x509 extensions in other CAs¶
This page documents the x509 extensions (e.g. for CRLs, etc.) set by other CAs. The information here is used by django-ca to initialize and sign certificate authorities and certificates.
Helpful descriptions of the meaning of various extensions can also be found in x509v3_config(5SSL) (online).
Subject¶
In CA certificates¶
CA |
Subject |
---|---|
Comodo |
|
Comodo DV |
|
Comodo EV |
|
DST X3 |
|
DigiCert EV Root |
|
DigiCert Global Root |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GeoTrust |
|
GlobalSign |
|
GlobalSign DV |
|
GlobalSign R2 |
|
Go Daddy G2 |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
IdenTrust |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL |
|
StartSSL class 2 |
|
StartSSL class 2 |
|
TrustID Server A52 |
|
In signed certificates¶
Certificate |
Subject |
---|---|
Comodo DV |
|
Comodo EV |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GlobalSign DV |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL class 2 |
|
StartSSL class 3 |
|
TrustID Server A52 |
|
Issuer¶
The issuer is an X509 Name naming who signed the certificate. For root CAs, the issuer has the same value as the subject.
In CA certificates¶
CA |
Issuer |
---|---|
Comodo |
|
Comodo DV |
|
Comodo EV |
|
DST X3 |
|
DigiCert EV Root |
|
DigiCert Global Root |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GeoTrust |
|
GlobalSign |
|
GlobalSign DV |
|
GlobalSign R2 |
|
Go Daddy G2 |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
IdenTrust |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL |
|
StartSSL class 2 |
|
StartSSL class 2 |
|
TrustID Server A52 |
|
In signed certificates¶
Certificate |
Issuer |
---|---|
Comodo DV |
|
Comodo EV |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GlobalSign DV |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL class 2 |
|
StartSSL class 3 |
|
TrustID Server A52 |
|
AuthorityInfoAccess¶
The “CA Issuers” is a URI pointing to the signing certificate. The certificate is in DER/ASN1 format
and has a Content-Type: application/x-x509-ca-cert
header (except where noted).
In CA certificates¶
Let’s Encrypt is notable here because its CA Issuers field points to a PKCS#7 file and the HTTP
response returns a Content-Type: application/x-pkcs7-mime
header.
The certificate pointed to by the CA Issuers field is the root certificate (so the Comodo DV CA points to the AddTrust CA that signed the Comodo Root CA).
CA |
Critical |
Values |
---|---|---|
Comodo |
||
Comodo DV |
✗ |
|
Comodo EV |
✗ |
|
DST X3 |
||
DigiCert EV Root |
||
DigiCert Global Root |
||
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GeoTrust |
||
GlobalSign |
||
GlobalSign DV |
✗ |
|
GlobalSign R2 |
||
Go Daddy G2 |
||
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
✗ |
|
IdenTrust |
||
Let’s Encrypt X1 |
✗ |
|
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
✗ |
|
StartSSL |
||
StartSSL class 2 |
✗ |
|
StartSSL class 2 |
✗ |
|
TrustID Server A52 |
✗ |
|
In signed certificates¶
Let’s Encrypt is again special in that the response has a Content-Type: application/pkix-cert
header (but at least it’s in DER format like every other certificate). RapidSSL uses
Content-Type: text/plain
.
The CA Issuers field sometimes points to the signing certificate (e.g. StartSSL) or to the root CA (e.g. Comodo DV, which points to the AddTrust Root CA)
Certificate |
Critical |
Values |
---|---|---|
Comodo DV |
✗ |
|
Comodo EV |
✗ |
|
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GlobalSign DV |
✗ |
|
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
✗ |
|
Let’s Encrypt X1 |
✗ |
|
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
✗ |
|
StartSSL class 2 |
✗ |
|
StartSSL class 3 |
✗ |
|
TrustID Server A52 |
✗ |
|
AuthorityKeyIdentifier¶
A hash identifying the CA used to sign the certificate. In theory the identifier may also be based on the issuer name and serial number, but in the wild, all certificates reference the SubjectKeyIdentifier. Self-signed certificates (e.g. Root CAs, like StartSSL and Comodo below) will reference themself, while signed certificates reference the signed CA, e.g.:
Name |
SubjectKeyIdentifier |
AuthorityKeyIdentifier |
---|---|---|
Root CA |
foo |
foo |
Intermediate CA |
bar |
foo |
Client Cert |
foobar |
bar |
In CA certificates¶
Root CAs usually have a value identical to the SubjectKeyIdentifier, but some root CAs do not include this extension at all.
