X500Standard.com
The website of the X.500 Directory standard
X.500 Standard status
(Implementors' Guide)
- Introduction
- Standardization Procedures
- X.500 Document Structure
- X.500 docs not freely available
- X.500 docs freely available
- Current ASN.1 modules
- X.500 extension (excl. X.509)
- F.5xx - Tag-based service
- Submit a Defect Report
- Defect Reports
- Draft Tech Corrigenda
- Upcoming Meetings
- Meeting Reports
- A little history
X.509 Related activities
- X.509 extensions
- General on PKI usages
- Key Management
- Wireless PKI (WPKI)
- M2M and PKI
- Cloud Computing and PKI
- Smart Grid and PKI
How to be involved
More Information
Tutorial section 1
X.500 General
- The X.500 Directory
- Relationship with LDAP
- Information structure & names
- X.500 protocols
- X.500 operations
- Navigation
- Directory Schema
- Access Control
- Replication (Shadowing)
- Families of Entries
- Hierarchical Groups
- Mapping Based Searches
- X.500 Service Concept
- X.500 Service Administration
- Data Privacy Protection
- ISSS Schema
Tutorial section 2
X.509 specific
- X.509 Introduction
- Public-key Certificates
- Public-Key Infrastructure (PKI)
- X.509 Extentions
- Protecting a directory
X.509 at work
Search
X.509 Extensions
An X.509 v3 certificate contains an extension field that permits any number of additional fields to be added to the certificate. Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates.
Figure 1 - Extension structure
The structure is shown in figure 1. An extension consists of the following components:
- An object identifier that identifies the type of extension.
- A flag that indicates whether the extension is critical, that is that the extensions holds vital information. In this case, a relying party shall consider a certificate invalid if it does not recognise the extension, i.e., it has no support for the extension. If an extension is labels non-critical, it can be ignored if not understood.
- The actual extension field
Subject alternative name extension
The Subject Alternative Name extension includes one or more alternative names for the identity bound by the CA to the certified public key. It may be used in addition to the certificate's subject name or as a replacement for it.
The extension allows multiple alternative names to be defined.
The following ASN.1 data type defines the possible names.
GeneralName ::= CHOICE {
otherName [0] INSTANCE OF OTHER-NAME, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER }
Extended key usage extension
Reason code extension
The Reason Code extension identifies the reason for certificate revocation.
Invalid date extension
Certificate issuer extension
The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL.
This extension is used only with indirect CRLs, which are not supported by the Certificate System.