Oracle® Application Server Certificate Authority Administrator's Guide
10g Release 2 (10.1.2)
B14080-02

D Extensions

Oracle Application Server Certificate Authority is compliant with the X.509 V3 and IETF's PKIX standards, and supports standard extensions as described in this Appendix.

D.1 Certificate Usage

OracleAS Certificate Authority enables users to select the function of a requested certificate to fit their intended applications and their enterprise policies. The default as shipped is "Authentication, Encryption, and Signing," but the administrator can configure a different choice, which then becomes the preselected default for that site. Table D-1 shows the possible choices:

Table D-1 Types of Certificate Usage

| Function | Description |
|---|---|
| Authentication | Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) |
| Encryption | Enables encrypting and decrypting electronic documents. |
| Signing | Enables verifiable signature for (and assures non-tampering of) electronic documents, including email (using S/MIME, the Secure Multipurpose Internet Mail Extension). |
| Authentication, Encryption | Certificate can be used for both purposes. |
| Authentication, Signing | Certificate can be used for both purposes. |
| Authentication, Encryption, and Signing | Certificate can be used for all three purposes. |
| Encryption, Signing | Certificate can be used for both purposes. |
| CA Signing | Used to sign users' certificates or Certificate Revocation List (CRL). |
| Code Signing | Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. |


D.1.1 Policy Application to Certificates

Certain policies apply to certificates intended for particular uses, as described in Table D-2.

Table D-2 Policies Applied for Particular Certificate Usages

| Certificate Usage | Basic Constraints (Critical) | Key Usage (Non Critical) | Extended Key Usage (Non Critical) | Subject Alternate Name (Non Critical) |
|---|---|---|---|---|
| CA certificate | CA flag set to true. PathLength: root CA (generated during installation), value hardcoded to 3; root CA (generated using OCACTL), value can be chosen. | Signing Certificates (Keys), Signing CRLs | | |
| Client Authentication | | Digital Signature | clientAuth | rfc822Name=email AND/OR otherName=UID |
| Server Authentication | | Digital Signature, Key Encipherment | serverAuth | rfc822Name=email AND/OR otherName=UID |
| Signing | | Digital Signature, Non-Repudiation | emailProtection | rfc822Name=email AND/OR otherName=UID |
| Encryption | | Data Encipherment, Key Encipherment | emailProtection | |
| Code Signing | | Digital Signature | codeSigning | rfc822Name=email AND/OR otherName=UID |
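
One way to check issued certificates against Table D-2, as an added example that is not part of Oracle's documentation or product code: it decodes the raw DER BIT STRING of a keyUsage extension and reports where a certificate deviates from the table row for its usage. The function names, the mapping of the table's key usage labels to RFC 5280 bit names, the reading of a blank Basic Constraints cell as "CA flag not set", and the sample byte strings are assumptions made for this example.

```python
# Added example: audit decoded certificate extensions against Table D-2.
# Bit names follow the RFC 5280 KeyUsage order (bit 0 first).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

# usage -> (CA flag, key usage bits, extended key usage).
# Assumptions: "Signing Certificates (Keys)" = keyCertSign, "Signing CRLs" =
# cRLSign, and a blank Basic Constraints cell means the CA flag is not set.
PROFILES = {
    "CA certificate": (True, {"keyCertSign", "cRLSign"}, None),
    "Client Authentication": (False, {"digitalSignature"}, "clientAuth"),
    "Server Authentication": (False, {"digitalSignature", "keyEncipherment"}, "serverAuth"),
    "Signing": (False, {"digitalSignature", "nonRepudiation"}, "emailProtection"),
    "Encryption": (False, {"dataEncipherment", "keyEncipherment"}, "emailProtection"),
    "Code Signing": (False, {"digitalSignature"}, "codeSigning"),
}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("not a short-form DER BIT STRING")
    payload = der[3:]
    nbits = len(payload) * 8 - der[2]          # der[2] = count of unused bits
    return {KU_BITS[i] for i in range(min(nbits, len(KU_BITS)))
            if payload[i // 8] & (0x80 >> (i % 8))}

def audit(usage: str, is_ca: bool, ku_der: bytes, eku) -> list:
    """Return the deviations from the Table D-2 row for `usage` (empty = match)."""
    want_ca, want_ku, want_eku = PROFILES[usage]
    got_ku = decode_key_usage(ku_der)
    findings = []
    if is_ca != want_ca:
        findings.append(f"CA flag is {is_ca}, expected {want_ca}")
    findings += [f"unexpected key usage: {b}" for b in sorted(got_ku - want_ku)]
    findings += [f"missing key usage: {b}" for b in sorted(want_ku - got_ku)]
    if eku != want_eku:
        findings.append(f"extended key usage is {eku}, expected {want_eku}")
    return findings

# Constructed sample values (not taken from any real certificate).
SERVER_KU = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
ROGUE_KU = bytes.fromhex("03020284")    # digitalSignature + keyCertSign

if __name__ == "__main__":
    print(audit("Server Authentication", False, SERVER_KU, "serverAuth"))
    print(audit("Client Authentication", False, ROGUE_KU, "clientAuth"))
```

An end-entity certificate that carries keyCertSign, as in the second sample, is the deviation most worth alerting on, because that bit belongs only to the CA certificate row.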