CA |
Critical |
Key identifier |
Issuer |
Serial |
---|---|---|---|---|
Comodo |
||||
Comodo DV |
✗ |
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 |
✗ |
✗ |
Comodo EV |
✗ |
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 |
✗ |
✗ |
DST X3 |
||||
DigiCert EV Root |
✗ |
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
✗ |
✗ |
DigiCert Global Root |
✗ |
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 |
✗ |
✗ |
DigiCert HA Intermediate |
✗ |
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
✗ |
✗ |
DigiCert Secure Server |
✗ |
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 |
✗ |
✗ |
GeoTrust |
✗ |
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E |
✗ |
✗ |
GlobalSign |
||||
GlobalSign DV |
✗ |
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B |
✗ |
✗ |
GlobalSign R2 |
✗ |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
✗ |
✗ |
Go Daddy G2 |
||||
Go Daddy G2 Intermediate |
✗ |
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE |
✗ |
✗ |
Google G3 |
✗ |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
✗ |
✗ |
IdenTrust |
||||
Let’s Encrypt X1 |
✗ |
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
✗ |
✗ |
Let’s Encrypt X3 |
✗ |
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
✗ |
✗ |
RapidSSL G3 |
✗ |
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E |
✗ |
✗ |
StartSSL |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
✗ |
✗ |
StartSSL class 2 |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
✗ |
✗ |
StartSSL class 2 |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
✗ |
✗ |
TrustID Server A52 |
✗ |
ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 |
✗ |
✗ |
In signed certificates¶
Certificate |
Critical |
Key identifier |
Issuer |
Serial |
---|---|---|---|---|
Comodo DV |
✗ |
90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 |
✗ |
✗ |
Comodo EV |
✗ |
39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69 |
✗ |
✗ |
DigiCert HA Intermediate |
✗ |
51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B |
✗ |
✗ |
DigiCert Secure Server |
✗ |
0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2 |
✗ |
✗ |
GlobalSign DV |
✗ |
EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F |
✗ |
✗ |
Go Daddy G2 Intermediate |
✗ |
40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE |
✗ |
✗ |
Google G3 |
✗ |
77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B |
✗ |
✗ |
Let’s Encrypt X1 |
✗ |
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
✗ |
✗ |
Let’s Encrypt X3 |
✗ |
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
✗ |
✗ |
RapidSSL G3 |
✗ |
C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59 |
✗ |
✗ |
StartSSL class 2 |
✗ |
11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 |
✗ |
✗ |
StartSSL class 3 |
✗ |
B1:3F:1C:92:7B:92:B0:5A:25:B3:38:FB:9C:07:A4:26:50:32:E3:51 |
✗ |
✗ |
TrustID Server A52 |
✗ |
A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1 |
✗ |
✗ |
BasicConstraints¶
The BasicConstraints extension specifies if the certificate can be used as a certificate authority. It is
always marked as critical. The pathlen
attribute specifies the levels of possible intermediate CAs. If not
present, the level of intermediate CAs is unlimited, a pathlen:0
means that the CA itself can not issue
certificates with CA:TRUE
itself.
In CA certificates¶
Most root CAs do not set a Path Length, while most (but not all) intermediate CAs set a Path Length of 0.
