components and those that do not. This interpretation is mandatory for the 'KeyUsage' and 'BasicConstraints' extensions, assuming that they are included in the certificate. They are therefore marked as 'critical' in the certificate.
The 'BasicConstraints' extension permits the definition of restrictions within the PKI and ensures that only certificate authorities can create certificates -- but subscribers cannot. The length of the certificate path can also be limited.
The usage properties of the public keys are defined by using the 'KeyUsage' extension. Within CA (Certificate Authority) and PCA (Policy Certificate Authority) certificates, options are restricted to the attributes 'keyCertSign' (signature of public keys) and 'cRLSign' (signature of revocation lists). In contrast, end-user certificates use the attributes 'digitalSignature' for authentication, 'nonRepudation' for the electronic signature and 'keyEncipherment' for encryption.
The 'CertificatePolicies' extension is used to assign the certificate to the Certificate Policy: this policy sets out the requirements that need to be met as well as the purposes for which certificates can be created and used within this PKI.
The 'CRLDistributionPoint' extension defines the location at which revocation lists will be provided for verifying certificate validity.
At any one time, certificate authorities can have multiple keys in use with which certificates and revocation lists can be signed. The 'AuthorityKeyIdentifier' extension can be used to distinguish these keys from one another and to ensure that the certificate path is unambiguous. To this end, the certificate issuer and serial number particulars of the CA certificate are used.
The 'SubjectKeyIdentifier' extension enables the identification of a specific public key held by the certificate owner. This corresponds to the information in the 'AuthorityKeyIdentifier' extension and simplifies the correct construction of the certificate path.
The 'SubjectAltName' extension can be used to assign the certificate owner additional alternatives names, such as an e-mail address (rfc822 (Request for Comments #822)). Where necessary, this allows the e-mail client to verify that the sender address of the mail received matches one of the e-mail addresses that are specified in the sender's certificate.
- PCA certificate profile (PCA-1-Verwaltung-03)
- PCS certificate profile (IVBB-CA 2004)
- Subscriber certificate profile
PCA certificate profile
| Certificate field | Content | |
|---|---|---|
| Version | V 3 | |
| Serial number | 01 | |
| Signature algorithm | SHA-1/RSA | |
| Key length | 2048 bits | |
| Issuer | ||
| Common name | CN = PCA-1-Verwaltung | |
| Organisational unit name | ||
| Organisational name | O = PKI-1-Verwaltung | |
| Country name | C = DE | |
| Validity | ||
| Not before | Tuesday, 9 December 2003 10:09:58 | |
| Not after | Tuesday, 8 December 2009 10:06:39 | |
| Subject | ||
| Common name | CN = PCA-1-Verwaltung-03 | |
| Organisational unit name | ||
| Organisational name | O = PKI-1-Verwaltung | |
| Country name | C = DE | |
| Extensions | ||
| Certificate policies | Non-critical | 1.3.6.1.4.1.7924.1.1 |
| CRLDistributionPoint | Non-critical | URL=ldap://x500.bund.de/cn=PCA-1-Verwaltung-03,o=PKI-1-Verwaltung,c=de?certificateRevocationListURL=ldap://x500.bund.de/cgi-bin/show_attr?cn=PCA-1-Verwaltung-03&attr=crl |
| Authority Key Identifier | Non-critical | n/a; ROOT certificate |
| Subject Key Identifier | Non-critical | E40E D411 81CF 376E 3C28 913D 341A B417 4083 4CCA |
| Basic Constraints | Critical | Certificate Authority Path length = none |
| Key Usage | Critical | CertSign, CRLSign |
| Certificate fingerprint | SHA1 | 3411 770A 73A6 5C24 28AC BC72 7580 1C3E 6A95 4E6E |
CA certificate profile
| Certificate field | Content | |
|---|---|---|
| Version | V 3 | |
| Serial number | 196C | |
| Signature algorithm | SHA-1/RSA | |
| Key length | 2048 bits | |
| Issuer | ||
| Common name | CN = PCA-1-Verwaltung-03 | |
| Organisational unit name | ||
| Organisational name | O = PKI-1-Verwaltung | |
| Country name | C = DE | |
| Validity | ||
| Not before | Tuesday, 16 March 2004 15:16:52 | |
| Not after | Thursday, 10 April 2008 15:15:49 | |
| Subject | ||
| Common name | CN = CA IVBB Deutsche Telekom AG 04 | |
| Organisational unit name | OU = Bund | |
| Organisational name | O = PKI-1-Verwaltung | |
| Country name | C = DE | |
| Extensions | ||
| Certificate policies | Non-critical | Policy ID: 1.3.6.1.4.1.7924.1.1 |
| CRLDistributionPoint | Non-critical | URL=ldap://x500.bund.de/cn=PCA-1-Verwaltung-03,o=PKI-1-Verwaltung,c=de?certificateRevocationListURL=ldap://x500.bund.de/cgi-bin/show_attr?cn=PCA-1-Verwaltung&attr=crl |
| Authority Key Identifier | Non-critical | CN=PCA-1-Verwaltung-03, O=PKI-1-Verwaltung, C=de, Certificate serial number: 1 |
| Subject Key Identifier | Non-critical | 6A5E 8BEE DAD4 F135 F6CE 0823 623E 5E1D A2B3 2934 |
| Basic Constraints | Critical | Certificate Authority Path length = 3 |
| Key Usage | Critical | CertSign, CRLSign |
| Certificate fingerprint | SHA1 | 5D2B 70DD 1AB2 CD69 6B4B 1581 5D5D 1318 7289 1FA0 |
Subscriber certificate profile
| Certificate field | Content | |
|---|---|---|
| Version | V 3 | |
| Serial number | 112B | |
| Signature algorithm | SHA-1/RSA | |
| Key length | 1024 bits | |
| Issuer | ||
| Common name | CN = CA IVBB Deutsche Telekom AG 03 | |
| Organisational unit name | OU = Bund | |
| Organisational name | O = PKI-1-Verwaltung | |
| Country name | C = DE | |
| Validity | ||
| Not before | Thursday, 11 September 2003 11:25:37 | |
| Not after | Friday, 12 September 2003 01:59:00 | |
| Subject | ||
| Common name | CN = Jane Doe | |
| E = Jane.Doe@bsi.bund.de | ||
| Organisational unit name | OU = BSI | |
| Organisational name | O = Bund | |
| Country name | C = DE | |
| Extensions | ||
| Certificate policies | Non-critical | 1.3.6.1.4.1.7924.1.1 |
| CRLDistributionPoint | Non-critical | URL=ldap://x500.bund.de/cn=CA IVBB Deutsche Telekom AG 03,ou=Bund,o=PKI-1-Verwaltung,c=de?certificateRevocationList |
| Authority Key Identifier | Non-critical | CN=PCA-1-Verwaltung-02, O=PKI-1-Verwaltung, C=de, Certificate serial number: 3E45 D1C3 |
| Basic Constraints | Critical | None |
| Key Usage | Critical | NonRepudiation, DigitalSignature, KeyEncipherment |
| Certificate fingerprint | SHA1 | 2C2A 83D3 BEE9 790D A1B0 FF28 F134 B5B4 6364 9DFF |
| SubjectAltName | RFC822-Name = Jane.Doe@bsi.bund.de | |
