3.3.2. Certificate, CRL and OCSP response

Adding well known X.509 extensions

To add an extension, check the check box on the left of its extension name, fill in the value and register it.

Adding X.509 private extension

To add a private X.509 extension in the certificate or CRL editor, check the check box and fill in the private extension form as in the following figure. The form consists of the object identifier of the extension, the critical flag and the extension value. The value is the bare DER encoding and must not already be encapsulated in an 'OCTET STRING'; the editor adds that wrapper itself.

In this figure the extension value is given as the hexadecimal string '0c026666', which decodes to the following ASN.1 structure.

0c	UTF8String
02	length=2
6666	string 'ff'

You'll get the following ASN.1 structure in the certificate, with the value wrapped in an OCTET STRING.

  OCTET STRING, encapsulates {
    UTF8String 'ff'
  }

Macro in the 'authorityKeyIdentifier' and 'subjectKeyIdentifier' extensions

You can specify the keyIdentifier as any hexadecimal string computed by any method. However, copying and pasting the keyIdentifier value from the keypair editor every time in order to enter the correct keyIdentifier is tiresome. When you fill '%%AUTO%%' in the keyIdentifier field, the correct keyIdentifier value is set in your certificate or CRL.

Macro in the validity

You can specify validity dates relative to the current time with the '%%NOW%%' keyword. This macro has the following forms.

%%NOW%%			# current time
%%NOW-nDAYS%%		# n days before now
%%NOW+nDAYS%%		# n days after now

Sequence ordering

You will find an 'Order' field in the certificate editor and the CRL editor. With this test suite, you can specify the ordering of the elements of a SEQUENCE. For example, the following is the definition of 'SubjectAltName'. 'SubjectAltName' is a sequence of 'GeneralName', and 'GeneralName' is a CHOICE of 'rfc822Name', 'directoryName' and so on.

   SubjectAltName ::= GeneralNames

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }

In the certificate editor, you can choose from 'rfc822Name', 'dNSName', 'directoryName' and 'iPAddress'. If you want the first element of the sequence to be 'iPAddress' and the second 'dNSName', set the order value to '1' for 'iPAddress', '2' for 'dNSName', and 'None' for 'rfc822Name' and 'directoryName'.
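As an added example covering both the private-extension section above and the sequence ordering just described (this is not code from the Challenge PKI Test Suite), the following Python contains a minimal DER encoder and a dumpasn1-style dumper. wrap_private_extension shows the '0c026666' value being wrapped in the OCTET STRING that the editor adds, and what the certificate ends up carrying if the form value was already encapsulated; build_general_names takes the editor's per-choice order values (None drops the entry) and emits the GeneralNames SEQUENCE in that order. The function names, the heuristic for opening up OCTET STRING contents, and the sample values (10.0.0.1, example.com) are assumptions made for this example.

```python
import ipaddress

# Added example, not part of the Challenge PKI Test Suite: a minimal DER encoder and a
# dumpasn1-style dumper, used to show how the editor wraps a private extension value
# and how the 'Order' field arranges a GeneralNames SEQUENCE.
UNIVERSAL_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x06: "OBJECT IDENTIFIER",
                   0x0C: "UTF8String", 0x16: "IA5String", 0x30: "SEQUENCE"}
# Context tags of the four GeneralName choices the certificate editor offers (from the CHOICE above).
GENERAL_NAME_TAG = {"rfc822Name": 1, "dNSName": 2, "directoryName": 4, "iPAddress": 7}


def der_length(n):
    """DER definite-length octets: one byte below 128, otherwise 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag octet + length octets + content octets."""
    return bytes([tag]) + der_length(len(content)) + content


def wrap_private_extension(value_hex):
    """The form takes the bare DER value; the certificate carries it inside an OCTET STRING."""
    return der_tlv(0x04, bytes.fromhex(value_hex))


def build_general_names(entries):
    """entries maps a GeneralName choice to (order, value). order None drops the entry, as in the
    editor; the rest are emitted in ascending order. directoryName takes a pre-encoded Name (hex)."""
    chosen = sorted((order, choice, value) for choice, (order, value) in entries.items() if order is not None)
    if len({o for o, _, _ in chosen}) != len(chosen):
        raise ValueError("two entries share the same order value")
    out = b""
    for _, choice, value in chosen:
        tag = 0x80 | GENERAL_NAME_TAG[choice]   # context-specific, primitive (IMPLICIT tag)
        if choice == "iPAddress":
            content = ipaddress.ip_address(value).packed
        elif choice == "directoryName":
            tag |= 0x20                           # [4] is EXPLICIT because Name is a CHOICE: constructed
            content = bytes.fromhex(value)
        else:
            content = value.encode("ascii")       # the IA5String choices
        out += der_tlv(tag, content)
    return der_tlv(0x30, out)


def _read_tlv(blob, pos):
    """Parse one TLV at pos; returns (tag, content, next_pos) or None if malformed."""
    if pos + 2 > len(blob):
        return None
    tag, length, start = blob[pos], blob[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or start + n > len(blob):
            return None
        length, start = int.from_bytes(blob[start:start + n], "big"), start + n
    if start + length > len(blob):
        return None
    return tag, blob[start:start + length], start + length


def looks_like_der(blob):
    """Heuristic, as dumpasn1 uses: the blob is a run of TLVs that consume it exactly."""
    pos = 0
    while pos < len(blob):
        tlv = _read_tlv(blob, pos)
        if tlv is None:
            return False
        pos = tlv[2]
    return len(blob) > 0


def dump(der, indent=0):
    """Return dumpasn1-style lines for a DER blob; OCTET STRING contents that parse are opened up."""
    lines, pos, pad = [], 0, "  " * indent
    while pos < len(der):
        tlv = _read_tlv(der, pos)
        if tlv is None:
            raise ValueError("malformed DER at offset %d" % pos)
        tag, content, pos = tlv
        name = f"[{tag & 0x1F}]" if tag & 0xC0 == 0x80 else UNIVERSAL_NAMES.get(tag, f"tag 0x{tag:02x}")
        if tag & 0x20:
            lines += [f"{pad}{name} {{", *dump(content, indent + 1), f"{pad}}}"]
        elif tag == 0x04 and looks_like_der(content):
            lines += [f"{pad}OCTET STRING, encapsulates {{", *dump(content, indent + 1), f"{pad}}}"]
        elif tag in (0x0C, 0x16):
            lines.append(f"{pad}{name} '{content.decode()}'")
        else:
            lines.append(f"{pad}{name} {content.hex()}")
    return lines


if __name__ == "__main__":
    print("\n".join(dump(wrap_private_extension("0c026666"))))      # the dump shown in the manual
    print("\n".join(dump(wrap_private_extension("04040c026666"))))  # value entered already encapsulated
    names = {"iPAddress": (1, "10.0.0.1"), "dNSName": (2, "example.com"),
             "rfc822Name": (None, "user@example.com"), "directoryName": (None, "")}
    print("\n".join(dump(build_general_names(names))))
```

The second dump prints a doubly nested OCTET STRING, which is the concrete effect of ignoring the note that the form value must not be encapsulated: a verifier expecting the inner type directly under extnValue will reject or misparse the extension.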

You can specify the ordering in the following extensions.

Certificate	subjectAltName
Certificate	issuerAltName
Certificate	cRLDistributionPoints
CRL		issuerAltName
CRL		issuingDistributionPoint

serialNumber and cRLNumber issue

In order to conform to RFC 3280, a non-negative value must be specified as the serialNumber value when the combo box is 'dec', and the hexadecimal string must begin with a character between '0' and '7' when the combo box is 'hex' (a first digit of '8' to 'f' sets the sign bit, so the INTEGER is negative).

attribute	RFC 3280 profile
serialNumber	MUST	non-negative, up to 20 octets
cRLNumber	MUST	up to 20 octets

Of course this test suite can also issue certificates which do not conform to RFC 3280, such as a value longer than 20 octets or a negative integer value. See the following examples.

serialNumber values CONFORMING TO RFC 3280

  hex:12345678 (begins with 0-7)
  hex:0102030405060708090001020304050607080900 (strlen=40, i.e. 20 octets)

serialNumber values NOT CONFORMING TO RFC 3280

  hex:82345678 (begins with 8-f, i.e. a negative value)
  hex:0102030405060708090001020304050607080900ff (strlen=42, i.e. 21 octets)
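As an added example (not the test suite's own code), the following Python applies the two RFC 3280 rules above to an editor value and makes the '0'-'7' rule concrete. In 'hex' mode the string is taken as the INTEGER content octets, so a first digit of 8-f is the two's-complement sign bit and the value is negative; in 'dec' mode the string is a number, and its minimal DER content octets get a leading 00 when the top bit would otherwise be set, which is why the same digits can conform in one mode and not the other. The function names and the 2**159 boundary values are assumptions made for this example; the four hex inputs are the ones listed above.

```python
# Added example, not part of the Challenge PKI Test Suite: check a serialNumber or cRLNumber
# editor value against the RFC 3280 profile (non-negative, at most 20 DER INTEGER content octets).

MAX_OCTETS = 20


def integer_content_octets(n):
    """DER INTEGER content octets for a Python int (two's complement, big-endian).
    Minimal for non-negative values: the extra bit in (bit_length + 8) // 8 reserves a sign bit,
    so a positive value whose top bit is set gets a leading 0x00 octet."""
    if n == 0:
        return b"\x00"
    length = (n.bit_length() + 8) // 8
    return n.to_bytes(length, "big", signed=True)


def check_serial(mode, text):
    """mode is the editor's combo box value, 'dec' or 'hex'.
    Returns (conforms, integer value, content octets, list of reasons for non-conformance)."""
    reasons = []
    if mode == "dec":
        value = int(text, 10)
        content = integer_content_octets(value)
    elif mode == "hex":
        # In hex mode the string IS the content octets, so its first bit is the sign bit.
        content = bytes.fromhex(text)
        value = int.from_bytes(content, "big", signed=True)
    else:
        raise ValueError("mode must be 'dec' or 'hex'")
    if value < 0:
        reasons.append("negative value (in hex mode a first digit of 8-f sets the sign bit)")
    if len(content) > MAX_OCTETS:
        reasons.append(f"{len(content)} content octets, more than {MAX_OCTETS}")
    return (not reasons, value, content, reasons)


if __name__ == "__main__":
    samples = [
        ("hex", "12345678"),
        ("hex", "0102030405060708090001020304050607080900"),
        ("hex", "82345678"),
        ("hex", "0102030405060708090001020304050607080900ff"),
        ("dec", str(0x82345678)),   # same digits as the negative hex case, but positive in dec mode
        ("dec", str(2**159)),       # smallest non-negative value needing 21 content octets
    ]
    for mode, text in samples:
        ok, value, content, reasons = check_serial(mode, text)
        verdict = "conforms" if ok else "does not conform: " + "; ".join(reasons)
        print(f"{mode}:{text} -> content {content.hex()} ({len(content)} octets), {verdict}")
```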


JNSA/IPA Challenge PKI Test Suite