CA |
Critical |
CA |
Path length |
---|---|---|---|
Comodo |
✓ |
True |
None |
Comodo DV |
✓ |
True |
0 |
Comodo EV |
✓ |
True |
0 |
DST X3 |
✓ |
True |
None |
DigiCert EV Root |
✓ |
True |
None |
DigiCert Global Root |
✓ |
True |
None |
DigiCert HA Intermediate |
✓ |
True |
0 |
DigiCert Secure Server |
✓ |
True |
0 |
GeoTrust |
✓ |
True |
None |
GlobalSign |
✓ |
True |
None |
GlobalSign DV |
✓ |
True |
0 |
GlobalSign R2 |
✓ |
True |
None |
Go Daddy G2 |
✓ |
True |
None |
Go Daddy G2 Intermediate |
✓ |
True |
None |
Google G3 |
✓ |
True |
0 |
IdenTrust |
✓ |
True |
None |
Let’s Encrypt X1 |
✓ |
True |
0 |
Let’s Encrypt X3 |
✓ |
True |
0 |
RapidSSL G3 |
✓ |
True |
0 |
StartSSL |
✓ |
True |
None |
StartSSL class 2 |
✓ |
True |
0 |
StartSSL class 2 |
✓ |
True |
0 |
TrustID Server A52 |
✓ |
True |
None |
In signed certificates¶
Notable here that some end-user certificates do not mark this extension as critical.
Certificate |
Critical |
CA |
Path length |
---|---|---|---|
Comodo DV |
✓ |
False |
None |
Comodo EV |
✓ |
False |
None |
DigiCert HA Intermediate |
✓ |
False |
None |
DigiCert Secure Server |
✗ |
False |
None |
GlobalSign DV |
✗ |
False |
None |
Go Daddy G2 Intermediate |
✓ |
False |
None |
Google G3 |
✓ |
False |
None |
Let’s Encrypt X1 |
✓ |
False |
None |
Let’s Encrypt X3 |
✓ |
False |
None |
RapidSSL G3 |
✓ |
False |
None |
StartSSL class 2 |
✗ |
False |
None |
StartSSL class 3 |
✗ |
False |
None |
TrustID Server A52 |
CertificatePolicies¶
In CA certificates¶
CA |
Critical |
Policies |
---|---|---|
Comodo |
||
Comodo DV |
✗ |
|
Comodo EV |
✗ |
|
DST X3 |
||
DigiCert EV Root |
||
DigiCert Global Root |
||
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GeoTrust |
||
GlobalSign |
||
GlobalSign DV |
✗ |
|
GlobalSign R2 |
||
Go Daddy G2 |
||
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
✗ |
|
IdenTrust |
||
Let’s Encrypt X1 |
✗ |
|
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
✗ |
|
StartSSL |
✗ |
|
StartSSL class 2 |
✗ |
|
StartSSL class 2 |
✗ |
|
TrustID Server A52 |
✗ |
|
In signed certificates¶
Certificate |
Critical |
Policies |
---|---|---|
Comodo DV |
✗ |
|
Comodo EV |
✗ |
|
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GlobalSign DV |
✗ |
|
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
✗ |
|
Let’s Encrypt X1 |
✗ |
|
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
✗ |
|
StartSSL class 2 |
✗ |
|
StartSSL class 3 |
✗ |
|
TrustID Server A52 |
✗ |
|
CRLDistributionPoints¶
In theory a complex multi-valued extension, this extension usually just holds a URI pointing to a Certificate Revocation List (CRL).
Root certificate authorities (StartSSL, GeoTrust Global, GlobalSign) do not set this field. This usually isn’t a problem since clients have a list of trusted root certificates anyway, and browsers and distributions should get regular updates on the list of trusted certificates.
All CRLs linked here are all in DER/ASN1 format, and the Content-Type
header in the response is
set to application/pkix-crl
. Only Comodo uses application/x-pkcs7-crl
, but it is also in
DER/ASN1 format.
