in2EPS

PKIX – Public-Key Infrastructure (X.509):
ASN.1 definitions for PKIX Certificate and Certificate Revocation List (CRL)

RFC 5280 (which obsoletes RFC 3280) develops a profile to facilitate the use of X.509 certificates within Internet applications for those communities wishing to make use of X.509 technology. Such applications may include WWW, electronic mail, user authentication, and IPsec. In order to relieve some of the obstacles to using X.509 certificates, RFC 5280 defines a profile to promote the development of certificate management systems, development of application tools, and interoperability determined by policy.

Some communities will need to supplement, or possibly replace, this profile in order to meet the requirements of specialized application domains or environments with additional authorization, assurance, or operational requirements.

Note: In the following ASN.1 definitions, "[tag] Type" is to be interpreted as "[tag] IMPLICIT Type".
Sections: Certificate, Certificate Extensions, CRL, CRL Extensions, CRL Entry Extensions, Naming, Algorithm Identifiers

ASN.1 for Certificate

Certificate ::= SEQUENCE {
    tbsCertificate TBSCertificate,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING }
TBSCertificate ::= SEQUENCE {
    version [0] EXPLICIT Version DEFAULT v1,
    serialNumber CertificateSerialNumber,
    signature AlgorithmIdentifier,
    issuer Name,
    validity Validity,
    subject Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
        -- If present, version MUST be v2 or v3
    subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
        -- If present, version MUST be v2 or v3
    extensions [3] EXPLICIT Extensions OPTIONAL
        -- If present, version MUST be v3 -- }
Version ::= INTEGER { v1(0), v2(1), v3(2) }
CertificateSerialNumber ::= INTEGER
Validity ::= SEQUENCE {
    notBefore Time,
    notAfter Time }
Time ::= CHOICE {
    utcTime UTCTime,
    generalTime GeneralizedTime }
UniqueIdentifier ::= BIT STRING
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier,
    subjectPublicKey BIT STRING }
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
    extnID OBJECT IDENTIFIER,
    critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }

ASN.1 for Certificate Extensions

id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
id-pkix OBJECT IDENTIFIER ::=
    { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }   -- arc for private certificate extensions

Extensions: Authority Key Identifier, Subject Key Identifier, Key Usage, Private Key Usage Period, Certificate Policies, Policy Mappings, Subject Alternative Name, Issuer Alternative Name, Subject Directory Attributes, Basic Constraints, Name Constraints, Policy Constraints, Extended Key Usage, CRL Distribution Points, Inhibit Any-Policy, Freshest CRL, Authority Information Access, Subject Information Access

Authority Key Identifier Certificate Extension

The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or on the issuer name and serial number.
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier [0] KeyIdentifier OPTIONAL,
    authorityCertIssuer [1] GeneralNames OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
    -- authorityCertIssuer and authorityCertSerialNumber MUST both
    -- be present or both be absent
KeyIdentifier ::= OCTET STRING

Subject Key Identifier Certificate Extension

The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
SubjectKeyIdentifier ::= KeyIdentifier

Key Usage Certificate Extension

The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. When this extension appears, it SHOULD be marked critical.
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
KeyUsage ::= BIT STRING {
    digitalSignature (0),
    nonRepudiation (1),
    keyEncipherment (2),
    dataEncipherment (3),
    keyAgreement (4),
    keyCertSign (5),
    cRLSign (6),
    encipherOnly (7),
    decipherOnly (8) }
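The named bits above are numbered from the most significant bit of the first content octet, so decipherOnly (8) lands in a second octet. The decoder below is an added example, not part of the original page; the function name and the sample encodings in the comments and test are constructed for illustration.

```python
# Bit names in the order given by the KeyUsage definition above.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(extn_value):
    """Decode the DER BIT STRING held in a keyUsage extnValue into bit names.

    extn_value is the content of the extension's OCTET STRING, i.e. the
    complete BIT STRING TLV (tag 0x03, length, unused-bit count, data).
    """
    if len(extn_value) < 3 or extn_value[0] != 0x03:
        raise ValueError("expected a BIT STRING")
    # At most nine bits are defined, so a short-form length is always enough.
    if extn_value[1] != len(extn_value) - 2:
        raise ValueError("length octet does not match the data")
    unused, data = extn_value[2], extn_value[3:]
    if unused > 7 or (not data and unused):
        raise ValueError("invalid unused-bit count")
    value = int.from_bytes(data, "big")
    if value & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    # DER strips trailing zero bits from a named-bit list, so the last
    # encoded bit has to be a one.
    if data and not (value >> unused) & 1:
        raise ValueError("trailing zero bits were not stripped (not DER)")
    names = []
    for i in range(len(data) * 8 - unused):
        # Bit 0 is the most significant bit of the first data octet.
        if data[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("bit %d is not defined for KeyUsage" % i)
            names.append(KEY_USAGE_BITS[i])
    return names


if __name__ == "__main__":
    # Constructed encodings: 03 02 05 A0 and 03 03 07 08 80.
    print(decode_key_usage(bytes.fromhex("030205a0")))
    print(decode_key_usage(bytes.fromhex("0303070880")))
```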

Private Key Usage Period Certificate Extension

This extension SHOULD NOT be used within the Internet PKI. CAs conforming to this profile MUST NOT generate certificates that include a critical private key usage period extension. The private key usage period extension allows the certificate issuer to specify a different validity period for the private key than the certificate. This extension is intended for use with digital signature keys. This extension consists of two optional components, notBefore and notAfter. The private key associated with the certificate SHOULD NOT be used to sign objects before or after the times specified by the two components, respectively. CAs conforming to this profile MUST NOT generate certificates with private key usage period extensions unless at least one of the two components is present and the extension is non-critical.
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
PrivateKeyUsagePeriod ::= SEQUENCE {
    notBefore [0] GeneralizedTime OPTIONAL,
    notAfter [1] GeneralizedTime OPTIONAL }
    -- either notBefore or notAfter MUST be present

Certificate Policies Certificate Extension

The certificate policies extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. In an end entity certificate, these policy information terms indicate the policy under which the certificate has been issued and the purposes for which the certificate may be used.
id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE {
    policyIdentifier CertPolicyId,
    policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
CertPolicyId ::= OBJECT IDENTIFIER
PolicyQualifierInfo ::= SEQUENCE {
    policyQualifierId PolicyQualifierId,
    qualifier ANY DEFINED BY policyQualifierId }
PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

Policy Mappings Certificate Extension

This extension is used in CA certificates. It lists one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. This extension MAY be supported by CAs and/or applications, and it MUST be non-critical.
id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
    issuerDomainPolicy CertPolicyId,
    subjectDomainPolicy CertPolicyId }

Subject Alternative Name Certificate Extension

The subject alternative names extension allows additional identities to be bound to the subject of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a uniform resource identifier (URI).
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
    otherName [0] AnotherName,
    rfc822Name [1] IA5String,
    dNSName [2] IA5String,
    x400Address [3] ORAddress,
    directoryName [4] Name,
    ediPartyName [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress [7] OCTET STRING,
    registeredID [8] OBJECT IDENTIFIER }
AnotherName ::= SEQUENCE {
    type-id OBJECT IDENTIFIER,
    value ANY DEFINED BY type-id }

Issuer Alternative Name Certificate Extension

As with Subject Alternative Name, this extension is used to associate Internet style identities with the certificate issuer. Where present, this extension SHOULD NOT be marked critical.
id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
IssuerAltName ::= GeneralNames

Subject Directory Attributes Certificate Extension

The subject directory attributes extension is used to convey identification attributes (e.g., nationality) of the subject. This extension MUST be non-critical.
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute

Basic Constraints Certificate Extension

The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
BasicConstraints ::= SEQUENCE {
    cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }

Name Constraints Certificate Extension

The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located.
id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
NameConstraints ::= SEQUENCE {
    permittedSubtrees [0] GeneralSubtrees OPTIONAL,
    excludedSubtrees [1] GeneralSubtrees OPTIONAL }
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
    base GeneralName,
    minimum [0] BaseDistance DEFAULT 0,
    maximum [1] BaseDistance OPTIONAL }
BaseDistance ::= INTEGER (0..MAX)

Policy Constraints Certificate Extension

The policy constraints extension can be used in certificates issued to CAs. The policy constraints extension constrains path validation in two ways. It can be used to prohibit policy mapping or require that each certificate in a path contain an acceptable policy identifier. This extension MAY be critical or non-critical.
id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
PolicyConstraints ::= SEQUENCE {
    requireExplicitPolicy [0] SkipCerts OPTIONAL,
    inhibitPolicyMapping [1] SkipCerts OPTIONAL }
SkipCerts ::= INTEGER (0..MAX)

Extended Key Usage Certificate Extension

This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates. This extension MAY, at the option of the certificate issuer, be either critical or non-critical.
id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER

CRL Distribution Points Certificate Extension

The CRL distribution points extension identifies how CRL information is obtained.
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
    distributionPoint [0] DistributionPointName OPTIONAL,
    reasons [1] ReasonFlags OPTIONAL,
    cRLIssuer [2] GeneralNames OPTIONAL }
DistributionPointName ::= CHOICE {
    fullName [0] GeneralNames,
    nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
ReasonFlags ::= BIT STRING {
    unused (0),
    keyCompromise (1),
    cACompromise (2),
    affiliationChanged (3),
    superseded (4),
    cessationOfOperation (5),
    certificateHold (6),
    privilegeWithdrawn (7),
    aACompromise (8) }

Inhibit Any-Policy Certificate Extension

The inhibit any-policy extension can be used in certificates issued to CAs. The inhibit any-policy indicates that the special anyPolicy OID, with the value { 2 5 29 32 0 }, is not considered an explicit match for other certificate policies. The value indicates the number of additional certificates that may appear in the path before anyPolicy is no longer permitted. For example, a value of one indicates that anyPolicy may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path. This extension MUST be critical.
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
InhibitAnyPolicy ::= SkipCerts

Freshest CRL (a.k.a. Delta CRL Distribution Point) Certificate Extension

The freshest CRL extension identifies how delta CRL information is obtained. The extension MUST be non-critical.
id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
FreshestCRL ::= CRLDistributionPoints

Authority Information Access Certificate Extension

The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. This extension may be included in end entity or CA certificates, and it MUST be non-critical.
id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
AccessDescription ::= SEQUENCE {
    accessMethod OBJECT IDENTIFIER,
    accessLocation GeneralName }
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }

Subject Information Access Certificate Extension

The subject information access extension indicates how to access information and services for the subject of the certificate in which the extension appears. When the subject is a CA, information and services may include certificate validation services and CA policy data. When the subject is an end entity, the information describes the type of services offered and how to access them. In this case, the contents of this extension are defined in the protocol specifications for the supported services. This extension may be included in subject or CA certificates, and it MUST be non-critical.
id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
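Several extension descriptions above state whether the critical flag must, or should, be set. The following added example (not part of the original page) walks a DER-encoded Extensions value, applies the DEFAULT FALSE rule for the critical field, and reports extensions whose flag contradicts those descriptions; the function names, the RULES subset and the sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted form (id-ce is 2.5.29)."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in content:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # the first two arcs share one subidentifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def parse_extensions(der):
    """Parse Extensions into a list of (extnID, critical, extnValue) tuples."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der) or not body:
        raise ValueError("expected one non-empty SEQUENCE (SIZE 1..MAX)")
    found, pos = [], 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid, p = read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        tag, value, p = read_tlv(ext, p)
        critical = False                    # DEFAULT FALSE: DER leaves the field out
        if tag == 0x01:
            if value != b"\xff":            # an encoded FALSE (or non-FF TRUE) is not DER
                raise ValueError("critical present but not DER TRUE")
            critical = True
            tag, value, p = read_tlv(ext, p)
        if tag != 0x04 or p != len(ext):
            raise ValueError("extnValue must be the final OCTET STRING")
        found.append((decode_oid(oid), critical, value))
    return found


# extnID -> (name, expected critical flag, requirement level).
# A subset of the statements made in the extension descriptions on this page.
RULES = {
    "2.5.29.15": ("keyUsage", True, "SHOULD"),
    "2.5.29.18": ("issuerAltName", False, "SHOULD"),
    "2.5.29.9": ("subjectDirectoryAttributes", False, "MUST"),
    "2.5.29.54": ("inhibitAnyPolicy", True, "MUST"),
    "2.5.29.46": ("freshestCRL", False, "MUST"),
    "1.3.6.1.5.5.7.1.1": ("authorityInfoAccess", False, "MUST"),
    "1.3.6.1.5.5.7.1.11": ("subjectInfoAccess", False, "MUST"),
}


def lint_criticality(der):
    """Return one finding per extension whose critical flag contradicts RULES."""
    findings = []
    for oid, critical, _ in parse_extensions(der):
        name, expected, level = RULES.get(oid, (None, critical, None))
        if critical != expected:
            state = "critical" if expected else "non-critical"
            findings.append(f"{name}: {level} be {state}")
    return findings


# Constructed sample: keyUsage (critical), inhibitAnyPolicy (flag omitted),
# issuerAltName (critical) carrying the dNSName "ca.example.test".
SAMPLE = bytes.fromhex(
    "303b"
    "300e0603551d0f0101ff0404030205a0"
    "300a0603551d360403020101"
    "301d0603551d120101ff04133011820f"
) + b"ca.example.test"

if __name__ == "__main__":
    for finding in lint_criticality(SAMPLE):
        print(finding)
```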

ASN.1 for Certificate Revocation List

CertificateList ::= SEQUENCE {
    tbsCertList TBSCertList,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING }
TBSCertList ::= SEQUENCE {
    version Version OPTIONAL,
        -- if present, MUST be v2
    signature AlgorithmIdentifier,
    issuer Name,
    thisUpdate Time,
    nextUpdate Time OPTIONAL,
    revokedCertificates SEQUENCE OF SEQUENCE {
        userCertificate CertificateSerialNumber,
        revocationDate Time,
        crlEntryExtensions Extensions OPTIONAL
            -- if present, MUST be v2
    } OPTIONAL,
    crlExtensions [0] EXPLICIT Extensions OPTIONAL }
        -- if present, MUST be v2

ASN.1 for CRL Extensions

CRL extensions: CRL Number, Delta CRL Indicator, Issuing Distribution Point

CRL Number  CRL Extension

The CRL number is a CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL. This extension is non-critical.
id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
CRLNumber ::= INTEGER (0..MAX)

Delta CRL Indicator  CRL Extension

The delta CRL indicator is a CRL extension that identifies a CRL as being a delta CRL. Delta CRLs contain updates to revocation information previously distributed, rather than all the information that would appear in a complete CRL. This extension is critical.
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
BaseCRLNumber ::= CRLNumber

Issuing Distribution Point  CRL Extension

The issuing distribution point is a CRL extension that identifies the CRL distribution point and scope for a particular CRL, and it indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, attribute certificates only, or a limited set of reason codes. Although the extension is critical, conforming implementations are not required to support this extension.
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
IssuingDistributionPoint ::= SEQUENCE {
    distributionPoint [0] DistributionPointName OPTIONAL,
    onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons [3] ReasonFlags OPTIONAL,
    indirectCRL [4] BOOLEAN DEFAULT FALSE,
    onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }

ASN.1 for CRL Entry Extensions

CRL entry extensions: Reason Code, Hold Instruction Code, Invalidity Date, Certificate Issuer

Reason Code  CRL Entry Extension

The reasonCode is a CRL entry extension that identifies the reason for the certificate revocation. This extension is non-critical.
id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
CRLReason ::= ENUMERATED {
    unspecified (0),
    keyCompromise (1),
    cACompromise (2),
    affiliationChanged (3),
    superseded (4),
    cessationOfOperation (5),
    certificateHold (6),
    removeFromCRL (8),
    privilegeWithdrawn (9),
    aACompromise (10) }

Hold Instruction Code  CRL Entry Extension

The hold instruction code is a CRL entry extension that provides a registered instruction identifier which indicates the action to be taken after encountering a certificate that has been placed on hold. This extension is non-critical.
id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
HoldInstructionCode ::= OBJECT IDENTIFIER
holdInstruction OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= { holdInstruction 1 }
id-holdinstruction-callissuer OBJECT IDENTIFIER ::= { holdInstruction 2 }
id-holdinstruction-reject OBJECT IDENTIFIER ::= { holdInstruction 3 }

Invalidity Date  CRL Entry Extension

The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This extension is non-critical.
id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
InvalidityDate ::= GeneralizedTime

Certificate Issuer  CRL Entry Extension

This CRL entry extension identifies the certificate issuer associated with an entry in an indirect CRL, that is, a CRL that has the indirectCRL indicator set in its issuing distribution point extension. This extension MUST always be critical.
id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
CertificateIssuer ::= GeneralNames

ASN.1 for Naming

Name ::= CHOICE { -- only one possibility for now --
    rdnSequence RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
DistinguishedName ::= RDNSequence
RelativeDistinguishedName ::= SET SIZE (1 .. MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
    type AttributeType,
    value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY

ASN.1 for Algorithm Identifiers

AlgorithmIdentifier ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters ANY DEFINED BY algorithm OPTIONAL }
        -- contains a value of the type
        -- registered for use with the
        -- algorithm object identifier value

One-way Hash Functions  Algorithm Identifiers

md2 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }
md5 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }
id-sha1 OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 }

DSA Keys and Signatures  Algorithm Identifiers

-- OID for DSA public key
id-dsa OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
-- encoding for DSA public key
DSAPublicKey ::= INTEGER -- public key, y
Dss-Parms ::= SEQUENCE {
    p INTEGER,
    q INTEGER,
    g INTEGER }
-- OID for DSA signature generated with SHA-1 hash
id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }
-- encoding for DSA signature generated with SHA-1 hash
Dss-Sig-Value ::= SEQUENCE {
    r INTEGER,
    s INTEGER }

RSA Keys and Signatures  Algorithm Identifiers

-- arc for RSA public key and RSA signature OIDs
pkcs-1 OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
-- OID for RSA public keys
rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
-- OID for RSA signature generated with MD2 hash
md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
-- OID for RSA signature generated with MD5 hash
md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
-- OID for RSA signature generated with SHA-1 hash
sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
-- encoding for RSA public key
RSAPublicKey ::= SEQUENCE {
    modulus INTEGER, -- n
    publicExponent INTEGER } -- e

Diffie-Hellman Keys  Algorithm Identifiers

dhpublicnumber OBJECT IDENTIFIER ::= {
    iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
-- encoding for DH public key
DHPublicKey ::= INTEGER -- public key, y = g^x mod p
DomainParameters ::= SEQUENCE {
    p INTEGER, -- odd prime, p = jq + 1
    g INTEGER, -- generator, g
    q INTEGER, -- factor of p-1
    j INTEGER OPTIONAL, -- subgroup factor, j >= 2
    validationParms ValidationParms OPTIONAL }
ValidationParms ::= SEQUENCE {
    seed BIT STRING,
    pgenCounter INTEGER }

KEA Keys  Algorithm Identifiers

keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
    2 16 840 1 101 2 1 1 22 }
KEA-Parms-Id ::= OCTET STRING

Elliptic Curve Keys, Signatures, and Curves  Algorithm Identifiers
