Certificate Profiles

The certificate profiles are included as Appendix D in the Certificate Policy. This page directly references Appendix D content.

This section specifies the X.509 version 3 certificate profiles, version 2 Certificate Revocation List (CRL) profile, and Online Certificate Status Protocol (OCSP) Response profile for the U.S. Federal Public Trust TLS PKI Certificate Policy. In cases where the profiles and Section 7 of this CP are in conflict, Section 7 takes precedence and is authoritative.

Certificates issued under this policy are categorized as CA Certificates or Subscriber Certificates. This Certificate Policy defines five (5) different types of certificates (See Section 1.1.3) and four associated certificate profiles.

Category | Certificate Type | Profile
CA Certificate | Root CA Certificate | Self-Signed Root CA Certificate Profile
CA Certificate | Subordinate CA Certificate | Subordinate CA Certificate Profile
Subscriber Certificate | Domain Validation TLS Server Authentication Certificates | Server Authentication Certificate Profile
Subscriber Certificate | Organization Validation TLS Server Authentication Certificates | Server Authentication Certificate Profile
Subscriber Certificate | Delegated OCSP Responder Certificates | Delegated OCSP Responder Certificate Profile

There are two profiles covering the Certificate Revocation Lists and OCSP Responses.

Type | Profile
Certificate Revocation Lists | CRL Profile
Online Certificate Status Protocol (OCSP) Responses | OCSP Response Profile

Self-Signed Root CA Certificate Profile

Field | Value and Requirements
Serial Number | Serial number shall be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets.
Issuer Signature Algorithm | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name | Root CA Certificate Issuer Distinguished Name (DN) shall be a unique X.500 DN as specified in Section 7.1.4 of this CP. Distinguished Name shall conform to PrintableString string type in ASN.1 notation.

The Root CA Certificate DN shall be:
cn=US Federal TLS Root CAx, o=U.S. Government, c=US
where “x” is not used for the first Root CA certificate name and is a numeric value that starts at 2 and increments by 1 for any future Root CA certificate Common Names (cn). All non-production Root CA DNs shall include “Test” in the Common Name (cn). A non-production DN example is:
cn=US Federal Test TLS Root CA, o=U.S. Government, c=US

Validity Period | Validity Period dates shall be encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter.
Validity Period shall be no longer than 20 years from date of issue.
Subject Distinguished Name | Subject Distinguished Name (DN) shall match the Issuer DN.
Subject Public Key Information | 4096 bit modulus, rsaEncryption {1 2 840 113549 1 1 1}
Issuer Signature | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Extension | Required | Critical | Value and Requirements
subjectInfoAccess | Mandatory | False | id-ad-caRepository (1.3.6.1.5.5.7.48.5):
At least one instance of this access method shall be included. All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing a BER or DER encoded “certs-only” CMS message as specified in [RFC5272].
basicConstraints | Mandatory | True | cA=True
The pathLenConstraint field shall not be present.
subjectKeyIdentifier | Mandatory | False | Octet String
Derived using SHA-1 hash of the public key.
keyUsage | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set.

Subordinate CA Certificate Profile

Field | Value
Serial Number | Serial number shall be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets.
Serial numbers shall be non-sequential.
Issuer Signature Algorithm | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name | Unique X.500 issuing CA DN as specified in Section 7.1.4 of this CP
Validity Period | Validity Period dates shall be encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter.
Validity Period shall be no longer than 10 years from date of issue.
Subject Distinguished Name | Subordinate CA Certificate Subject Distinguished Name (DN) shall be a unique X.500 DN as specified in Section 7.1.4 of this CP. Distinguished Name shall conform to PrintableString string type in ASN.1 notation.

The Subordinate CA Certificate DN shall be of the following format:
cn=US Federal TLS CAx, o=U.S. Government, c=US
Where x starts at 1 and is incremented by 1 for each Subordinate CA signed by the Root CA.

All other attributes, for the CA Certificate Subject fields, shall not be included.

Non-production Subordinate CAs signed by non-production Root CA certificates shall include “Test” in the DN.
A non-production DN example is:
cn=US Federal Test TLS CA1, o=U.S. Government, c=US

Subject name shall be encoded exactly as it is encoded in the issuer field of certificates issued by the subject.
Subject Public Key Information | At least 2048 bit modulus, rsaEncryption {1 2 840 113549 1 1 1}
Issuer Signature | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Extension | Required | Critical | Value and Requirements
authorityKeyIdentifier | Mandatory | False | Octet String
Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Shall match SKI of issuing CA.
basicConstraints | Mandatory | True | cA=True
The pathLenConstraint field shall be present and set to zero (0).
subjectKeyIdentifier | Mandatory | False | Octet String
Derived using SHA-1 hash of the public key.
keyUsage | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set.
If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set.
extKeyUsage | Mandatory | False | This extension is required for technically constrained nameConstraints per Section 7.1.2.2 and Section 7.1.5.
Required Extended Key Usage:
Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1}

Optional Extended Key Usage:
Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2}

Other values may be present consistent with use for server authentication, with approval by the FPKIPA.
certificatePolicies | Mandatory | False | See Section 7.1.6.3. At least one US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA.
subjectAltName | Optional | False |
authorityInformationAccess | Mandatory | False | OCSP:
Publicly accessible URI of Issuing CA’s OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1}
At least one instance of the OCSP responder access method shall be included. All instances of this access method shall include the HTTP URI name form.

id-ad-caIssuers:
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272].
cRLDistributionPoints | Mandatory | False | At least one instance shall be included and shall specify an HTTP URI to the location of a publicly accessible CRL. All URIs included shall be publicly accessible and shall specify the HTTP protocol only. The reasons and cRLIssuer fields shall be omitted.
nameConstraints | Mandatory | True | See Section 7.1.5.
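
As an added example (not taken from the Certificate Policy), the following Python models the naming rules and the basicConstraints, keyUsage and extKeyUsage requirements of the Root and Subordinate CA profiles above. It parses the comma-separated DN strings the profiles use, classifies a DN as a production or test Root or Subordinate CA name together with its index (the first Root CA, which carries no digit, is reported as index 1), and lists the constraint violations for a CA of the given kind. The `parse_dn`, `classify_ca_dn` and `check_ca_constraints` names, the attribute-set model and the sample DNs are assumptions of this example.

```python
# Added example: CA naming and constraint checks from the Root and Subordinate
# CA profiles. parse_dn, classify_ca_dn and check_ca_constraints are
# assumptions of this example, not part of the Certificate Policy.
from __future__ import annotations

import re
from typing import Optional

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Root: "US Federal TLS Root CA" for the first root, then "Root CA2", "Root CA3", ...
# Subordinate: "US Federal TLS CA1", "CA2", ... (numbering starts at 1).
# Non-production names carry "Test" after "US Federal".
ROOT_CN = re.compile(r"^US Federal (?P<test>Test )?TLS Root CA(?P<n>[2-9]|[1-9]\d+)?$")
SUB_CN = re.compile(r"^US Federal (?P<test>Test )?TLS CA(?P<n>[1-9]\d*)$")


def parse_dn(dn: str) -> dict[str, str]:
    """Split the comma-separated DN strings used on this page into attributes.

    Deliberately simple: no escaped commas, one value per attribute type.
    """
    attrs: dict[str, str] = {}
    for rdn in dn.split(","):
        typ, sep, val = rdn.strip().partition("=")
        if not (sep and typ and val):
            raise ValueError(f"malformed RDN {rdn.strip()!r}")
        if typ.lower() in attrs:
            raise ValueError(f"duplicate attribute type {typ!r}")
        attrs[typ.lower()] = val
    return attrs


def classify_ca_dn(dn: str) -> tuple[str, bool, int]:
    """Return (kind, production, index) for a DN that follows the CA profiles.

    kind is "root" or "subordinate"; the first Root CA carries no digit and is
    reported as index 1. Any DN that does not follow the profiles raises ValueError.
    """
    attrs = parse_dn(dn)
    if set(attrs) != {"cn", "o", "c"}:
        raise ValueError("CA subject must contain exactly cn, o and c")
    if attrs["o"] != "U.S. Government" or attrs["c"] != "US":
        raise ValueError("o must be U.S. Government and c must be US")
    m = ROOT_CN.match(attrs["cn"])
    if m:
        return "root", m.group("test") is None, int(m.group("n") or 1)
    m = SUB_CN.match(attrs["cn"])
    if m:
        return "subordinate", m.group("test") is None, int(m.group("n"))
    raise ValueError(f"cn {attrs['cn']!r} matches neither CA naming pattern")


def check_ca_constraints(kind: str, path_len: Optional[int],
                         key_usage: set[str], ext_key_usage: set[str]) -> list[str]:
    """basicConstraints, keyUsage and extKeyUsage rules for a CA of the given kind."""
    problems = []
    missing = sorted({"keyCertSign", "cRLSign"} - key_usage)
    if missing:
        problems.append(f"keyUsage must assert {missing}")
    if kind == "root":
        if path_len is not None:
            problems.append("Root CA basicConstraints must omit pathLenConstraint")
    else:
        if path_len != 0:
            problems.append("Subordinate CA pathLenConstraint must be present and zero")
        if ID_KP_SERVER_AUTH not in ext_key_usage:
            problems.append("Subordinate CA extKeyUsage must include id-kp-serverAuth")
    return problems


if __name__ == "__main__":
    for dn in ("cn=US Federal TLS Root CA, o=U.S. Government, c=US",
               "cn=US Federal Test TLS CA1, o=U.S. Government, c=US"):
        print(dn, "->", classify_ca_dn(dn))
    print(check_ca_constraints("subordinate", None, {"keyCertSign"}, set()))
```

The regular expressions encode the two numbering rules exactly: `Root CA1` is rejected because the first Root CA carries no number, and `CA0` is rejected because Subordinate CA numbering starts at 1.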

Server Authentication Certificate Profile

This profile for Server Authentication Certificates covers two (2) certificate types: Domain Validation and Organization Validation.

There are two (2) differences in the certificate profile implementation between Domain Validation and Organization Validation: the Subject Identity Information and the Certificate Policies.

Field or Extension | Domain Validation | Organization Validation
Subject Identity Information | cn=<one domain name>[,c=US] | cn=<one domain name>,S=District of Columbia,O=U.S.Government,c=US
Certificate Policies | Asserts both the US Government and CAB Forum policy OIDs for Domain Validation | Asserts both the US Government and CAB Forum policy OIDs for Organization Validation

Below is the full server authentication certificate profile with all fields and extensions.

Field | Value and Requirements
Serial Number | Serial number shall be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets.
Serial numbers shall be non-sequential.
Issuer Signature Algorithm | sha256WithRSAEncryption {1.2.840.113549.1.1.11}
Issuer Distinguished Name | Unique X.500 Issuing CA DN as specified in Section 7.1.4 of this CP
Validity Period | Validity Period dates shall be encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter.
Validity Period shall be no longer than 395 days from date of issue.
Subject Distinguished Name | Geo-political SDNs:
CN (required) shall contain a Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension

Organization Name and State or Province (optional): if present, shall contain both Organization Name and State or Province. organizationName shall be U.S. Government, and stateOrProvinceName shall be District of Columbia.

Country (required): shall be c=US.
All other attributes, for the subject field, shall not be included.
Subject Public Key Information | Public key algorithm associated with the public key.
May be either RSA or Elliptic curve.
rsaEncryption {1.2.840.113549.1.1.1}
Elliptic curve key {1.2.840.10045.2.1}

Parameters:
For RSA, parameters field is populated with NULL.
For ECC, parameters are specified implicitly through an OID associated with a NIST approved curve referenced in 800-78-1:
Curve P-256 {1.2.840.10045.3.1.7}
Curve P-384 {1.3.132.0.34}
Curve P-521 {1.3.132.0.35}

For RSA public keys, modulus must be 2048, 3072, or 4096 bits. Public exponent e shall be an odd positive integer such that 2^16+1 <= e < 2^256-1.
Issuer Signature | sha256WithRSAEncryption {1.2.840.113549.1.1.11}
Extension | Required | Critical | Value and Requirements
Authority Key Identifier | Mandatory | False | Octet String
Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate.
basicConstraints | Mandatory | True | cA=False
Subject Key Identifier | Mandatory | False | Octet String
Derived using SHA-1 hash of the public key in accordance with RFC 5280.
Key Usage | Mandatory | True | Required Key Usage:
digitalSignature

Optional Key Usage:
keyEncipherment for RSA Keys
keyAgreement for Elliptic Curve

Prohibited Key Usage:
keyCertSign and cRLSign
Extended Key Usage | Mandatory | False | Required Extended Key Usage:
Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1}

Optional Extended Key Usage:
Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2}

Prohibited Extended Key Usage:
anyExtendedKeyUsage (anyEKU) {2.5.29.37.0}
all others
Certificate Policies | Mandatory | False | Required Certificate Policy Fields:
See Section 7.1.6.4. One US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements.

Optional Certificate Policy Fields:
certificatePolicies:policyQualifiers
policyQualifierId id-qt 1
qualifier:cPSuri
Subject Alternative Name | Mandatory | False | This extension shall contain at least one entry. Each entry shall be a dNSName containing the Fully-Qualified Domain Name of a server. This extension shall not include any Internal Name values.
All entries shall be validated in accordance with Section 3.2.2.4.
Authority Information Access | Mandatory | False | Required AIA Fields:
OCSP
Publicly accessible URI of Issuing CA’s OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1}

id-ad-caIssuers
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272].
CRL Distribution Points | Mandatory | False | At least one HTTP URI to the location of a publicly accessible, full and complete CRL. The reasons and cRLIssuer fields must be omitted.
Private Extensions | Optional | False | Only extensions that have context for use on the public Internet are allowed. Private extensions must not cause interoperability issues. The CA must be aware of, and able to defend, the reason for including them in the certificate, and use of Private Extensions shall be approved by the FPKI Policy Authority.
Transparency Information | Mandatory | False | Must include two or more SCTs or inclusion proofs.
From RFC 6962, contains one or more “TransItem” structures in a “TransItemList”.
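
A conformance checker for the server authentication profile, written here as an added example rather than taken from the CP: it works on already-parsed certificate fields (the `ParsedCert` record assumed below), so it needs no DER parser, and covers the serial number octet bounds, the 395-day validity limit, the cA flag, the key usage and extended key usage rules, the commonName-to-subjectAltName relationship and the subject attribute rules. `der_integer_octets` counts the content octets of the DER INTEGER, which is how the 8-to-20 octet rule applies (a 64-bit value with its top bit set occupies 9 octets once DER prepends the 0x00). `time_encoding` returns the UTCTime/GeneralizedTime choice stated in every profile on this page. The two sample certificates, the domain names and the serial numbers are constructed for the example, and the Internal Name check is a deliberate approximation.

```python
# Added example: profile checks on already-parsed certificate fields.
# ParsedCert and the check functions are assumptions of this example.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
MAX_SERVER_VALIDITY = timedelta(days=395)

def der_integer_octets(n: int) -> int:
    """Content octets of the DER INTEGER for positive n. DER prepends 0x00 when
    the top bit of the first octet is set, so 2**63 takes 9 octets, not 8."""
    if n <= 0:
        raise ValueError("certificate serial numbers are positive")
    return n.bit_length() // 8 + 1

def check_serial(serial: int) -> list[str]:
    """Positive, at least 8 octets (64 bits) and at most 20 octets, as encoded."""
    if serial <= 0:
        return ["serial number must be a positive integer"]
    octets = der_integer_octets(serial)
    problems = []
    if octets < 8:
        problems.append(f"serial number encodes to {octets} octets; minimum is 8 (64 bits)")
    if octets > 20:
        problems.append(f"serial number encodes to {octets} octets; maximum is 20")
    return problems

def time_encoding(t: datetime) -> str:
    """UTCTime through 2049, GeneralizedTime thereafter, as every profile here states."""
    return "UTCTime" if t.year <= 2049 else "GeneralizedTime"

@dataclass
class ParsedCert:
    serial: int
    not_before: datetime
    not_after: datetime
    subject: dict[str, str]    # attribute type -> value, e.g. {"CN": ..., "C": "US"}
    key_usage: set[str]        # asserted keyUsage bit names
    ext_key_usage: set[str]    # extKeyUsage OIDs in dotted form
    san_dns: list[str]         # dNSName entries of subjectAltName
    is_ca: bool                # basicConstraints cA

def check_server_cert(cert: ParsedCert) -> list[str]:
    """Return the profile rules the certificate breaks (empty list if it conforms)."""
    problems = check_serial(cert.serial)
    if cert.not_after - cert.not_before > MAX_SERVER_VALIDITY:
        problems.append("validity period exceeds 395 days from date of issue")
    if cert.is_ca:
        problems.append("basicConstraints cA must be False")
    if "digitalSignature" not in cert.key_usage:
        problems.append("keyUsage must assert digitalSignature")
    problems += [f"keyUsage must not assert {b}" for b in ("keyCertSign", "cRLSign") if b in cert.key_usage]
    if ID_KP_SERVER_AUTH not in cert.ext_key_usage:
        problems.append("extKeyUsage must include id-kp-serverAuth")
    for oid in sorted(cert.ext_key_usage - {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH}):
        label = "anyExtendedKeyUsage" if oid == ANY_EXTENDED_KEY_USAGE else oid
        problems.append(f"extKeyUsage must not include {label}")
    if not cert.san_dns:
        problems.append("subjectAltName must contain at least one dNSName")
    for name in cert.san_dns:
        # Crude stand-in for the Internal Name prohibition: a single-label name
        # has no dot. Real validation follows Section 3.2.2.4.
        if "." not in name.strip("."):
            problems.append(f"subjectAltName entry {name!r} is not a fully-qualified domain name")
    cn = cert.subject.get("CN")
    if cn is None:
        problems.append("subject must contain a commonName")
    elif cn not in cert.san_dns:
        problems.append("subject commonName must be one of the subjectAltName dNSName values")
    if cert.subject.get("C") != "US":
        problems.append("subject countryName must be US")
    has_o, has_st = "O" in cert.subject, "ST" in cert.subject
    if has_o != has_st:
        problems.append("organizationName and stateOrProvinceName must be present together")
    if has_o and cert.subject["O"] != "U.S. Government":
        problems.append("organizationName must be U.S. Government")
    if has_st and cert.subject["ST"] != "District of Columbia":
        problems.append("stateOrProvinceName must be District of Columbia")
    extra = sorted(set(cert.subject) - {"CN", "O", "ST", "C"})
    if extra:
        problems.append(f"subject must not contain {extra}")
    return problems

# Constructed samples: an Organization Validation certificate that follows the
# profile, and one that breaks several rules at once.
ISSUED = datetime(2024, 3, 1, tzinfo=timezone.utc)
OV_CERT = ParsedCert(
    serial=0x1F3C9A7E52B04D11A6,   # 9 content octets when DER encoded
    not_before=ISSUED, not_after=ISSUED + timedelta(days=365),
    subject={"CN": "www.example.gov", "ST": "District of Columbia", "O": "U.S. Government", "C": "US"},
    key_usage={"digitalSignature", "keyEncipherment"}, ext_key_usage={ID_KP_SERVER_AUTH},
    san_dns=["www.example.gov", "example.gov"], is_ca=False)
BAD_CERT = ParsedCert(
    serial=4711,                    # only 2 content octets
    not_before=ISSUED, not_after=ISSUED + timedelta(days=730),
    subject={"CN": "www.example.gov", "C": "US", "L": "Washington"},
    key_usage={"digitalSignature", "keyCertSign"}, ext_key_usage={ID_KP_SERVER_AUTH, ANY_EXTENDED_KEY_USAGE},
    san_dns=["www.example.gov", "intranet"], is_ca=False)

if __name__ == "__main__":
    for label, cert in (("OV_CERT", OV_CERT), ("BAD_CERT", BAD_CERT)):
        print(label, check_server_cert(cert) or "conforms")
```

The checker reports every violation rather than stopping at the first, which is what a pre-issuance lint or a post-issuance audit over a CA's issued population needs; `BAD_CERT` trips six rules at once (serial length, validity, keyCertSign, anyExtendedKeyUsage, a single-label SAN entry and a stray locality attribute).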

Delegated OCSP Responder Certificate Profile

Field | Value and Requirements
Version | V3 (2)
Serial Number | Must be a unique positive integer with a minimum of 64 bits (minimum of 8 octets), not to exceed 20 octets.
Issuer Signature Algorithm | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name | Distinguished Name of the Issuing CA for the OCSP responder certificate
Validity Period | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter.
No longer than 45 days from date of issue.
Subject Distinguished Name | Unique X.500 CA DN as specified in Section 7.1.4 of this CP. The commonName (CN) shall include an indicator that the certificate subject is an OCSP Responder.

Organization Name (required): shall contain U.S. Government (o=U.S. Government).

Country (required): shall be c=US.

Each X.500 DN is a printableString where possible and contains a single attribute type and attribute value tuple.
Example: cn=OCSP Signing Certificate 1, o=U.S. Government, c=US
Subject Public Key Information | rsaEncryption {1 2 840 113549 1 1 1}
For RSA, parameters field is populated with NULL.
For RSA public keys, modulus shall be 2048, 3072, or 4096 bits. Public exponent e shall be an odd positive integer such that 2^16+1 <= e < 2^256-1.
Issuer Signature | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Extension | Required | Critical | Value and Requirements
Authority Key Identifier | Mandatory | False | Octet String
Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate.
Subject Key Identifier | Mandatory | False | Octet String
20 byte SHA-1 hash of the binary DER encoding of the OCSP responder public key in accordance with RFC 5280.
Key Usage | Mandatory | True | Required Key Usage:
digitalSignature

Prohibited Key Usage:
All others
id-pkix-ocsp-nocheck {1.3.6.1.5.5.7.48.1.5} | Mandatory | False | Null
Extended Key Usage | Mandatory | True | Required Extended Key Usage:
id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9}

Prohibited Extended Key Usage:
All others, including anyExtendedKeyUsage (anyEKU) {2.5.29.37.0}
Certificate Policies | Mandatory | False | Required Certificate Policy Fields:
See Section 7.1.6.4. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA and covered by the OCSP responses.

Optional Certificate Policy Fields:
certificatePolicies:policyQualifiers
policyQualifierId id-qt 1
qualifier:cPSuri
Authority Information Access | Optional | False | Required AIA Fields:

Id-ad-caIssuers
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272].

CRL Profile

Field | Value and Requirements
Version | V2 (1)
Issuer Signature Algorithm | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Issuer Distinguished Name | Distinguished Name of the CA Issuer
thisUpdate | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter.
See Section 4.9.7 for publishing intervals.
nextUpdate | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter.
See Section 4.9.7 for validity period intervals.
Revoked Certificates List | 0 or more 2-tuples of certificate serial number and revocation date (expressed in UTCTime for dates until end of 2049 and GeneralizedTime for dates thereafter)
Issuer Signature | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
CRL Extension | Required | Critical | Value
CRL Number | Mandatory | False | Monotonically increasing integer (never repeated)
Authority Key Identifier | Mandatory | False | Octet String: Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Shall match SKI of issuing CA Certificate.
CRL Entry Extension | Required | Critical | Value
Reason Code | Optional | False | Shall be included when reason code is equal to key compromise or CA compromise
Invalidity Date | Optional | False |

OCSP Response Profile

OCSP Responders under this profile are expected to operate using the Static Response model described in RFC 6960 and thus will not support nonce.

Field | Value and Requirements
Response Status | As specified in RFC 6960
Response Type | id-pkix-ocsp-basic {1.3.6.1.5.5.7.48.1.1}
Version | V1 (0x0)
Responder ID | By Key
Identical to subject key identifier in Responder Certificate
Produced At | The time at which the response was encoded and signed
Responses | Sequence of one or more Single Response as specified below
Signature Algorithm | sha256WithRSAEncryption {1 2 840 113549 1 1 11}
Certificates | Most recent certificate issued to the OCSP Responder by the CA identified by the issuerNameHash and issuerKeyHash in the Single Responses included in the response
Extension | Required | Critical | Value and Requirements
Nonce | Not Supported | N/A | Nonce is not supported

Single Response

Field | Value and Requirements
CertID | hashAlgorithm SHALL be SHA1
The issuerKeyHash and issuerNameHash pair must be identical within all Single Responses appearing in an OCSP Response
Certificate Status | Determined by CRL
If revoked, revocationReason is included if present on the CRL
This Update | Identical to the thisUpdate of the CRL used for determining revocation status
Next Update | Before or identical to the nextUpdate field of the CRL used for determining revocation status
Single Extensions | Optional:
Transparency Information X.509v3 Extension {1 3 101 75}
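
Added example (not part of the CP) of the Static Response model described above, in Python: a CRL-driven responder that derives each Single Response from the CRL used for revocation status, copies the CRL thisUpdate, caps nextUpdate at the CRL nextUpdate, includes revocationReason only when the CRL entry carries one, rejects a request whose CertIDs mix issuerNameHash/issuerKeyHash pairs or use a hash other than SHA1, and records a nonce in the request as ignored. Signing, DER encoding and the responder certificate are out of scope here. The dataclasses, the `single_response` and `build_basic_response` names, and the sample CRL, serial numbers and hash values are constructed for the example.

```python
# Added example: Static Response model OCSP responder driven by a CRL.
# The dataclasses and build_basic_response are assumptions of this example,
# not part of the Certificate Policy.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[str] = None      # reasonCode entry extension, when the CRL has one


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    entries: tuple                    # CrlEntry values


@dataclass(frozen=True)
class CertId:
    hash_algorithm: str               # profile: SHALL be SHA1
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class SingleResponse:
    serial: int
    status: str                       # "good" or "revoked"; status comes from the CRL alone
    this_update: datetime             # identical to the CRL thisUpdate
    next_update: datetime             # before or identical to the CRL nextUpdate
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[str] = None


def single_response(crl: Crl, serial: int,
                    responder_next_update: Optional[datetime] = None) -> SingleResponse:
    """Derive one Single Response from the CRL used for revocation status.

    A serial absent from the CRL is reported good, which is all a purely
    CRL-driven responder can say. nextUpdate never exceeds the CRL's own.
    """
    next_update = crl.next_update
    if responder_next_update is not None:
        next_update = min(responder_next_update, crl.next_update)
    for entry in crl.entries:
        if entry.serial == serial:
            return SingleResponse(serial, "revoked", crl.this_update, next_update,
                                  entry.revocation_date, entry.reason)
    return SingleResponse(serial, "good", crl.this_update, next_update)


def build_basic_response(crl: Crl, cert_ids: tuple, produced_at: datetime,
                         responder_key_id: bytes,
                         responder_next_update: Optional[datetime] = None,
                         request_extensions: tuple = ()) -> dict:
    """Assemble the fields of an id-pkix-ocsp-basic response (no signing here)."""
    if not cert_ids:
        raise ValueError("a response carries at least one Single Response")
    pairs = {(c.issuer_name_hash, c.issuer_key_hash) for c in cert_ids}
    if len(pairs) != 1:
        raise ValueError("all CertIDs in one response must share one issuerNameHash/issuerKeyHash pair")
    if any(c.hash_algorithm.lower() != "sha1" for c in cert_ids):
        raise ValueError("CertID hashAlgorithm must be SHA1 under this profile")
    # Static model: a nonce in the request is not supported, so it is recorded as ignored.
    ignored = [ext for ext in request_extensions if ext.lower() == "nonce"]
    return {
        "responseType": ID_PKIX_OCSP_BASIC,
        "version": 0,
        "responderID": ("byKey", responder_key_id),   # SKI of the responder certificate
        "producedAt": produced_at,
        "responses": tuple(single_response(crl, c.serial, responder_next_update) for c in cert_ids),
        "ignoredRequestExtensions": ignored,
    }


# Constructed sample data: a CRL with two entries (one carrying reasonCode)
# and three CertIDs for the same issuer. Hash values are placeholders.
T0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(
    this_update=T0,
    next_update=T0 + timedelta(days=7),
    entries=(
        CrlEntry(0x1A2B3C4D5E6F708192, T0 - timedelta(days=2), "keyCompromise"),
        CrlEntry(0x2B3C4D5E6F70819203, T0 - timedelta(days=1)),
    ),
)
ISSUER_NAME_HASH = bytes(range(20))
ISSUER_KEY_HASH = bytes(range(20, 40))
RESPONDER_KEY_ID = bytes(range(40, 60))
CERT_IDS = tuple(CertId("sha1", ISSUER_NAME_HASH, ISSUER_KEY_HASH, s)
                 for s in (0x1A2B3C4D5E6F708192, 0x2B3C4D5E6F70819203, 0x3C4D5E6F7081920314))

if __name__ == "__main__":
    resp = build_basic_response(SAMPLE_CRL, CERT_IDS, T0 + timedelta(hours=1), RESPONDER_KEY_ID,
                                request_extensions=("nonce",))
    for r in resp["responses"]:
        print(hex(r.serial), r.status, r.revocation_reason)
    print("ignored:", resp["ignoredRequestExtensions"])
```

Because every Single Response inherits the CRL's thisUpdate and is capped at its nextUpdate, a relying party can never be told a status fresher than the CRL that produced it, which is the property the "Determined by CRL" rows above pin down.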