In CA certificates¶
CA |
Critical |
Names |
RDNs |
Issuer |
Reasons |
---|---|---|---|---|---|
Comodo |
|||||
Comodo DV |
✗ |
URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl |
✗ |
✗ |
✗ |
Comodo EV |
✗ |
URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl |
✗ |
✗ |
✗ |
DST X3 |
|||||
DigiCert EV Root |
|||||
DigiCert Global Root |
|||||
DigiCert HA Intermediate |
✗ |
URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl |
✗ |
✗ |
✗ |
DigiCert Secure Server |
✗ |
URI:http://crl3.digicert.com/DigiCertGlobalRootCA.crl |
✗ |
✗ |
✗ |
URI:http://crl4.digicert.com/DigiCertGlobalRootCA.crl |
✗ |
✗ |
✗ |
||
GeoTrust |
|||||
GlobalSign |
|||||
GlobalSign DV |
✗ |
URI:http://crl.globalsign.net/root.crl |
✗ |
✗ |
✗ |
GlobalSign R2 |
✗ |
URI:http://crl.globalsign.net/root-r2.crl |
✗ |
✗ |
✗ |
Go Daddy G2 |
|||||
Go Daddy G2 Intermediate |
✗ |
URI:http://crl.godaddy.com/gdroot-g2.crl |
✗ |
✗ |
✗ |
Google G3 |
✗ |
URI:http://crl.pki.goog/gsr2/gsr2.crl |
✗ |
✗ |
✗ |
IdenTrust |
|||||
Let’s Encrypt X1 |
✗ |
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl |
✗ |
✗ |
✗ |
Let’s Encrypt X3 |
✗ |
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl |
✗ |
✗ |
✗ |
RapidSSL G3 |
✗ |
URI:http://g.symcb.com/crls/gtglobal.crl |
✗ |
✗ |
✗ |
StartSSL |
|||||
StartSSL class 2 |
✗ |
URI:http://crl.startssl.com/sfsca.crl |
✗ |
✗ |
✗ |
StartSSL class 2 |
✗ |
URI:http://crl.startssl.com/sfsca.crl |
✗ |
✗ |
✗ |
TrustID Server A52 |
✗ |
URI:http://validation.identrust.com/crl/commercialrootca1.crl |
✗ |
✗ |
✗ |
In signed certificates¶
Let’s Encrypt is so far the only CA that does not maintain a CRL for signed certificates. Major CAs usually don’t fancy CRLs much because they are a large file (e.g. the CRL from Comodo is 1.5MB) containing all certificates and cause major traffic for CAs. OCSP is just better in every way.
Certificate |
Critical |
Names |
RDNs |
Issuer |
Reasons |
---|---|---|---|---|---|
Comodo DV |
✗ |
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl |
✗ |
✗ |
✗ |
Comodo EV |
✗ |
URI:http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl |
✗ |
✗ |
✗ |
DigiCert HA Intermediate |
✗ |
URI:http://crl3.digicert.com/sha2-ha-server-g6.crl |
✗ |
✗ |
✗ |
URI:http://crl4.digicert.com/sha2-ha-server-g6.crl |
✗ |
✗ |
✗ |
||
DigiCert Secure Server |
✗ |
URI:http://crl3.digicert.com/ssca-sha2-g6.crl |
✗ |
✗ |
✗ |
URI:http://crl4.digicert.com/ssca-sha2-g6.crl |
✗ |
✗ |
✗ |
||
GlobalSign DV |
✗ |
URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl |
✗ |
✗ |
✗ |
Go Daddy G2 Intermediate |
✗ |
URI:http://crl.godaddy.com/gdig2s1-1015.crl |
✗ |
✗ |
✗ |
Google G3 |
✗ |
URI:http://crl.pki.goog/GTSGIAG3.crl |
✗ |
✗ |
✗ |
Let’s Encrypt X1 |
|||||
Let’s Encrypt X3 |
|||||
RapidSSL G3 |
✗ |
URI:http://gv.symcb.com/gv.crl |
✗ |
✗ |
✗ |
StartSSL class 2 |
✗ |
URI:http://crl.startssl.com/crt2-crl.crl |
✗ |
✗ |
✗ |
StartSSL class 3 |
✗ |
URI:http://crl.startssl.com/sca-server3.crl |
✗ |
✗ |
✗ |
TrustID Server A52 |
✗ |
URI:http://validation.identrust.com/crl/trustidcaa52.crl |
✗ |
✗ |
✗ |
ExtendedKeyUsage¶
A list of purposes for which the certificate can be used for. CA certificates usually do not set this field.
