To add an extension, check the checkbox to the left of its extension name, fill in the value, and then register it.
To add a private X.509 extension in the certificate and CRL editor, check the checkbox and fill in the private extension form as shown in the following figure. The form consists of the object identifier of the extension, the critical flag, and the extension value, which should not be encapsulated in an 'OCTET STRING'.
In this figure, the extension value is given as the hexadecimal string '0c026666', which means the following ASN.1 structure.
```
0c    UTF8STRING
02    length=2
6666  string 'ff'
```
You'll get the ASN.1 structure in the certificate like this.
```
SEQUENCE {
  OBJECT IDENTIFIER '1 2 3'
  BOOLEAN TRUE
  OCTET STRING, encapsulates {
    UTF8String 'ff'
  }
}
```
You can specify the keyIdentifier as any hexadecimal string, computed with any calculation method. However, copying and pasting the keyIdentifier value from the keypair editor in order to enter the correct keyIdentifier may tire you out. When you enter '%%AUTO%%' in the keyIdentifier field, the correct keyIdentifier value will be set in your certificate or CRL.
You can specify the validity dates relative to the current time with the '%%NOW%%' keyword. This macro has the following forms.
```
%%NOW%%         # current time
%%NOW-nDAYS%%   # n days before now
%%NOW+nDAYS%%   # n days after now
```
You will find an 'Order' field in the certificate editor and the CRL editor. With this test suite, you can specify the ordering of a SEQUENCE. For example, the following is the definition of 'SubjectAltName'. 'SubjectAltName' is a sequence of 'GeneralName'. 'GeneralName' may be selected from 'rfc822Name', 'directoryName', and others.
```
SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
     otherName                       [0]     OtherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }
```
In the 'certificate editor', you can choose from 'rfc822Name', 'dNSName', 'directoryName' or 'iPAddress'. If you want the first element of the sequence to be 'iPAddress' and the second to be 'dNSName', set the order value to '1' for 'iPAddress', '2' for 'dNSName', and 'None' for 'rfc822Name' and 'directoryName'.
You can specify the ordering in the following extensions.
- Certificate subjectAltName
- Certificate issuerAltName
- Certificate cRLDistributionPoints
- CRL issuerAltName
- CRL issuingDistributionPoint

In order to conform to RFC3280, a non-negative value should be specified as the serialNumber value when the combo box is 'dec', or the hexadecimal string should begin with a character between '0' and '7' when the combo box is 'hex'.
attribute | RFC3280 profile | |
---|---|---|
serialNumber | MUST | non-negative, up to 20 octets |
cRLNumber | MUST | up to 20 octets |
Of course, this test suite can also issue certificates that do not conform to RFC3280, such as ones with a value longer than 20 octets or a negative integer value. See the following example.
```
serialNumber value CONFORMED TO RFC3280
  hex:12345678 (begin with 0-7)
  hex:0102030405060708090001020304050607080900 (strlen=40 i.e. 20 octet)
  dec:123

serialNumber value NOT CONFORMED TO RFC3280
  hex:82345678 (begin with 8-f i.e. negative value)
  hex:0102030405060708090001020304050607080900ff (strlen=42)
  dec:-1234
```
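The serialNumber rule above can be checked mechanically, for example when validating certificates produced by the test suite. The following Python sketch is an added example, not part of the test suite: the function names are hypothetical, and it assumes the 'hex:' text is used verbatim as the content octets of the ASN.1 INTEGER, which is what the "begin with 8-f i.e. negative value" remark implies. It also covers a 'dec' edge case: a positive value whose encoding needs a leading 00 octet and so reaches 21 octets.

```python
MAX_OCTETS = 20  # RFC3280 profile: serialNumber up to 20 octets


def content_octets(field):
    """Return the INTEGER content octets for a 'hex:...' or 'dec:...' input."""
    kind, _, text = field.partition(":")
    if kind == "hex":
        # Assumption: the hex string is taken as-is as the content octets.
        return bytes.fromhex(text)
    if kind == "dec":
        value = int(text)
        # Minimal two's-complement length, as DER requires for INTEGER.
        magnitude = value if value >= 0 else ~value
        length = magnitude.bit_length() // 8 + 1
        return value.to_bytes(length, "big", signed=True)
    raise ValueError("expected 'hex:' or 'dec:' prefix: %r" % field)


def check_serial(field):
    """Return a list of RFC3280 violations; an empty list means conforming."""
    octets = content_octets(field)
    problems = []
    if not octets:
        problems.append("empty value")
    elif octets[0] & 0x80:
        # High bit of the first octet set: two's-complement negative.
        problems.append("negative")
    if len(octets) > MAX_OCTETS:
        problems.append("longer than 20 octets")
    return problems


if __name__ == "__main__":
    samples = [
        # The six values listed in the example above.
        "hex:12345678",
        "hex:0102030405060708090001020304050607080900",
        "dec:123",
        "hex:82345678",
        "hex:0102030405060708090001020304050607080900ff",
        "dec:-1234",
        # Constructed edge case: positive, but encodes to 21 octets.
        "dec:%d" % (2 ** 159),
    ]
    for sample in samples:
        result = check_serial(sample)
        print(sample[:24], "->", result or "conforms")
```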