Certificate Profiles

This section specifies the X.509 version 3 certificate and version 2 certificate revocation list (CRL) profiles for the Federal Public Trust Device PKI Certificate Policy. In cases where the profiles and Section 7 of the Certificate Policy are in conflict, Section 7 takes precedence and is authoritative.

Four certificate profiles are defined under this Certificate Policy: the self-signed root CA certificate, the intermediate or subordinate CA certificate, the server authentication certificate, and the delegated OCSP responder certificate.

In addition, two profiles cover OCSP responses and Certificate Revocation Lists.

Self-Signed Root CA Certificate Profile

Field     Value
Version     v3 (2)
Serial Number     Must be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets
Issuer Signature Algorithm     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name     Unique X.500 Issuing CA DN as specified in Section 7.1.4 of this CP

Example:
cn=US Federal Government Device Root CAx, o=U.S. Government, c=US
where x is required, starts at 1, and is incremented if and when this CA is rekeyed.
Distinguished Name shall conform to PrintableString string type in ASN.1 notation.
Validity Period     Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
No longer than 20 years from date of issue
Subject Distinguished Name     Matches the Issuer DN
Subject Public Key Information     4096 bit modulus, rsaEncryption {1 2 840 113549 1 1 1}
Issuer Signature     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
       
Extension Required Critical Value
subjectInfoAccess Mandatory False id-ad-caRepository (1.3.6.1.5.5.7.48.5)
At least one instance of this access method that includes the URI name form to specify the location of an HTTP accessible location where CA certificates issued by the subject of this certificate may be found. The certificate artifact(s) served by the HTTP accessible location shall be in a BER or DER encoded “certs-only” CMS message as specified in [RFC2797]. This extension is required to assist in monitoring and discovery of, and promote transparency for, the Subordinate/Issuing CAs signed by the Root.
basicConstraints Mandatory True cA=True
Pathlen is not present
Subject Key Identifier Mandatory False Octet String
Derived using the SHA-1 hash of the public key (the value of the subjectPublicKey BIT STRING, RFC 5280 Section 4.2.1.2 method 1)
Key Usage Mandatory True keyCertSign, crlSign
Extended Key Usage     Not present
Certificate Policies     Not present
Subject Alternative Name     Not present
Authority Information Access     Not present
CRL Distribution Points     Not present
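The Go program below is an added example, not part of the Certificate Policy: it builds a root certificate to this profile with the standard library and then checks the result against the rows above, namely serial size in DER octets, 4096-bit RSA with sha256WithRSAEncryption, critical basicConstraints without pathLenConstraint, exactly keyCertSign and cRLSign, an SKI derived by the RFC 5280 method-1 rule (Go computes it that way for CA templates), and a non-critical subjectInfoAccess whose id-ad-caRepository entry is an HTTP URI. The repository URL is a placeholder.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidSubjectInfoAccess, oidCARepository = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}, asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 5}
const caRepositoryURL = "http://repo.example.gov/root/issued.p7c" // hypothetical location of the certs-only CMS

// accessDescription is RFC 5280 AccessDescription; Location is a GeneralName, here a [6] IA5String URI.
type accessDescription struct {
	Method   asn1.ObjectIdentifier
	Location asn1.RawValue
}

func DERIntLen(n *big.Int) int { return n.BitLen()/8 + 1 } // content octets DER needs for a positive INTEGER

// BuildRoot issues a self-signed root per the profile; Go derives the SKI of a CA template with RFC 5280 method 1.
func BuildRoot(key *rsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // 127 CSPRNG bits: positive, > 64 bits
	if err != nil {
		return nil, err
	}
	sia, err := asn1.Marshal([]accessDescription{{Method: oidCARepository,
		Location: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(caRepositoryURL)}}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "US Federal Government Device Root CA1", Organization: []string{"U.S. Government"}, Country: []string{"US"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(20, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  true, // MaxPathLen 0 with MaxPathLenZero false: pathLenConstraint is omitted
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtraExtensions:       []pkix.Extension{{Id: oidSubjectInfoAccess, Value: sia}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // sha256WithRSA for an RSA key
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckRootProfile returns nil if c satisfies the root profile, else the first deviation found.
func CheckRootProfile(c *x509.Certificate) error {
	switch {
	case c.SerialNumber.Sign() <= 0 || DERIntLen(c.SerialNumber) < 8 || DERIntLen(c.SerialNumber) > 20:
		return fmt.Errorf("serial must be positive and occupy 8..20 DER octets")
	case c.SignatureAlgorithm != x509.SHA256WithRSA || c.PublicKeyAlgorithm != x509.RSA || c.PublicKey.(*rsa.PublicKey).N.BitLen() != 4096:
		return fmt.Errorf("sha256WithRSAEncryption signature and a 4096-bit RSA key are required")
	case !bytes.Equal(c.RawSubject, c.RawIssuer) || c.NotAfter.After(c.NotBefore.AddDate(20, 0, 0)):
		return fmt.Errorf("subject must equal issuer and validity must not exceed 20 years")
	case !c.BasicConstraintsValid || !c.IsCA || c.MaxPathLen != -1:
		return fmt.Errorf("basicConstraints must be cA=TRUE with pathLenConstraint absent")
	case c.KeyUsage != x509.KeyUsageCertSign|x509.KeyUsageCRLSign:
		return fmt.Errorf("keyUsage must be exactly keyCertSign and cRLSign")
	}
	sawRepo := false
	for _, e := range c.Extensions {
		switch {
		case e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 19}) || e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15}):
			if !e.Critical { // basicConstraints and keyUsage
				return fmt.Errorf("extension %v must be critical", e.Id)
			}
		case e.Id.Equal(oidSubjectInfoAccess):
			var ads []accessDescription
			if _, err := asn1.Unmarshal(e.Value, &ads); e.Critical || err != nil {
				return fmt.Errorf("subjectInfoAccess must be non-critical and well-formed")
			}
			for _, ad := range ads { // need id-ad-caRepository carrying an HTTP uniformResourceIdentifier
				sawRepo = sawRepo || ad.Method.Equal(oidCARepository) && ad.Location.Class == asn1.ClassContextSpecific &&
					ad.Location.Tag == 6 && bytes.HasPrefix(ad.Location.Bytes, []byte("http://"))
			}
		}
	}
	if !sawRepo {
		return fmt.Errorf("subjectInfoAccess must carry an HTTP id-ad-caRepository URI")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 4096) // 4096-bit modulus as the profile requires
	root, err := BuildRoot(key, time.Now().UTC())
	if err == nil {
		err = CheckRootProfile(root)
	}
	fmt.Println("root profile check:", err) // <nil> when conformant
}
```

Go's x509.Certificate has no field for subjectInfoAccess, so the extension is assembled by hand from the RFC 5280 AccessDescription structure and attached through ExtraExtensions; the same type decodes it again when linting. A root built with a 2048-bit key fails the check, which is the behaviour a lint over foreign certificates should have.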

Intermediate or Subordinate CA Certificate Profile

Field     Value
Version     V3 (2)
Serial Number     Must be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets
Issuer Signature Algorithm     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name     Unique X.500 issuing CA DN as specified in Section 7.1.4 of this CP
Validity Period     Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
No longer than 10 years from date of issue
Subject Distinguished Name     Unique X.500 CA DN as specified in Section 7.1.4 of this CP.
X.500 Distinguished Name of the owner of the subject public key in the certificate. Distinguished Name shall conform to PrintableString string type in ASN.1 notation.
CN value shall not include designations such as “root” or “Root” or other similar designations. DN shall include o=U.S. Government, c=US

Example:
cn=US Federal Device Issuing CA1, o=U.S. Government, c=US

Subject name should be encoded exactly as it is encoded in the issuer field of certificates issued by the subject.
Subject Public Key Information     At least 2048 bit modulus, rsaEncryption {1 2 840 113549 1 1 1}
Issuer Signature     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
       
Extension Required Critical Value
Authority Key Identifier Mandatory False Octet String
Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate
subjectInfoAccess Conditional False Conditional:
1) Not present if the subject CA only issues subscriber certificates
2) Mandatory if the subject CA issues subordinate CA certificates

id-ad-caRepository (1.3.6.1.5.5.7.48.5):
At least one instance of this access method that includes the URI name form to specify the location of an HTTP accessible location where CA certificates issued by the subject of this certificate may be found. The certificate artifact(s) served by the HTTP accessible location shall be in a BER or DER encoded “certs-only” CMS message as specified in [RFC2797]. This extension is required to assist in monitoring and discovery of, and promote transparency for, the Subordinate/Issuing CAs.
basicConstraints Mandatory True cA=True
Pathlen is not present
Subject Key Identifier Mandatory False Octet String
Derived using the SHA-1 hash of the public key (the value of the subjectPublicKey BIT STRING, RFC 5280 Section 4.2.1.2 method 1)
Key Usage Mandatory True Required Key Usage:
keyCertSign and crlSign

Optional Key Usage:
digitalSignature and/or nonRepudiation, if the CA signs OCSP responses directly with its own key
Extended Key Usage Mandatory False This extension is required for a technically constrained subordinate CA (nameConstraints) per Section 7.1.2.2 and Section 7.1.5
Required Extended Key Usage:
Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1}

Optional Extended Key Usage:
Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2}

Any additional EKU shall be included only when subscriber certificates are issued with that EKU, and only if it is consistent with server authentication.
Certificate Policies Mandatory False List of one or more policy OIDs defined or listed in Section 1.2
Subject Alternative Name Optional False  
Authority Information Access Mandatory False Required AIA Fields
OCSP:
Publicly accessible URI of Issuing CA’s OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1}

id-ad-caIssuers:
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
At least one instance of this access method that includes the URI name form to specify the certificate artifacts. The certificate artifact(s) served by the HTTP accessible location shall be in a BER or DER encoded “certs-only” CMS message as specified in [RFC2797]. This extension is required to assist in monitoring and discovery
CRL Distribution Points Mandatory False At least one HTTP URI to the location of a publicly accessible CRL. The reasons and cRLIssuer fields must be omitted.
nameConstraints Mandatory True Only dNSName entries shall be permitted in end entity certificates; iPAddress, rfc822Name (email), directoryName and other name forms shall not be included.
See Section 7.1.5

For IPAddress:
The Subordinate CA Certificate shall specify the entire IPv4 and IPv6 address ranges in excludedSubtrees. The Subordinate CA Certificate shall include within excludedSubtrees an iPAddress GeneralName of 8 zero octets (covering the IPv4 address range of 0.0.0.0/0). The Subordinate CA Certificate shall also include within excludedSubtrees an iPAddress GeneralName of 32 zero octets (covering the IPv6 address range of ::0/0).

For dnsNames:
permittedSubtrees shall contain at least one dNSName. Any additional combination of permitted and excluded subtrees may appear.
If permitted and excluded subtrees overlap, the excluded subtree takes precedence.
dNSName values shall only include names resolvable on the public Internet.
IssuerAltName   False Not present
Subject Directory Attributes   False Not present
Private Extensions Optional False Only extensions that have context for use on the public Internet may be allowed. Private extensions must not cause interoperability issues. CA must be aware of and defend reason for including in the certificate, and use of Private Extensions shall be approved by the Policy Authority.
Private Key Usage Period Optional False  
policyConstraints Optional False  
inhibitAnyPolicy Optional False  
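To show how the nameConstraints rows above behave inside a path validator, the Go program below (an added example, not from the Certificate Policy) issues a root, a subordinate CA constrained to a hypothetical example.gov namespace with both IP universes excluded, and three subscriber certificates, then validates each chain. The 2048-bit CA keys, the domain names and the IP address are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // any key-generation or issuance failure aborts the demo
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent (parent == tmpl for self-signed) with a 127-bit CSPRNG serial.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate: cA=TRUE without pathLenConstraint, keyCertSign+cRLSign; Go signs with sha256WithRSA.
func caTemplate(cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn, Organization: []string{"U.S. Government"}, Country: []string{"US"}},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(years, 0, 0),
		BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// ConstrainedSubCA adds the profile's nameConstraints to an issuing-CA template: critical, at least
// one permitted dNSName, both IP universes excluded (certificatePolicies, AIA and CDP are left out).
func ConstrainedSubCA(permittedDNS []string) *x509.Certificate {
	_, v4all, _ := net.ParseCIDR("0.0.0.0/0") // marshals as 8 zero octets
	_, v6all, _ := net.ParseCIDR("::/0")      // marshals as 32 zero octets
	t := caTemplate("US Federal Device Issuing CA1", 10)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	t.PermittedDNSDomainsCritical, t.PermittedDNSDomains = true, permittedDNS
	t.ExcludedIPRanges = []*net.IPNet{v4all, v6all}
	return t
}

// CheckNameConstraints verifies a parsed subordinate CA against the rules above.
func CheckNameConstraints(c *x509.Certificate) error {
	v4, v6 := false, false
	for _, r := range c.ExcludedIPRanges { // only the all-zero address/mask entries count
		if ones, bits := r.Mask.Size(); ones == 0 && r.IP.IsUnspecified() {
			v4, v6 = v4 || bits == 32, v6 || bits == 128
		}
	}
	switch {
	case !c.PermittedDNSDomainsCritical: // Go copies the extension's critical flag into this field
		return fmt.Errorf("nameConstraints must be present and critical")
	case len(c.PermittedDNSDomains) == 0:
		return fmt.Errorf("permittedSubtrees must contain at least one dNSName")
	case !v4 || !v6:
		return fmt.Errorf("excludedSubtrees must cover 0.0.0.0/0 and ::0/0")
	}
	return nil
}

// RunScenario builds root -> constrained issuing CA -> three subscriber certificates and
// path-validates each. CA keys are 2048-bit for speed; the profile requires 4096 for a root.
func RunScenario() (lint, inScope, outOfScope, ipSAN error) {
	rootKey, subKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootT := caTemplate("US Federal Government Device Root CA1", 20)
	root := must(issue(rootT, rootT, &rootKey.PublicKey, rootKey))
	sub := must(issue(ConstrainedSubCA([]string{"example.gov"}), root, &subKey.PublicKey, rootKey)) // hypothetical domain
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	validate := func(dns string, ips []net.IP) error {
		leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		leaf := must(issue(&x509.Certificate{
			Subject:   pkix.Name{CommonName: dns, Country: []string{"US"}},
			NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, 825),
			KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			DNSNames:  []string{dns}, IPAddresses: ips,
		}, sub, &leafKey.PublicKey, subKey))
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
		return err
	}
	return CheckNameConstraints(sub), validate("device1.example.gov", nil), validate("device1.example.com", nil),
		validate("device2.example.gov", []net.IP{net.ParseIP("203.0.113.5")})
}

func main() {
	lint, a, b, c := RunScenario()
	fmt.Printf("sub CA lint: %v\nin-scope dNSName: %v\nout-of-scope dNSName: %v\niPAddress SAN: %v\n", lint, a, b, c)
}
```

Two details worth knowing when reproducing this with other tooling: net.ParseCIDR("0.0.0.0/0") and "::/0" give exactly the 8- and 32-zero-octet iPAddress encodings the profile calls for, and Go does not surface the constraint failure as its own error type. Verify returns UnknownAuthorityError whose message quotes the intermediate's CertificateInvalidError (reason CANotAuthorizedForThisName), so it is the error text, not the type, that identifies a name-constraint rejection.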

Server Authentication Certificate Profile

This profile for public trust TLS server authentication certificates contains two (2) options for devices: Domain Validation and Organization Validation.

The two options differ in only two (2) places: the Subject Identity Information and the Certificate Policies.

Field or Extension     Domain Validation     Organization Validation
Subject Identity Information     cn=<one domain name>     cn=<one domain name>, st=District of Columbia, o=U.S. Government, c=US
Certificate Policies     Asserts both the CA/B Forum and the US Government policy OID for Domain Validation     Asserts both the CA/B Forum and the US Government policy OID for Organization Validation

Below is the full server authentication certificate profile with all fields and extensions.

Field     Value
Version     V3 (2)
Serial Number     Must be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets
Issuer Signature Algorithm     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name     Unique X.500 Issuing CA DN as specified in Section 7.1.4 of this CP
Validity Period     Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
No longer than 825 days from date of issue
Subject Distinguished Name     Unique X.500 subject DN as specified in Section 7.1.4 of this CP

Geo-political SDNs:
CN (required) MUST contain a Fully-Qualified Domain Name that is one of the values contained in the certificate's subjectAltName extension

Organization Name and State or Province (optional): if present, both organizationName and stateOrProvinceName shall be present; organizationName shall be U.S. Government and stateOrProvinceName shall be District of Columbia.

Country (required) and shall be c=US
Subject Public Key Information     Public key algorithm associated with the public key.
May be either RSA or elliptic curve.
rsaEncryption {1 2 840 113549 1 1 1}
Elliptic curve key {1.2.840.10045.2.1}

Parameters:
For RSA, parameters field is populated with NULL.
For ECC, parameters are specified implicitly through the OID of a NIST-approved curve referenced in SP 800-78-1:
Curve P-256 {1.2.840.10045.3.1.7}
Curve P-384 {1.3.132.0.34}
Curve P-521 {1.3.132.0.35}

For RSA public keys, the modulus must be 2048, 3072, or 4096 bits, an odd integer, not the power of a prime, with no factors < 752. The public exponent e shall be an odd positive integer in the range 2^16+1 <= e <= 2^256-1; the bounds are inclusive, so the customary e = 65537 = 2^16+1 is permitted. (Source: Appendix A, CA/Browser Forum Baseline Requirements, with the NIST FIPS 186-4 clause taken as shall rather than should.)
For ECC, the public key must be at least 224 bits; of the curves listed above, P-256 is the smallest permitted.
Issuer Signature     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
       
Extension Required Critical Value
Authority Key Identifier Mandatory False Octet String
Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate
basicConstraints Mandatory True cA=False (Reference Section 7.1.2.3 sub-part d)
Subject Key Identifier Mandatory False Octet String
Derived using the SHA-1 hash of the public key (the value of the subjectPublicKey BIT STRING) in accordance with RFC 5280 Section 4.2.1.2 method 1
Key Usage Mandatory True Required Key Usage:
digitalSignature

Optional Key Usage:
keyEncipherment for RSA Keys
keyAgreement for Elliptic Curve

Prohibited Key Usage:
keyCertSign and cRLSign
Extended Key Usage Mandatory False Required Extended Key Usage:
Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1}

Optional Extended Key Usage:
Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2}
Additional EKUs may be included that are consistent with Server authentication

Prohibited Extended Key Usage:
anyExtendedKeyUsage {2.5.29.37.0}
all others
Certificate Policies Mandatory False Required Certificate Policy Fields:
At least one certificate policy OID defined or listed in Section 1.2 of the CP

Optional Certificate Policy Fields:
certificatePolicies:policyQualifiers
policyQualifierId id-qt 1
qualifier:cPSuri
Subject Alternative Name Mandatory False Each entry MUST be a dNSName containing a Fully-Qualified Domain Name.
(Reference Section 7.1.4.2.1)
All entries must be validated in accordance with Section 3.2.2.4.
Authority Information Access Mandatory False Required AIA Fields:
OCSP
Publicly accessible URI of Issuing CA’s OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1}

Id-ad-caIssuers
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
At least one instance of this access method shall include the URI name form to specify the certificate artifacts. The certificate artifact(s) served by this HTTP accessible location shall be in a BER or DER encoded “certs-only” CMS message as specified in [RFC2797]. This extension is required to assist in monitoring and discovery and path building.
LDAP access methods shall not be included.
CRL Distribution Points Mandatory False At least one HTTP URI to the location of a publicly accessible CRL. The reasons and cRLIssuer fields must be omitted.
nameConstraints   False Not present
IssuerAltName   False Not present
Subject Directory Attributes   False Not present
Private Extensions Optional False Only extensions that have context for use on the public Internet may be allowed. Private extensions must not cause interoperability issues. CA must be aware of and defend reason for including in the certificate, and use of Private Extensions shall be approved by the Policy Authority.
Private Key Usage Period Optional False  
Transparency Information Mandatory False Transparency Information X.509v3 extension as defined in RFC 6962-bis (OID 1.3.101.75): a TransItemList containing one or more TransItem structures. Must include two or more SCTs or inclusion proofs.
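The Subject Public Key Information rows are the one part of this profile that is algorithmic rather than a field-by-field checklist, so here they are as code. The Go program below is an added example, not from the Certificate Policy: it checks an RSA public key for modulus size, oddness, absence of factors below 752 and a perfect-power test (which catches a prime-power modulus), and applies the exponent range inclusively, as the Baseline Requirements intend, so that e = 65537 is accepted; an EC key is checked against the three listed curves. The sample keys are generated locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// Inclusive exponent bounds from the profile: 2^16+1 and 2^256-1.
var minE, maxE = big.NewInt(65537), new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 256), big.NewInt(1))

// IsPerfectPower reports whether n == r^k for integers r >= 1, k >= 2. A prime power passes the
// odd and small-factor tests but is not a product of two primes, which is what the rule excludes.
func IsPerfectPower(n *big.Int) bool {
	for k := 2; k < n.BitLen(); k++ { // r >= 2 forces 2^k <= n, so k < BitLen
		// Bisection keeps lo^k <= n < hi^k and ends with lo = floor(n^(1/k)).
		lo, hi := big.NewInt(1), new(big.Int).Lsh(big.NewInt(1), uint(n.BitLen()/k+1))
		for new(big.Int).Sub(hi, lo).Cmp(big.NewInt(1)) > 0 {
			mid := new(big.Int).Rsh(new(big.Int).Add(lo, hi), 1)
			if new(big.Int).Exp(mid, big.NewInt(int64(k)), nil).Cmp(n) <= 0 {
				lo = mid
			} else {
				hi = mid
			}
		}
		if new(big.Int).Exp(lo, big.NewInt(int64(k)), nil).Cmp(n) == 0 {
			return true
		}
	}
	return false
}

// CheckRSAPublicKey applies the profile's RSA rules to a public key.
func CheckRSAPublicKey(pub *rsa.PublicKey) error {
	if n := pub.N.BitLen(); n != 2048 && n != 3072 && n != 4096 {
		return fmt.Errorf("modulus is %d bits; must be 2048, 3072 or 4096", n)
	}
	if pub.N.Bit(0) == 0 {
		return fmt.Errorf("modulus must be odd")
	}
	if e := big.NewInt(int64(pub.E)); e.Bit(0) == 0 || e.Cmp(minE) < 0 || e.Cmp(maxE) > 0 {
		return fmt.Errorf("exponent %d must be odd and within [2^16+1, 2^256-1]", pub.E)
	}
	for d := int64(3); d < 752; d += 2 { // no prime factor below 752; odd candidates suffice once N is odd
		if new(big.Int).Mod(pub.N, big.NewInt(d)).Sign() == 0 {
			return fmt.Errorf("modulus has the small factor %d", d)
		}
	}
	if IsPerfectPower(pub.N) {
		return fmt.Errorf("modulus is a perfect power (for example the power of a prime)")
	}
	return nil
}

// CheckECPublicKey accepts only the three NIST curves the profile names; P-256 is the smallest of them.
func CheckECPublicKey(pub *ecdsa.PublicKey) error {
	if n := pub.Curve.Params().Name; n != "P-256" && n != "P-384" && n != "P-521" {
		return fmt.Errorf("curve %q is not permitted", n)
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // e = 65537 = 2^16+1: accepted only because the bound is inclusive
	fmt.Println("generated 2048-bit key:", CheckRSAPublicKey(&key.PublicKey))
	fmt.Println("same modulus, e = 3:", CheckRSAPublicKey(&rsa.PublicKey{N: key.N, E: 3}))
	p, _ := rand.Prime(rand.Reader, 1024)
	fmt.Println("square of a 1024-bit prime:", CheckRSAPublicKey(&rsa.PublicKey{N: new(big.Int).Mul(p, p), E: 65537}))
	p224, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	fmt.Println("P-224 key:", CheckECPublicKey(&p224.PublicKey))
}
```

The trial division runs over every odd candidate below 752 rather than only primes; a composite divisor would already have been caught by one of its prime factors, so the result is the same and no prime table is needed. The perfect-power check costs well under a second for a 4096-bit modulus and is the only part of the rule that cannot be expressed as a single division.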

Delegated OCSP Responder Certificate Profile

Field     Value
Version     V3 (2)
Serial Number     Must be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets
Issuer Signature Algorithm     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name     Distinguished Name of the Issuing CA for the OCSP responder certificate
Validity Period     Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
No longer than 45 days from date of issue.
Target: a new responder certificate is issued every 30 days with a 15-day overlap, so each renewed certificate expires 30 days after the previous one.
The responder key pair is replaced (rekeyed) at least every 3 years.
Subject Distinguished Name     Unique X.500 subject DN as specified in Section 7.1.4 of this CP. The CN must identify the subject as an OCSP responder.

Organization Name (required) and shall contain U.S. Government (o=U.S. Government)

Country (required) and shall be c=US

(Each RDN in the X.500 DN is encoded as PrintableString where possible and contains a single attribute type and value.)
Subject Public Key Information     rsaEncryption {1 2 840 113549 1 1 1}
For RSA, parameters field is populated with NULL.
The modulus must be 2048, 3072, or 4096 bits, an odd integer, not the power of a prime, with no factors < 752. The public exponent e shall be an odd positive integer in the range 2^16+1 <= e <= 2^256-1; the bounds are inclusive, so the customary e = 65537 is permitted. (Source: Appendix A, CA/Browser Forum Baseline Requirements, with the NIST FIPS 186-4 clause taken as shall rather than should.)
Issuer Signature     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
       
Extension Required Critical Value
Authority Key Identifier Mandatory False Octet String
Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate
basicConstraints   False Not Present
Subject Key Identifier Mandatory False Octet String
20-byte SHA-1 hash of the OCSP responder public key, computed over the value of the subjectPublicKey BIT STRING (excluding tag, length and unused-bits octet) in accordance with RFC 5280 Section 4.2.1.2 method 1
Key Usage Mandatory True Required Key Usage:
digitalSignature

Prohibited Key Usage:
All others
id-pkix-ocsp-nocheck {1.3.6.1.5.5.7.48.1.5} Mandatory False Null
Extended Key Usage Mandatory True Required Extended Key Usage:
id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9}

Prohibited Extended Key Usage:
All others, including anyExtendedKeyUsage {2.5.29.37.0}
Certificate Policies Mandatory False Required Certificate Policy Fields:
At least one certificate policy OID defined or listed in Section 1.2 of the CP. Must include all the certificate policy OIDs for all certificates issued by the Issuing CA and covered by the OCSP responses.

Optional Certificate Policy Fields:
certificatePolicies:policyQualifiers
policyQualifierId id-qt 1
qualifier:cPSuri
Subject Alternative Name Optional False If present, each entry shall be a dNSName containing the Fully-Qualified Domain Name of an OCSP responder.
Authority Information Access Mandatory False Required AIA Fields:

Id-ad-caIssuers
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
At least one instance of this access method shall include the URI name form to specify the certificate artifact(s). The certificate artifact(s) served by this HTTP accessible location shall be in a BER or DER encoded “certs-only” CMS message as specified in [RFC2797]. This extension is required to assist in monitoring and discovery and path building.
CRL Distribution Points   False Not present
IssuerAltName   False Not present
Subject Directory Attributes   False Not present
Private Extensions   False Not present
Private Key Usage Period Optional False  
nameConstraints   False Not present
Policy Mapping   False Not present
Policy Constraints   False Not present

OCSP Response Profile

OCSP Responders under this profile are expected to operate using the pre-produced (static) response model described in RFC 6960 Section 2.5, and therefore do not support the nonce extension: a client that sends a nonce receives a response without one and must judge freshness from thisUpdate and nextUpdate. See RFC 6960 for detailed OCSP response syntax.

Field Value
Response Status As specified in RFC 6960
Response Type id-pkix-ocsp-basic {1.3.6.1.5.5.7.48.1.1}
Version V1 (0x0)
Responder ID By Key (identical to the subjectKeyIdentifier of the responder certificate)
Produced At The time at which the response was encoded and signed
Responses Sequence of one or more Single Response as further specified below
Signature Algorithm sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Certificates Most recent certificate issued to the OCSP Responder by the CA identified by the issuerNameHash and issuerKeyHash in the Single Responses included in the response
Extension Required Critical Value
Nonce Not Supported N/A Nonce is not supported

Single Response

Field Value
CertID hashAlgorithm SHALL be SHA-1 {1.3.14.3.2.26}
The issuerKeyHash and issuerNameHash pair must be identical within all Single Responses appearing in an OCSP Response
Certificate Status Determined by CRL
If revoked, revocationReason is included if present on the CRL
This Update Identical to the thisUpdate of the CRL used for determining revocation status
Next Update Before or identical to the nextUpdate field of the CRL used for determining revocation status
Single Extensions Optional:
Transparency Information X.509v3 Extension {1 3 101 75}

CRL Profile

Field     Value
Version     V2 (1)
Issuer Signature Algorithm     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name     Distinguished Name of the CA Issuer
thisUpdate     Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
See Section 4.9.7 for publishing intervals.
nextUpdate     Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
See Section 4.9.7 for validity period intervals.
Revoked Certificates List     Zero or more entries, each a 2-tuple of certificate serial number and revocation date (expressed as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter)
Issuer Signature     sha256WithRSAEncryption {1 2 840 113549 1 1 11}
       
CRL Extension Required Critical Value
CRL Number Mandatory False Monotonically increasing integer (never repeated)
Authority Key Identifier Mandatory False Octet String: Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate
       
CRL Entry Extension Required Critical Value
Reason Code Mandatory False Must be included when the reason is keyCompromise or cACompromise
Hold Instruction   False Not present
Issuing Distribution Point   False Not present
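The OCSP Single Response profile and the CRL profile describe one pipeline: the responder answers from the CRL, copying its thisUpdate and bounding nextUpdate by it. The Go program below is an added example, not from the Certificate Policy: it issues a CRL with cRLNumber, AKI and a per-entry reasonCode from an ad-hoc issuing CA, checks it against the CRL profile rows, and derives the single-response fields (CertID hashes, status, reason, thisUpdate/nextUpdate) for a given serial. It stops short of encoding a BasicOCSPResponse, which the standard library does not provide. The CA name, serials and intervals are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21}

func must[T any](v T, err error) T { // any setup failure aborts the demo
	if err != nil {
		panic(err)
	}
	return v
}

// ReasonCode builds the reasonCode CRL entry extension (RFC 5280 CRLReason: 1 keyCompromise, 2 cACompromise, ...).
func ReasonCode(reason int) pkix.Extension {
	val, _ := asn1.Marshal(asn1.Enumerated(reason)) // marshalling an int cannot fail
	return pkix.Extension{Id: oidReasonCode, Value: val}
}

// SingleResponse is the OCSP SingleResponse content the profile derives from a CRL.
type SingleResponse struct {
	IssuerNameHash, IssuerKeyHash     []byte    // CertID hashes, SHA-1 as the profile requires
	Revoked                           bool
	Reason                            int       // -1 when the CRL entry carries no reasonCode
	RevokedAt, ThisUpdate, NextUpdate time.Time // the last two are copied from the CRL
}

// CheckCRLProfile verifies the fields the CRL profile fixes, then the signature.
func CheckCRLProfile(crl *x509.RevocationList, issuer *x509.Certificate) error {
	switch {
	case crl.Number == nil || crl.Number.Sign() <= 0:
		return fmt.Errorf("cRLNumber must be a positive integer")
	case crl.SignatureAlgorithm != x509.SHA256WithRSA:
		return fmt.Errorf("signature must be sha256WithRSAEncryption")
	case !bytes.Equal(crl.AuthorityKeyId, issuer.SubjectKeyId) || !bytes.Equal(crl.RawIssuer, issuer.RawSubject):
		return fmt.Errorf("AKI and issuer name must match the issuing CA certificate")
	case crl.NextUpdate.Before(crl.ThisUpdate):
		return fmt.Errorf("nextUpdate precedes thisUpdate")
	}
	return crl.CheckSignatureFrom(issuer)
}

// StatusFromCRL derives the single response for serial: status and reason from the CRL entry,
// thisUpdate/nextUpdate copied from the CRL. issuerKeyHash is SHA-1 of the issuer's subjectPublicKey
// BIT STRING, which the profile also fixes as the issuer's SKI, so the SKI is reused here.
func StatusFromCRL(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) SingleResponse {
	nameHash := sha1.Sum(issuer.RawSubject)
	sr := SingleResponse{IssuerNameHash: nameHash[:], IssuerKeyHash: issuer.SubjectKeyId,
		Reason: -1, ThisUpdate: crl.ThisUpdate, NextUpdate: crl.NextUpdate}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		sr.Revoked, sr.RevokedAt = true, rc.RevocationTime
		for _, e := range rc.Extensions {
			var reason asn1.Enumerated
			if _, err := asn1.Unmarshal(e.Value, &reason); e.Id.Equal(oidReasonCode) && err == nil {
				sr.Reason = int(reason)
			}
		}
	}
	return sr
}

// Demo issues an ad-hoc issuing CA (2048-bit key for speed) and a CRL with two entries; Go adds
// cRLNumber and the AKI, the reasonCode entry extension comes from ReasonCode. Both are returned parsed.
func Demo() (*x509.RevocationList, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))), // 127-bit CSPRNG serial
		Subject:      pkix.Name{CommonName: "US Federal Device Issuing CA1", Organization: []string{"U.S. Government"}, Country: []string{"US"}},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	now := time.Now().UTC().Truncate(time.Second)
	crl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(0x1001), RevocationTime: now.Add(-time.Hour), Extensions: []pkix.Extension{ReasonCode(1)}}, // keyCompromise
			{SerialNumber: big.NewInt(0x1002), RevocationTime: now.Add(-2 * time.Hour)},                                    // no reason asserted
		}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crl, ca, key)))), ca
}

func main() {
	crl, ca := Demo()
	fmt.Printf("CRL profile: %v\nrevoked: %+v\ngood: %+v\n", CheckCRLProfile(crl, ca),
		StatusFromCRL(crl, ca, big.NewInt(0x1001)), StatusFromCRL(crl, ca, big.NewInt(0x2000)))
}
```

Because every single response for one issuer shares the same issuerNameHash/issuerKeyHash pair and the same CRL-derived thisUpdate, a responder built this way cannot answer with a fresher time than the CRL it read; that is the trade-off of the pre-produced model, and the reason the nextUpdate of the response must not extend past the CRL's.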