Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 5280
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Proposed Standard (May 2008; Errata) |
| Document | Authors | Sharon Boeyen, Stefan Santesson, Tim Polk, Russ Housley, Stephen Farrell, Dave Cooper |
| Document | Last updated | 2020-01-21 |
| Document | Stream | IETF |
| Stream | WG state | (None) |
| Stream | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 5280 (Proposed Standard) |
| IESG | Action Holders | (None) |
| IESG | Consensus Boilerplate | Unknown |
| IESG | Responsible AD | Sam Hartman |
| IESG | Send notices to | tim.polk@nist.gov, housley@vigilsec.com |
Network Working Group
Request for Comments: 5280
Obsoletes: 3280, 4325, 4630
Category: Standards Track

D. Cooper, NIST
S. Santesson, Microsoft
S. Farrell, Trinity College Dublin
S. Boeyen, Entrust
R. Housley, Vigil Security
W. Polk, NIST

May 2008

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Abstract

This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices.

Cooper, et al. Standards Track [Page 1]
RFC 5280 PKIX Certificate and CRL Profile May 2008

Table of Contents

1. Introduction ........................................... 4
2. Requirements and Assumptions ........................... 6
   2.1. Communication and Topology ........................ 7
   2.2. Acceptability Criteria ............................ 7
   2.3. User Expectations ................................. 7
   2.4. Administrator Expectations ........................ 8
3. Overview of Approach ................................... 8
   3.1. X.509 Version 3 Certificate ....................... 9
   3.2. Certification Paths and Trust .................... 10
   3.3. Revocation ....................................... 13
   3.4. Operational Protocols ............................ 14
   3.5. Management Protocols ............................. 14
4. Certificate and Certificate Extensions Profile ........ 16
   4.1. Basic Certificate Fields ......................... 16
        4.1.1. Certificate Fields ........................ 17
               4.1.1.1. tbsCertificate ................. 18
               4.1.1.2. signatureAlgorithm ............. 18
               4.1.1.3. signatureValue ................. 18
        4.1.2. TBSCertificate ............................ 18
               4.1.2.1. Version ........................ 19
               4.1.2.2. Serial Number .................. 19
               4.1.2.3. Signature ...................... 19
               4.1.2.4. Issuer ......................... 20
               4.1.2.5. Validity ....................... 22
                        4.1.2.5.1. UTCTime ............. 23
                        4.1.2.5.2. GeneralizedTime ..... 23
               4.1.2.6. Subject ........................ 23
               4.1.2.7. Subject Public Key Info ........ 25
               4.1.2.8. Unique Identifiers ............. 25
               4.1.2.9. Extensions ..................... 26
   4.2. Certificate Extensions ........................... 26
        4.2.1. Standard Extensions ....................... 27
               4.2.1.1. Authority Key Identifier ....... 27
               4.2.1.2. Subject Key Identifier ......... 28
               4.2.1.3. Key Usage ...................... 29
               4.2.1.4. Certificate Policies ........... 32