CA Certificate types

gistfile1.md

1.1.2.1 CA Certificates

A certificate is a CA certificate if basicConstraints extension is present and has cA:TRUE.

1.1.2.1.1 Self-signed CA Certificates

A certificate is a Self-signed CA certificate if the following are true:

• The basicConstraints extension is present and has cA:TRUE
• The subject and issuer DNs of the certificate match
• The certificate signature is validated by the subject public key

1.1.2.1.2 Subordinate CA Certificates

A certificate is a Subordinate CA certificate if it is a CA certificate but not a Sign-signed CA certificate.

1.1.2.1.3 Terminus CA Certificates

A certificate is a Terminus CA certificate if the basicConstraints extension is present and has cA:TRUE and the pathLenConstraint is present and set to 0 (zero).

1.1.2.1.4 Policy CA Certificates

A certificate is a Policy CA certificate if it is a CA certificate and is not a Terminus CA certificate.

1.1.2.1.5 Technically Constrained CA Certificates

A certificate is a Technically Constrained CA certificate if it is a CA certificate and it meets the requirements in section 7.1.5.

1.1.2.1.6 Unconstrained CA Certificates

A certificate is an Unconstrained CA certificate if it is a CA certificate and is not a Technically Constrained CA certificate.

1.1.2.1.7 Root CA Certificates

A certificate is a Root CA certificate if it an Unconstrained Policy CA certificate and is designated by the CA as a Root CA in the CA's CPS

CA cert -> "if basicConstraints extension is present and has cA:TRUE or the Version is either omitted or set to 0"

That is, if we're assuming in-scope non-compliance with the BRs, than an X.509 v1 cert is capable of issuing certs.