In CA certificates¶
CA |
Critical |
Usages |
---|---|---|
Comodo |
||
Comodo DV |
✗ |
serverAuth, clientAuth |
Comodo EV |
||
DST X3 |
||
DigiCert EV Root |
||
DigiCert Global Root |
||
DigiCert HA Intermediate |
✗ |
serverAuth, clientAuth |
DigiCert Secure Server |
||
GeoTrust |
||
GlobalSign |
||
GlobalSign DV |
||
GlobalSign R2 |
||
Go Daddy G2 |
||
Go Daddy G2 Intermediate |
||
Google G3 |
✗ |
serverAuth, clientAuth |
IdenTrust |
||
Let’s Encrypt X1 |
||
Let’s Encrypt X3 |
||
RapidSSL G3 |
||
StartSSL |
||
StartSSL class 2 |
✗ |
clientAuth, serverAuth |
StartSSL class 2 |
||
TrustID Server A52 |
✗ |
serverAuth, clientAuth, Unknown OID, Unknown OID, Unknown OID |
In signed certificates¶
Certificate |
Critical |
Usages |
---|---|---|
Comodo DV |
✗ |
serverAuth, clientAuth |
Comodo EV |
✗ |
serverAuth, clientAuth |
DigiCert HA Intermediate |
✗ |
serverAuth, clientAuth |
DigiCert Secure Server |
✗ |
serverAuth, clientAuth |
GlobalSign DV |
✗ |
serverAuth, clientAuth |
Go Daddy G2 Intermediate |
✗ |
serverAuth, clientAuth |
Google G3 |
✗ |
serverAuth |
Let’s Encrypt X1 |
✗ |
serverAuth, clientAuth |
Let’s Encrypt X3 |
✗ |
serverAuth, clientAuth |
RapidSSL G3 |
✗ |
serverAuth, clientAuth |
StartSSL class 2 |
✗ |
clientAuth, serverAuth |
StartSSL class 3 |
✗ |
clientAuth, serverAuth |
TrustID Server A52 |
✗ |
serverAuth, clientAuth |
IssuerAlternativeName¶
Only StartSSL sets this field in its signed certificates. It’s a URI pointing to their homepage.
In CA certificates¶
CA |
Critical |
---|---|
Comodo |
|
Comodo DV |
|
Comodo EV |
|
DST X3 |
|
DigiCert EV Root |
|
DigiCert Global Root |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GeoTrust |
|
GlobalSign |
|
GlobalSign DV |
|
GlobalSign R2 |
|
Go Daddy G2 |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
IdenTrust |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL |
|
StartSSL class 2 |
|
StartSSL class 2 |
|
TrustID Server A52 |
In signed certificates¶
Certificate |
Critical |
Names |
---|---|---|
Comodo DV |
||
Comodo EV |
||
DigiCert HA Intermediate |
||
DigiCert Secure Server |
||
GlobalSign DV |
||
Go Daddy G2 Intermediate |
||
Google G3 |
||
Let’s Encrypt X1 |
||
Let’s Encrypt X3 |
||
RapidSSL G3 |
||
StartSSL class 2 |
✗ |
URI:http://www.startssl.com/ |
StartSSL class 3 |
✗ |
URI:http://www.startssl.com/ |
TrustID Server A52 |
KeyUsage¶
List of permitted key usages. Usually marked as critical, except for certificates signed by StartSSL.
In CA certificates¶
CA |
Critical |
cRLSign |
dataEncipherment |
decipherOnly |
digitalSignature |
encipherOnly |
keyAgreement |
keyCertSign |
keyEncipherment |
nonRepudiation |
---|---|---|---|---|---|---|---|---|---|---|
Comodo |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
Comodo DV |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
Comodo EV |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
DST X3 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
DigiCert EV Root |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
DigiCert Global Root |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
DigiCert HA Intermediate |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
DigiCert Secure Server |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
GeoTrust |
||||||||||
GlobalSign |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
GlobalSign DV |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
GlobalSign R2 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
Go Daddy G2 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
Go Daddy G2 Intermediate |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
Google G3 |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
IdenTrust |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
Let’s Encrypt X1 |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
Let’s Encrypt X3 |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
RapidSSL G3 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
StartSSL |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
StartSSL class 2 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
StartSSL class 2 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
TrustID Server A52 |
✓ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
✓ |
✗ |
✗ |
In signed certificates¶
Certificate |
Critical |
cRLSign |
dataEncipherment |
decipherOnly |
digitalSignature |
encipherOnly |
keyAgreement |
keyCertSign |
keyEncipherment |
nonRepudiation |
---|---|---|---|---|---|---|---|---|---|---|
Comodo DV |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
Comodo EV |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
DigiCert HA Intermediate |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
DigiCert Secure Server |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
GlobalSign DV |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
Go Daddy G2 Intermediate |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
Google G3 |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
Let’s Encrypt X1 |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
Let’s Encrypt X3 |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
RapidSSL G3 |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
StartSSL class 2 |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✓ |
✗ |
✓ |
✗ |
StartSSL class 3 |
✗ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
TrustID Server A52 |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
✗ |
✗ |
✓ |
✗ |
NameConstraints¶
This extension is only valid in CAs and must be marked as critical, according to RFC 5280.
