@pzb
Created March 25, 2015 02:45
CA Certificate types

1.1.2.1 CA Certificates

A certificate is a CA certificate if the basicConstraints extension is present and has cA:TRUE.

1.1.2.1.1 Self-signed CA Certificates

A certificate is a Self-signed CA certificate if the following are true:

  • The basicConstraints extension is present and has cA:TRUE
  • The subject and issuer DNs of the certificate match
  • The certificate signature is validated by the subject public key

1.1.2.1.2 Subordinate CA Certificates

A certificate is a Subordinate CA certificate if it is a CA certificate but not a Self-signed CA certificate.

1.1.2.1.3 Terminus CA Certificates

A certificate is a Terminus CA certificate if the basicConstraints extension is present and has cA:TRUE and the pathLenConstraint is present and set to 0 (zero).

1.1.2.1.4 Policy CA Certificates

A certificate is a Policy CA certificate if it is a CA certificate and is not a Terminus CA certificate.

1.1.2.1.5 Technically Constrained CA Certificates

A certificate is a Technically Constrained CA certificate if it is a CA certificate and it meets the requirements in section 7.1.5.

1.1.2.1.6 Unconstrained CA Certificates

A certificate is an Unconstrained CA certificate if it is a CA certificate and is not a Technically Constrained CA certificate.

1.1.2.1.7 Root CA Certificates

A certificate is a Root CA certificate if it is an Unconstrained Policy CA certificate and is designated by the CA as a Root CA in the CA's CPS.

sleevi commented Mar 25, 2015

CA cert -> "if basicConstraints extension is present and has cA:TRUE or the Version is either omitted or set to 0"

That is, if we're assuming in-scope non-compliance with the BRs, then an X.509 v1 cert is capable of issuing certs.
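
The definitions in the gist as a classifier, with the comment's v1 variant as an opt-in flag. This is an added example, not code from the gist or from either author. `CertFacts`, `classify`, the `v1_is_ca` flag and the sample certificates are hypothetical; DN matching is simplified to string equality, and the section 7.1.5 and CPS checks are taken as inputs.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CertFacts:
    """Facts already extracted from one certificate."""
    version: int               # encoded value: 0 = X.509 v1 (also when omitted), 2 = v3
    subject: str
    issuer: str
    ca_flag: Optional[bool]    # None = basicConstraints extension absent
    path_len: Optional[int]    # None = pathLenConstraint absent
    self_sig_ok: bool          # signature validates under the subject public key
    meets_7_1_5: bool = False  # assumption: result of the section 7.1.5 check, done elsewhere
    cps_root: bool = False     # assumption: designated as a Root CA in the CA's CPS

def classify(c: CertFacts, v1_is_ca: bool = False) -> set:
    """Return every type from 1.1.2.1.x that applies; empty set if not a CA certificate."""
    is_ca = c.ca_flag is True or (v1_is_ca and c.version == 0)
    if not is_ca:
        return set()
    types = {"CA"}
    # 1.1.2.1.1 names the extension itself, so read literally a v1 cert never matches it.
    self_signed = c.ca_flag is True and c.subject == c.issuer and c.self_sig_ok
    types.add("Self-signed" if self_signed else "Subordinate")
    # 1.1.2.1.3 / 1.1.2.1.4: Terminus and Policy split the CA certificates between them.
    terminus = c.ca_flag is True and c.path_len == 0
    types.add("Terminus" if terminus else "Policy")
    types.add("Technically Constrained" if c.meets_7_1_5 else "Unconstrained")
    if {"Unconstrained", "Policy"} <= types and c.cps_root:
        types.add("Root")
    return types

# Constructed sample certificates, not taken from any real PKI.
SAMPLES = {
    "root": CertFacts(2, "CN=Example Root", "CN=Example Root", True, None, True, cps_root=True),
    "issuing": CertFacts(2, "CN=Example Issuing", "CN=Example Root", True, 0, False),
    "legacy_v1": CertFacts(0, "CN=Legacy", "CN=Legacy", None, None, True),
    "leaf": CertFacts(2, "CN=www.example.test", "CN=Example Issuing", False, None, False),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, sorted(classify(cert)), sorted(classify(cert, v1_is_ca=True)))
```

With `v1_is_ca=True` the v1 sample becomes an Unconstrained Policy CA certificate, since it can carry neither a pathLenConstraint nor any other extension.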
