Oracle® Application Server Certificate Authority Administrator's Guide
10g (10.1.4.0.1)

Part Number B15989-01

D Extensions

Oracle Application Server Certificate Authority is compliant with the X.509 V3 and IETF's PKIX standards, and supports standard extensions as described in this Appendix.

D.1 Certificate Usage

OracleAS Certificate Authority enables users to select the function of a requested certificate to fit their intended applications and their enterprise policies. The default as shipped is "Authentication, Encryption, and Signing," but the administrator can configure a different choice, which then becomes the preselected default for that site. Table D-1 shows the possible choices:

Table D-1 Types of Certificate Usage

| Function | Description |
|---|---|
| Authentication | Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) |
| Encryption | Enables encrypting and decrypting electronic documents |
| Signing | Enables verifiable signature for (and assures non-tampering of) electronic documents, including email (using S/MIME, the Secure Multipurpose Internet Mail Extension) |
| Authentication, Encryption | Certificate can be used for both purposes. |
| Authentication, Signing | Certificate can be used for both purposes. |
| Authentication, Encryption, and Signing | Certificate can be used for all three purposes. |
| Encryption, Signing | Certificate can be used for both purposes. |
| CA Signing | Used to sign users' certificates or Certificate Revocation List (CRL). |
| Code Signing | Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. |


D.1.1 Policy Application to Certificates

Certain policies apply to certificates intended for particular uses, as described in Table D-2.

Table D-2 Policies Applied for Particular Certificate Usages

| Certificate Usage | Basic Constraints (Critical) | Key Usage (Non Critical) | Extended Key Usage (Non Critical) | Subject Alternate Name (Non Critical) |
|---|---|---|---|---|
| CA certificate | CA flag set to true. PathLength: root CA (generated during installation), value hardcoded to 3; root CA (generated using OCACTL), value can be chosen. | Signing Certificates (Keys), Signing CRLs | | |
| Client Authentication | | Digital Signature | clientAuth | rfc822Name=email AND/OR otherName=UID |
| Server Authentication | | Digital Signature, Key Encipherment | serverAuth | rfc822Name=email AND/OR otherName=UID |
| Signing | | Digital Signature, Non-Repudiation | emailProtection | rfc822Name=email AND/OR otherName=UID |
| Encryption | | Data Encipherment, Key Encipherment | emailProtection | |
| Code Signing | | Digital Signature | codeSigning | rfc822Name=email AND/OR otherName=UID |
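
As an added example (not part of the Oracle guide or of OracleAS Certificate Authority), the following Python code audits the extension section of an `openssl x509 -text` dump against the Table D-2 row for the usage a certificate was issued under. The OpenSSL display names, the exact-match comparison of the Key Usage and Extended Key Usage sets, and the sample text are assumptions of this example.

```python
import re

# Table D-2 as (Key Usage, Extended Key Usage) in `openssl x509 -text` display names.
PROFILES = {
    "CA certificate": ({"Certificate Sign", "CRL Sign"}, set()),
    "Client Authentication": ({"Digital Signature"}, {"TLS Web Client Authentication"}),
    "Server Authentication": ({"Digital Signature", "Key Encipherment"}, {"TLS Web Server Authentication"}),
    "Signing": ({"Digital Signature", "Non Repudiation"}, {"E-mail Protection"}),
    "Encryption": ({"Data Encipherment", "Key Encipherment"}, {"E-mail Protection"}),
    "Code Signing": ({"Digital Signature"}, {"Code Signing"}),
}
EXT_RE = re.compile(r"^\s*X509v3 ([A-Z][^:]+):\s*(critical)?\s*$")

def parse_extensions(text):
    """Return {extension name: (critical flag, set of values on the next line)}."""
    exts, lines = {}, text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if (m := EXT_RE.match(line)):
            values = {v.strip() for v in lines[i + 1].split(",")}
            exts[m.group(1)] = (m.group(2) is not None, values)
    return exts

def audit(text, usage):
    """List deviations of one certificate dump from its Table D-2 row."""
    want_ku, want_eku = PROFILES[usage]
    exts, problems = parse_extensions(text), []
    bc_critical, bc = exts.get("Basic Constraints", (True, set()))
    if ("CA:TRUE" in bc) != (usage == "CA certificate"):
        problems.append("CA flag does not match the requested usage")
    if not bc_critical:
        problems.append("Basic Constraints must be critical")
    for name, want in (("Key Usage", want_ku), ("Extended Key Usage", want_eku)):
        critical, got = exts.get(name, (False, set()))
        if critical:
            problems.append(name + " must be non-critical")
        if got != want:
            problems.append("%s: got %s, expected %s" % (name, sorted(got), sorted(want)))
    return problems

# Constructed `openssl x509 -text` excerpt (not a real certificate) with CA-style settings.
BAD_SERVER = """\
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
print("\n".join(audit(BAD_SERVER, "Server Authentication")))
```

An empty list from `audit` means the dump matches its Table D-2 row; the Subject Alternate Name column is not checked here.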