Only the expired Let’s Encrypt X1 sets this extension to exclude .mil, and does not set this extension as critical.
In CA certificates¶
CA |
Critical |
Permitted |
Excluded |
---|---|---|---|
Comodo |
|||
Comodo DV |
|||
Comodo EV |
|||
DST X3 |
|||
DigiCert EV Root |
|||
DigiCert Global Root |
|||
DigiCert HA Intermediate |
|||
DigiCert Secure Server |
|||
GeoTrust |
|||
GlobalSign |
|||
GlobalSign DV |
|||
GlobalSign R2 |
|||
Go Daddy G2 |
|||
Go Daddy G2 Intermediate |
|||
Google G3 |
|||
IdenTrust |
|||
Let’s Encrypt X1 |
✗ |
✗ |
|
Let’s Encrypt X3 |
|||
RapidSSL G3 |
|||
StartSSL |
|||
StartSSL class 2 |
|||
StartSSL class 2 |
|||
TrustID Server A52 |
In signed certificates¶
Certificate |
Critical |
---|---|
Comodo DV |
|
Comodo EV |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GlobalSign DV |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL class 2 |
|
StartSSL class 3 |
|
TrustID Server A52 |
PrecertificateSignedCertificateTimestamps¶
This extension is used for Certificate Transparency and only makes sense in client certificates. It is usually not marked as critical (since many clients do not support Certificate Transparency).
In CA certificates¶
CA |
Critical |
---|---|
Comodo |
|
Comodo DV |
|
Comodo EV |
|
DST X3 |
|
DigiCert EV Root |
|
DigiCert Global Root |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GeoTrust |
|
GlobalSign |
|
GlobalSign DV |
|
GlobalSign R2 |
|
Go Daddy G2 |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
IdenTrust |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL |
|
StartSSL class 2 |
|
StartSSL class 2 |
|
TrustID Server A52 |
In signed certificates¶
Certificate |
Critical |
Value |
---|---|---|
Comodo DV |
||
Comodo EV |
✗ |
|
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GlobalSign DV |
||
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
||
Let’s Encrypt X1 |
||
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
||
StartSSL class 2 |
||
StartSSL class 3 |
||
TrustID Server A52 |
SubjectAlternativeName¶
The SubjectAlternativeName extension is not present in any CA certificate, and of course whatever the customer requests in signed certificates.
In CA certificates¶
CA |
Value |
---|---|
Let’s Encrypt |
|
StartSSL |
|
StartSSL Class 2 |
|
StartSSL Class 3 |
|
GeoTrust Global |
|
RapidSSL G3 |
|
Comodo |
|
Comodo DV |
|
GlobalSign |
|
GlobalSign DV |
SubjectKeyIdentifier¶
The SubjectKeyIdentifier extension provides a means of identifying certificates. It is a mandatory extension for CA certificates. Currently only RapidSSL does not set this for signed certificates.
The value of the SubjectKeyIdentifier extension reappears in the AuthorityKeyIdentifier extension.
