InCommon Server Certificate Profile
The InCommon server certificate profile is reproduced here for convenience. The authoritative profile is the one in the InCommon Certificate Authority Certification Practices Statement [PDF].
3.1 InCommon Certification Authority Server Certificate Profile

InCommon Server Cert Profile v20071116

| Field Name | Value | Example | Specified | Explanation |
|---|---|---|---|---|
| Version | 0x2 | 0x2 | Yes | A version 3 certificate is specified (the encoded integer 2 denotes X.509 v3). |
| Serial Number | a unique integer | 334 | Yes | An integer that is unique among all certificates issued by the InCommon CA. |
| Signature Algorithm | SHA1/RSA | | Yes | |
| Issuer | DN | cn=InCommon Certification Authority, o=InCommon Federation, c=US | Yes | |
| Validity | Time | Not valid before: date | Yes | A two-year validity period is used by default. A shorter period may be selected in special cases. |
| Subject | DN | cn=shib.school. | Yes | The CN is the full domain name of the InCommon Shibboleth server at the organization. |
| Public Key | | 1024 | No | At least a 1024-bit key will be used. |
| Certificate Extensions | | | | |
| Key Usage | Digital Signatures and Key Encipherment | Digital signature and key encipherment will be asserted | Yes | The extension will be marked critical. |
| Basic Constraints | CA=false | CA=false | Yes | This extension will be marked critical. |
| CRL Distribution Points | URI | http://incommoncrl1.incommonfederation.org/crl/eecrls.crl, http://incommoncrl2.incommonfederation.org/crl/eecrls.crl | Yes | Non-critical. The InCommon CA will issue CRLs and make them available via HTTP. |
| Certification Policy | InCommon Policy OID | 1.3.6.1.4.1.5923.1.4.1.1 | Yes | |
| CPS Pointer | URI | http://incommonca.incommonfederation.org/practices.pdf | Yes | This certification practices document will be available online in PDF form. PDF was selected to make accidental modification less likely. |
| Authority Information Access | URI id-ad-caIssuers | http://incommonca1.incommonfederation.org/bridge/certs/ca-certs.p7b, http://incommonca2.incommonfederation.org/bridge/certs/ca-certs.p7b | Yes | Two AIA URLs located at different points on the Internet will be specified. The HTTP URL in the AIA field will point to a PKCS-7 object. When the link is accessed, the web server returns the PKCS-7 file using the MIME type application/x-x509-ca-cert. |
| Extended Key Usage | Server Authentication | TLS Web Server Authentication and TLS Web Client Authentication will be asserted | Yes | This extension will be marked non-critical. |
| SubjectAlt Name | DNSName | shib.school.edu | Yes | The value for this field is the hostname of the server and must be the same as the CN in the Subject Name. |
| Subject Key Identifier | KeyID | See RFC 3280 for details | Yes | |
| Authority Key Identifier | KeyID | See RFC 3280 for details | Yes | |