Extensions provide additional context for a certificate beyond its subject, issuer, validity period, and public key. An extension can also be marked critical; a client that does not recognize a critical extension must reject the certificate rather than ignore the extension.
There are several types of extensions, but some of the most common include:
Extension | Description |
---|---|
Subject key identifier | Holds an identifier for the public key contained in the certificate, generally derived by hashing that key. |
Authority key identifier | Holds the subject key identifier of the issuer’s certificate. It helps a client locate the correct issuer certificate, especially when the server presents an incomplete certificate chain or the issuer has several certificates with the same name. |
Subject alternative name | Holds the list of names by which clients are expected to reference a server when establishing a connection to it. A client should trust a server’s certificate only if the name it used to connect is covered by this extension. There are several types of values, but the most common are DNS names, IP addresses, and URIs. DNS names should be fully qualified, but the leftmost component may optionally be a single asterisk, which matches exactly one label in that position. For example, “*.example.com” matches “www.example.com” or “ldap.example.com”, but does not match “ldap.east.example.com” or “example.com”. |
Key usage | Restricts the cryptographic operations for which the certificate’s key may be used, expressed as a set of standard key usage flags. |
Extended key usage | Complements the key usage extension with higher-level purposes, such as the protocols or roles the certificate may serve. When both extensions are present, the certificate should only be used for a purpose that both of them allow. |
Basic constraints | Indicates whether the certificate can act as a certification authority and, if so, optionally limits the number of intermediate CA certificates that may appear beneath it in a certificate chain (the end-entity certificate at the bottom of the chain is not counted). A client must reject a chain in which a certificate that does not assert the CA flag appears as an issuer. |
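The following is an added example, not code from the original page or from the product it documents. It shows two of the checks a TLS client performs using the extensions in the table above: matching the connected hostname against subject alternative name DNS entries (including the single-label wildcard rule) and enforcing basic constraints across a chain, where a pathLenConstraint of n permits at most n intermediate CA certificates beneath the constrained certificate. The `Cert` class and the sample chain are constructed stand-ins for parsed X.509 objects so that the example runs offline with no dependencies.

```python
"""Added example (not code from the original page or its product): two of
the checks a TLS client performs with the extensions described above,
using plain Python data structures in place of parsed X.509 objects."""
from dataclasses import dataclass, field
from typing import List, Optional


def dns_name_matches(san_entry: str, hostname: str) -> bool:
    """Match one Subject Alternative Name DNS entry against a hostname.

    Rules implemented:
      * comparison is case-insensitive on fully qualified names
      * an asterisk is only honoured as the whole leftmost label
      * the asterisk stands for exactly one label, so "*.example.com"
        matches "www.example.com" but not "ldap.east.example.com" or
        "example.com"
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Reject partial-label wildcards ("w*.example.com") and wildcards
    # anywhere other than the leftmost label ("www.*.com").
    if san_labels[0] != "*" or "*" in san[1:]:
        return False
    # A wildcard needs at least two labels to its right; "*.com" would
    # otherwise cover every name in a top-level domain.
    if len(san_labels) < 3:
        return False
    # One label for the asterisk, then the remaining labels must be equal.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def hostname_in_san(san_dns_names: List[str], hostname: str) -> bool:
    """True if any SAN DNS entry covers the hostname the client connected to."""
    return any(dns_name_matches(entry, hostname) for entry in san_dns_names)


@dataclass
class Cert:
    """Minimal stand-in for a parsed certificate (constructed for this example)."""
    subject: str
    is_ca: bool = False
    path_len: Optional[int] = None  # pathLenConstraint; None means unconstrained
    san_dns: List[str] = field(default_factory=list)


def check_basic_constraints(chain: List[Cert]) -> Optional[str]:
    """Validate the basic constraints of a chain ordered leaf first.

    Every issuing certificate must assert CA:TRUE. If it also carries a
    pathLenConstraint of n, at most n further CA certificates may appear
    between it and the leaf; the leaf itself is not counted.
    Returns None when the chain is acceptable, otherwise the reason.
    """
    if len(chain) < 2:
        return "chain must contain a leaf and at least one issuer"
    issuers = chain[1:]  # index 0 issued the leaf, the last is the trust anchor
    for position, ca in enumerate(issuers):
        if not ca.is_ca:
            return f"{ca.subject} issued a certificate but is not a CA"
        intermediates_below = position  # CA certs between this one and the leaf
        if ca.path_len is not None and intermediates_below > ca.path_len:
            return (f"{ca.subject} permits {ca.path_len} intermediate(s) "
                    f"but {intermediates_below} appear beneath it")
    return None


if __name__ == "__main__":
    # Constructed sample chain: leaf <- intermediate (pathlen 0) <- root.
    leaf = Cert("CN=ldap.example.com", san_dns=["*.example.com"])
    intermediate = Cert("CN=Example Issuing CA", is_ca=True, path_len=0)
    root = Cert("CN=Example Root CA", is_ca=True)
    print(hostname_in_san(leaf.san_dns, "ldap.example.com"))        # True
    print(hostname_in_san(leaf.san_dns, "ldap.east.example.com"))   # False
    print(check_basic_constraints([leaf, intermediate, root]))      # None
    # A second CA inserted beneath an intermediate with pathlen 0 is rejected.
    rogue = Cert("CN=Rogue Sub CA", is_ca=True)
    print(check_basic_constraints([leaf, rogue, intermediate, root]))
```

The path length check is the one most often got wrong in hand-written validators: the constraint counts CA certificates that follow the constrained certificate in the chain, not every certificate, so a leaf directly under an intermediate with pathLenConstraint 0 is valid, while any further CA beneath that intermediate is not.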