In CA certificates¶
CA |
Critical |
Digest |
---|---|---|
Comodo |
✗ |
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 |
Comodo DV |
✗ |
90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 |
Comodo EV |
✗ |
39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69 |
DST X3 |
✗ |
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
DigiCert EV Root |
✗ |
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
DigiCert Global Root |
✗ |
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 |
DigiCert HA Intermediate |
✗ |
51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B |
DigiCert Secure Server |
✗ |
0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2 |
GeoTrust |
✗ |
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E |
GlobalSign |
✗ |
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B |
GlobalSign DV |
✗ |
EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F |
GlobalSign R2 |
✗ |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
Go Daddy G2 |
✗ |
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE |
Go Daddy G2 Intermediate |
✗ |
40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE |
Google G3 |
✗ |
77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B |
IdenTrust |
✗ |
ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 |
Let’s Encrypt X1 |
✗ |
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
Let’s Encrypt X3 |
✗ |
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
RapidSSL G3 |
✗ |
C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59 |
StartSSL |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
StartSSL class 2 |
✗ |
B1:3F:1C:92:7B:92:B0:5A:25:B3:38:FB:9C:07:A4:26:50:32:E3:51 |
StartSSL class 2 |
✗ |
11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 |
TrustID Server A52 |
✗ |
A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1 |
In signed certificates¶
Certificate |
Critical |
Digest |
---|---|---|
Comodo DV |
✗ |
F2:CB:1F:E9:6E:D5:43:E3:85:75:98:5F:97:7C:B0:59:7F:D5:C0:C0 |
Comodo EV |
✗ |
44:3E:73:30:EB:0B:1B:A7:A7:9D:0F:DA:79:96:4D:1A:87:E9:9D:21 |
DigiCert HA Intermediate |
✗ |
56:F7:45:D4:84:D1:3C:95:AD:58:14:2E:F4:D1:CC:2F:11:C0:73:F6 |
DigiCert Secure Server |
✗ |
08:D7:53:9D:80:0B:FA:B0:39:7E:74:D8:55:DD:A7:EB:C8:BE:16:9C |
GlobalSign DV |
✗ |
52:5A:45:5B:D4:9D:AC:65:30:BD:67:80:6C:D1:A1:3E:09:F7:FD:92 |
Go Daddy G2 Intermediate |
✗ |
2E:30:1A:46:41:F0:E8:1B:72:02:59:41:8A:CF:9D:1B:FA:98:8D:9E |
Google G3 |
✗ |
1F:0D:A6:EA:EA:2B:6E:96:1B:5C:99:B5:C3:3D:6F:5F:4B:0D:BE:9F |
Let’s Encrypt X1 |
✗ |
F4:F3:B8:F5:43:90:2E:A2:7F:DD:51:4A:5F:3E:AC:FB:F1:33:EE:95 |
Let’s Encrypt X3 |
✗ |
77:37:2D:FC:89:22:11:A0:61:E0:AC:6C:F4:1D:98:31:1B:B2:B3:88 |
RapidSSL G3 |
||
StartSSL class 2 |
✗ |
C7:AA:D9:A4:F0:BC:D1:C1:1B:05:D2:19:71:0A:86:F8:58:0F:F0:99 |
StartSSL class 3 |
✗ |
F0:72:65:5E:21:AA:16:76:2C:6F:D0:63:53:0C:68:D5:89:50:2A:73 |
TrustID Server A52 |
✗ |
BE:59:F0:29:27:4B:FC:0A:81:52:7C:DF:CD:02:D8:8F:A8:E5:C2:24 |
Other extensions¶
Extensions used by certificates encountered in the wild that django-ca does not (yet) support in any way.
In CA certificates¶
Currently only the old StartSSL root CA has any unknown extension.
CA |
Extensions |
---|---|
StartSSL |
|
CRL Extensions¶
The values of extensions and values of CRLs found in the wild.
