Entrust provides the intermediate-ca-subord profile for intermediate Certificate Authorities.
This profile is neither exposed nor configurable. External root CAs are not covered by this profile.
The profile is described below.

Certificate fields

The authority basic profiles set the following certificate fields.

| Field | intermediate-ca-subord |
|---|---|
| Issuer | Customer's online root CA |
| Subject | No constraint |
| Validity period | Less than or equal to 10 years. The subordinate expiry cannot exceed the parent validity. |

Certificate critical extensions

The authority basic profiles set the following certificate critical extensions.

| Extension | intermediate-ca-subord |
|---|---|
| Basic Constraints | cA=True, pathLenConstraint=None |
| Extended Key Usage | Never present |
| Key Usage | digitalSignature, keyCertSign, cRLSign |

Certificate non-critical extensions

The authority basic profiles set the following non-critical certificate extensions.

| Extension | intermediate-ca-subord |
|---|---|
| AIA | Supplied when the customer enables OCSP on CA creation |
| Authority Key Identifier | Matches subjectKeyIdentifier of the signing certificate |
| CRL Distribution Points | Always present |
| OCSP | Never present |
| Subject Key Identifier | «The leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey» as described in RFC 7093 section 2 |