---
title: Certificate extensions
description: Extensions provide additional context for a certificate.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_cert_extensions
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_cert_extensions.html
revdate: September 13, 2023
---

# Certificate extensions

Extensions provide additional context for a certificate.

There are several types of extensions, but some of the most common include the following.

| Extension | Description |
| --- | --- |
| Subject key identifier | Holds a unique identifier for the certificate, which is generally derived from the certificate's public key. |
| Authority key identifier | Holds the subject key identifier for the issuer certificate. It can help identify the issuer certificate, especially when presented with an incomplete certificate chain. |
| Subject alternative name | Holds a list of ways that clients are expected to reference a server when establishing a connection to it. Clients should take this information into account when deciding whether to trust a server's certificate. There are several types of values, but the most common are DNS names, IP addresses, and URIs.&#xA;&#xA;DNS names should be fully qualified, but can optionally use an asterisk in the leftmost component to match any single name in that component. For example, "\*.example.com" could match "www\.example.com" or "ldap.example.com", but would not match "ldap.east.example.com" or "example.com". |
| Key usage | Provides information about the way in which the certificate is expected to be used. The allowed key usages are listed under Key usage values below. |
| Extended key usage | Acts as an alternative to the key usage extension and provides additional high-level functionality. The allowed extended key usages are listed under Extended key usage values below. |
| Basic constraints | Indicates whether the certificate can act as a certification authority and, if so, the maximum number of intermediate certificates that might appear beneath it in a certificate chain. |

## Key usage values

Allowed key usages include:

- digitalSignature

  Indicates that the certificate can be used for digitally signing data, excluding certificates and CRLs.

- nonRepudiation (also known as contentCommitment)

  Indicates that the certificate can be used to prevent denying the authenticity of a message.

- keyEncipherment

  Indicates that the certificate can be used to protect encryption keys, such as symmetric keys derived during TLS key agreement.

- keyAgreement

  Indicates that the certificate's public key can be used for key agreement, such as deriving the symmetric key used to protect TLS communication.

- keyCertSign

  Indicates that the certificate can be used for signing other certificates. In other words, it can act as a certification authority.

- cRLSign

  Indicates that the certificate can be used to sign certificate revocation lists (CRLs).

- encipherOnly

  When used in conjunction with the keyEncipherment usage, this indicates that the public key can only be used for encrypting data during key agreement.

- decipherOnly

  When used in conjunction with the keyEncipherment usage, this indicates that the public key can only be used for decrypting data during key agreement.

## Extended key usage values

Allowed extended key usages include:

- serverAuth

  Indicates that the server might present the certificate to the client during TLS negotiation.

- clientAuth

  Indicates that the client might present the certificate to the server during TLS negotiation.

- codeSigning

  Indicates that the certificate can be used to sign source and compiled code.

- emailProtection

  Indicates that the certificate can be used to sign or encrypt email messages.

- timeStamping

  Indicates that the certificate can be used to assert the time that an event occurred.

- ocspSigning

  Indicates that the certificate can be used to sign an OCSP (online certificate status protocol) response.
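The subject alternative name wildcard rule above is the part of certificate checking that clients most often get wrong, so the following is an added example (not code from the PingDirectory documentation or product) that implements it: a `*` is honoured only as the entire leftmost label and matches exactly one label, and an IP literal is compared only against iPAddress entries. The sample SAN contents are constructed, and rejecting partial wildcards such as `w*.example.com` is a conservative assumption of this example rather than a rule stated on the page.

```python
import ipaddress

# Constructed sample subjectAltName contents; not taken from any real certificate.
SAMPLE_DNS_NAMES = ["ldap.example.com", "*.example.com"]
SAMPLE_IP_ADDRESSES = ["192.0.2.10"]


def dns_name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only when it is the whole leftmost label and it matches exactly
    one label: "*.example.com" covers "www.example.com" but neither
    "ldap.east.example.com" nor "example.com".
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san or not host or "*" in host:
        return False
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Assumption (conservative): partial wildcards ("w*.example.com") and
    # wildcards anywhere but the leftmost label are never honoured.
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    # Assumption (conservative): require at least two fixed labels so that
    # "*" or "*.com" cannot cover whole top-level domains.
    if len(san_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label.
    if len(host_labels) != len(san_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == san_labels[1:]


def hostname_matches_san(hostname: str, dns_names, ip_addresses) -> bool:
    """Decide whether the name the client used to reach the server is covered.

    IP literals (including bracketed IPv6) are compared only against
    iPAddress entries; a dNSName entry never covers an IP literal.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(entry) for entry in ip_addresses)
    return any(dns_name_matches(entry, hostname) for entry in dns_names)


if __name__ == "__main__":
    for name in ["www.example.com", "ldap.east.example.com", "192.0.2.10"]:
        print(name, hostname_matches_san(name, SAMPLE_DNS_NAMES, SAMPLE_IP_ADDRESSES))
```

A client that applies these rules refuses a certificate whose wildcard is broader than the page describes, which is the check the "Clients should take this information into account" sentence asks for.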
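To show how the key usage and extended key usage lists above are actually carried in a certificate, here is an added example (not code from the PingDirectory documentation or product) that decodes the DER value of each extension with the Python standard library only. Key usage is a BIT STRING whose bit positions follow RFC 5280 (the `dataEncipherment` bit is not in the list above but occupies position 3, so it is kept to keep the later bits aligned); extended key usage is a SEQUENCE of object identifiers. The sample DER bytes are constructed, and the `usable_as_tls_server` rule (serverAuth plus one of digitalSignature, keyEncipherment or keyAgreement) is this example's reading of RFC 5280, not a statement from the page.

```python
# Bit positions of the KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Object identifiers of the extended key usages listed above (RFC 5280, section 4.2.1.12).
EXTENDED_KEY_USAGE_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "ocspSigning",
}

# Constructed sample extension values (not from a real certificate).
SAMPLE_KEY_USAGE_DER = bytes.fromhex("030205a0")            # digitalSignature, keyEncipherment
SAMPLE_CA_KEY_USAGE_DER = bytes.fromhex("03020106")         # keyCertSign, cRLSign
SAMPLE_EKU_DER = bytes.fromhex("301406082b0601050507030106082b06010505070302")  # serverAuth, clientAuth


def _read_tlv(data: bytes, pos: int = 0):
    """Read one DER tag-length-value triple and return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def decode_key_usage(der: bytes) -> list:
    """Return the names of the bits set in a KeyUsage BIT STRING value."""
    tag, value, end = _read_tlv(der)
    if tag != 0x03 or end != len(der) or not value:
        raise ValueError("not a single DER BIT STRING")
    unused, bits = value[0], value[1:]
    # DER requires the unused (padding) bits of the last byte to be zero.
    if unused > 7 or (bits and unused and bits[-1] & ((1 << unused) - 1)):
        raise ValueError("malformed BIT STRING padding")
    total = len(bits) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and bits[i // 8] & (0x80 >> (i % 8))]


def _decode_oid(value: bytes) -> str:
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    if not value or (len(value) > 1 and value[-1] & 0x80):
        raise ValueError("malformed OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    n = 0
    for b in value[1:]:                       # base-128, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def decode_extended_key_usage(der: bytes) -> list:
    """Return the usage names in an ExtKeyUsageSyntax SEQUENCE; unknown OIDs stay dotted."""
    tag, value, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    names, pos = [], 0
    while pos < len(value):
        tag, oid, pos = _read_tlv(value, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        dotted = _decode_oid(oid)
        names.append(EXTENDED_KEY_USAGE_OIDS.get(dotted, dotted))
    return names


def usable_as_tls_server(key_usage, extended_key_usage) -> bool:
    """Check that both extensions permit presenting the certificate as a TLS server.

    Assumption (this example's reading of RFC 5280): when present, extended key
    usage must include serverAuth and key usage must include digitalSignature,
    keyEncipherment or keyAgreement. None means the extension is absent.
    """
    if extended_key_usage is not None and "serverAuth" not in extended_key_usage:
        return False
    signing_or_exchange = {"digitalSignature", "keyEncipherment", "keyAgreement"}
    if key_usage is not None and not signing_or_exchange & set(key_usage):
        return False
    return True


if __name__ == "__main__":
    ku = decode_key_usage(SAMPLE_KEY_USAGE_DER)
    eku = decode_extended_key_usage(SAMPLE_EKU_DER)
    print(ku, eku, usable_as_tls_server(ku, eku))
```

The padding check matters in practice: a decoder that ignores non-zero padding bits accepts encodings that differ from what the issuer signed, which is exactly the ambiguity DER exists to remove.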
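The basic constraints row describes a limit that only makes sense when checked across a whole chain, so the following added example (not code from the PingDirectory documentation or product) walks a chain ordered leaf first and enforces, for every issuing certificate, the CA flag, the keyCertSign usage from the list above, and the maximum number of intermediates beneath it. The `CertInfo` record and the sample chain are constructed for the example; it assumes the chain contains no self-issued certificates, which RFC 5280 excludes from the path length count.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CertInfo:
    """The extension fields this check needs (constructed, not parsed from DER)."""
    subject: str
    is_ca: bool                            # basicConstraints cA flag
    path_len: Optional[int] = None         # basicConstraints pathLenConstraint; None = unlimited
    key_usage: Optional[frozenset] = None  # keyUsage bit names; None = extension absent


def check_chain_constraints(chain: List[CertInfo]) -> Tuple[bool, str]:
    """Check basicConstraints and keyCertSign along a chain ordered leaf first, root last.

    Every entry after the leaf is an issuer and must be a CA, must carry
    keyCertSign when it has a keyUsage extension, and must not have more
    intermediate CA certificates beneath it than its pathLenConstraint allows.
    Assumption: no self-issued certificates appear in the chain.
    """
    if not chain:
        return False, "empty chain"
    for index, cert in enumerate(chain):
        if index == 0:
            continue                       # the leaf issues nothing
        if not cert.is_ca:
            return False, f"{cert.subject} issued a certificate but is not a CA"
        if cert.key_usage is not None and "keyCertSign" not in cert.key_usage:
            return False, f"{cert.subject} lacks the keyCertSign key usage"
        intermediates_below = index - 1    # CA certificates between this one and the leaf
        if cert.path_len is not None and intermediates_below > cert.path_len:
            return False, (f"{cert.subject} allows {cert.path_len} intermediate(s) "
                           f"but {intermediates_below} appear beneath it")
    return True, "ok"


# Constructed sample chain: root -> issuing CA (pathLen 0) -> server certificate.
SAMPLE_ROOT = CertInfo("CN=Example Root CA", True, None, frozenset({"keyCertSign", "cRLSign"}))
SAMPLE_ISSUING = CertInfo("CN=Example Issuing CA", True, 0, frozenset({"keyCertSign", "cRLSign"}))
SAMPLE_LEAF = CertInfo("CN=ldap.example.com", False, None,
                       frozenset({"digitalSignature", "keyEncipherment"}))
SAMPLE_CHAIN = [SAMPLE_LEAF, SAMPLE_ISSUING, SAMPLE_ROOT]


if __name__ == "__main__":
    print(check_chain_constraints(SAMPLE_CHAIN))
```

Inserting a further CA beneath the issuing CA in the sample chain makes the check fail, because the issuing CA's pathLenConstraint of 0 means no intermediate certificate may appear below it.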
