Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC 2459
Document | Type |
RFC - Proposed Standard
(January 1999; Errata)
Obsoleted by RFC 3280
|
|
---|---|---|---|
Authors | Russ Housley , Tim Polk , Warwick Ford , Dave Solo | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 2459 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group R. Housley Request for Comments: 2459 SPYRUS Category: Standards Track W. Ford VeriSign W. Polk NIST D. Solo Citicorp January 1999 Internet X.509 Public Key Infrastructure Certificate and CRL Profile Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved. Abstract This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use in the Internet. An overview of the approach and model are provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms (e.g., IP addresses). Standard certificate extensions are described and one new Internet-specific extension is defined. A required set of certificate extensions is specified. The X.509 v2 CRL format is described and a required extension set is defined as well. An algorithm for X.509 certificate path validation is described. Supplemental information is provided describing the format of public keys and digital signatures in X.509 certificates for common Internet public key encryption algorithms (i.e., RSA, DSA, and Diffie-Hellman). ASN.1 modules and examples are provided in the appendices. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. Housley, et. al. Standards Track [Page 1] RFC 2459 Internet X.509 Public Key Infrastructure January 1999 Please send comments on this document to the ietf-pkix@imc.org mail list. TTTTaaaabbbblllleeee ooooffff CCCCoooonnnntttteeeennnnttttssss 1 Introduction ................................................ 5 2 Requirements and Assumptions ................................ 6 2.1 Communication and Topology ................................ 6 2.2 Acceptability Criteria .................................... 7 2.3 User Expectations ......................................... 7 2.4 Administrator Expectations ................................ 7 3 Overview of Approach ........................................ 7 3.1 X.509 Version 3 Certificate ............................... 9 3.2 Certification Paths and Trust ............................. 10 3.3 Revocation ................................................ 12 3.4 Operational Protocols ..................................... 13 3.5 Management Protocols ...................................... 13 4 Certificate and Certificate Extensions Profile .............. 15 4.1 Basic Certificate Fields .................................. 15 4.1.1 Certificate Fields ...................................... 16 4.1.1.1 tbsCertificate ........................................ 16 4.1.1.2 signatureAlgorithm .................................... 16 4.1.1.3 signatureValue ........................................ 17 4.1.2 TBSCertificate .......................................... 17 4.1.2.1 Version ............................................... 17 4.1.2.2 Serial number ......................................... 18 4.1.2.3 Signature ............................................. 18 4.1.2.4 Issuer ................................................ 18 4.1.2.5 Validity .............................................. 21 4.1.2.5.1 UTCTime ............................................. 22 4.1.2.5.2 GeneralizedTime ..................................... 22 4.1.2.6 Subject ............................................... 22 4.1.2.7 Subject Public Key Info ............................... 23 4.1.2.8 Unique Identifiers .................................... 24 4.1.2.9 Extensions ............................................. 24 4.2 Certificate Extensions .................................... 24Show full document text