X509 Certificate Policies extension
Hi all, We have a three tier PKI hierarchy: Root CA, Intermediate CA and Issuing CAs. Our intermediate CA has its own CPS (Certificate Practice Statement) but uses the root's CP (Certificate Policy). The problem is which OID should be used in the "certificate policies" extension of our new issuing CA's certificates and end entity certificates? I have done some research and according to RFC 5280 the OID should point to the policies which the certificate was issued under. Also I found out that this extension is used in path validation algorithms. Which OID should this extension point to? The CP's or the CPS's? Which one is the best practice?
May 28th, 2012 2:23pm

The extensions should point to CP OIDs (defining each assurance level available in issued certificates). In a 3 tiered hierarchy, I would do the following (assuming three assurance levels).
Root: All Issuance Policies
Policy tier: LowOID, MediumOID, HighOID
Issuing CA 1: LowOID, MediumOID, HighOID (or simply one OID or two OIDs from the selection)
Issuing CA 2: LowOID, MediumOID, HighOID (or simply one OID or two OIDs from the selection)
Brian
May 28th, 2012 4:24pm
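As an added illustration (not part of the thread, and not anyone's production code), the following Python models how the RFC 5280 path validation the question mentions treats the layout Brian describes: the root asserts anyPolicy, the policy tier lists each assurance-level CP OID, and the issuing CAs carry all or a subset of them. The OID strings LowOID/MediumOID/HighOID and the chain sets are constructed placeholders, and policy mappings and inhibitAnyPolicy are ignored.

```python
# Simplified RFC 5280 certificate-policies walk over Brian's three-tier layout.
# Each certificate is modelled only by the policy OIDs it asserts in its
# certificatePolicies extension (constructed example, not from the thread).
from typing import Dict, List, Optional, Set

ANY_POLICY = "2.5.29.32.0"          # anyPolicy (real OID from RFC 5280)
LOW, MEDIUM, HIGH = "LowOID", "MediumOID", "HighOID"   # placeholders for CP OIDs


def valid_policies(chain: List[Set[str]]) -> Set[str]:
    """Walk the chain root-first and return the policies the end-entity is
    valid under. Mirrors the valid_policy_tree for the common case (no
    policy mappings, no inhibitAnyPolicy): anyPolicy passes the parent's set
    through unchanged, an explicit list narrows it by intersection. An empty
    result means no policy survives, so validation fails once
    requireExplicitPolicy is in force."""
    valid: Optional[Set[str]] = None    # None = unconstrained so far
    for policies in chain:
        if ANY_POLICY in policies:
            continue
        valid = set(policies) if valid is None else valid & set(policies)
        if not valid:
            break
    return {ANY_POLICY} if valid is None else valid


def is_valid_under(chain: List[Set[str]], policy: str) -> bool:
    """True if the chain validates with user-initial-policy-set = {policy}."""
    valid = valid_policies(chain)
    return policy in valid or ANY_POLICY in valid


# Brian's layout as constructed sets: root = "All Issuance Policies",
# policy tier = every level, issuing CAs carry all or "simply one OID".
ROOT = {ANY_POLICY}
POLICY_TIER = {LOW, MEDIUM, HIGH}
ISSUING_CA_1 = {LOW, MEDIUM, HIGH}
ISSUING_CA_2 = {MEDIUM}


def demo() -> Dict[str, bool]:
    return {
        "ca1_high_ee_under_high": is_valid_under([ROOT, POLICY_TIER, ISSUING_CA_1, {HIGH}], HIGH),
        "ca2_medium_ee_under_medium": is_valid_under([ROOT, POLICY_TIER, ISSUING_CA_2, {MEDIUM}], MEDIUM),
        # Issuing CA 2 never asserted HighOID, so a High EE beneath it has no valid policy.
        "ca2_high_ee_under_high": is_valid_under([ROOT, POLICY_TIER, ISSUING_CA_2, {HIGH}], HIGH),
        # Validating a High EE for the Medium policy also fails: the sets never meet.
        "ca1_high_ee_under_medium": is_valid_under([ROOT, POLICY_TIER, ISSUING_CA_1, {HIGH}], MEDIUM),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'no valid policy'}")
```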

Thanks for the reply. Our Root has just one CP and therefore one OID. Also we have four levels of assurance: Platinum, Gold, Silver and Bronze, which exist in another document (not the CPS nor the CP). In that document there is an OID defined for each usage (digital signature, confidentiality and authentication) in each level of assurance. In this scenario which OID should we use in CA certificates and EE certificates? The CP's OID or the OIDs which I just mentioned? BTW: Do you mean intermediate CAs by Policy tier?
May 29th, 2012 1:43am