CRL |
Source |
Last accessed |
Info |
---|---|---|---|
Comodo EV (user) |
2019-04-21 |
CRL in Comodo EV end user certificates |
|
DigiCert HA Intermediate/ca |
2019-04-21 |
CRL in DigiCert HA Intermediate |
|
DigiCert HA Intermediate/user |
2019-04-21 |
CRL DigiCert HA Intermediate end user certificates |
|
GlobalSign R2/ca |
2019-04-19 |
CRL in GlobalSign R2 |
|
Go Daddy G2/ca |
2019-04-19 |
CRL in Go Daddy G2 intermediate CA |
|
Go Daddy G2/user |
2019-04-19 |
CRL in Go Daddy G2 end user certificates |
|
Google G3/ca |
2019-04-19 |
CRL in Google G3 CA |
|
Google G3/user |
2019-04-19 |
CRL in Google G3 end user certificates |
|
Let’s Encrypt Authority X3/ca |
2019-04-19 |
CRL in Let’s Encrypt X3 |
|
TrustID Server A52/ca |
2019-04-21 |
CRL in TrustID Server A52 |
|
TrustID Server A52/user |
2019-04-21 |
CRL TrustID Server A52 end user certificates |
Data¶
CRL |
Update freq. |
hash |
---|---|---|
Comodo EV (user) |
4 days, 0:00:00 |
SHA-256 |
DigiCert HA Intermediate/ca |
21 days, 0:00:00 |
SHA-256 |
DigiCert HA Intermediate/user |
7 days, 0:00:00 |
SHA-256 |
GlobalSign R2/ca |
197 days, 0:00:00 |
SHA-256 |
Go Daddy G2/ca |
365 days, 0:00:00 |
SHA-256 |
Go Daddy G2/user |
7 days, 0:00:00 |
SHA-256 |
Google G3/ca |
197 days, 0:00:00 |
SHA-256 |
Google G3/user |
10 days, 0:00:00 |
SHA-256 |
Let’s Encrypt Authority X3/ca |
30 days, 0:00:00 |
SHA-1 |
TrustID Server A52/ca |
30 days, 0:00:00 |
SHA-256 |
TrustID Server A52/user |
1 day, 0:00:00 |
SHA-256 |
Issuer¶
CRL |
Issuer Name |
---|---|
Comodo EV (user) |
|
DigiCert HA Intermediate/ca |
|
DigiCert HA Intermediate/user |
|
GlobalSign R2/ca |
|
Go Daddy G2/ca |
|
Go Daddy G2/user |
|
Google G3/ca |
|
Google G3/user |
|
Let’s Encrypt Authority X3/ca |
|
TrustID Server A52/ca |
|
TrustID Server A52/user |
|
AuthorityKeyIdentifier¶
The value of this extension matches the SubjectKeyIdentifier of the CA that signed the CRL.
CRL |
key_identifier |
cert_issuer |
cert_serial |
---|---|---|---|
Comodo EV (user) |
39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69 |
✗ |
✗ |
DigiCert HA Intermediate/ca |
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
✗ |
✗ |
DigiCert HA Intermediate/user |
51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B |
✗ |
✗ |
GlobalSign R2/ca |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
✗ |
✗ |
Go Daddy G2/ca |
|||
Go Daddy G2/user |
40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE |
|
7 |
Google G3/ca |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
✗ |
✗ |
Google G3/user |
77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B |
✗ |
✗ |
Let’s Encrypt Authority X3/ca |
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
✗ |
✗ |
TrustID Server A52/ca |
ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 |
✗ |
✗ |
TrustID Server A52/user |
A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1 |
✗ |
✗ |
cRLNumber¶
CRL |
number |
---|---|
Comodo EV (user) |
2631 |
DigiCert HA Intermediate/ca |
449 |
DigiCert HA Intermediate/user |
537 |
GlobalSign R2/ca |
31 |
Go Daddy G2/ca |
|
Go Daddy G2/user |
24 |
Google G3/ca |
31 |
Google G3/user |
672 |
Let’s Encrypt Authority X3/ca |
197 |
TrustID Server A52/ca |
83 |
TrustID Server A52/user |
4193 |
IssuingDistributionPoint¶
CRL |
full name |
relative name |
only attribute certs |
only ca certs |
only user certs |
reasons |
indirect CRL |
---|---|---|---|---|---|---|---|
Comodo EV (user) |
|||||||
DigiCert HA Intermediate/ca |
|||||||
DigiCert HA Intermediate/user |
URI:http://crl3.digicert.com/sha2-ha-server-g6.crl |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
GlobalSign R2/ca |
|||||||
Go Daddy G2/ca |
|||||||
Go Daddy G2/user |
URI:http://crl.godaddy.com/gdig2s1-1015.crl |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
Google G3/ca |
|||||||
Google G3/user |
|||||||
Let’s Encrypt Authority X3/ca |
|||||||
TrustID Server A52/ca |
|||||||
TrustID Server A52/user |