x509 extensions in other CAs
This page documents the x509 extensions (e.g. for CRLs, etc.) set by other CAs. The information
here is used by django-ca to initialize and sign certificate authorities and certificates.
Helpful descriptions of the meaning of various extensions can also be found in
x509v3_config(5SSL) (online).
Subject
In CA certificates
CA |
Subject |
Comodo |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority |
Comodo DV |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA |
Comodo EV |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA |
DST X3 |
/O=Digital Signature Trust Co./CN=DST Root CA X3 |
DigiCert EV Root |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA |
DigiCert Global Root |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA |
DigiCert HA Intermediate |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA |
DigiCert Secure Server |
/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA |
GeoTrust |
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA |
GlobalSign |
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA |
GlobalSign DV |
/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 |
GlobalSign R2 |
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign |
Go Daddy G2 |
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 |
Go Daddy G2 Intermediate |
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 |
Google G3 |
/C=US/O=Google Trust Services/CN=Google Internet Authority G3 |
IdenTrust |
/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 |
Let’s Encrypt X1 |
/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1 |
Let’s Encrypt X3 |
/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3 |
RapidSSL G3 |
/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 |
StartSSL |
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority |
StartSSL class 2 |
/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 3 OV Server CA |
StartSSL class 2 |
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA |
TrustID Server A52 |
/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52 |
In signed certificates
Certificate |
Subject |
Comodo DV |
/OU=Domain Control Validated/OU=PositiveSSL/CN=kode.im |
Comodo EV |
/serialNumber=3910805/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Delaware/businessCategory=Private Organization/C=US/postalCode=07013/ST=New Jersey/L=Clifton/streetAddress=Suite 100/streetAddress=1255 Broad St/O=Comodo Security Solutions, Inc./OU=COMODO EV SSL/CN=www.comodo.com |
DigiCert HA Intermediate |
/C=US/ST=California/L=Sunnyvale/O=Oath Inc/CN=*.www.yahoo.com |
DigiCert Secure Server |
/C=AT/L=Vienna/O=Standard Verlagsgesellschaft m.b.H./OU=IT/CN=www.derstandard.at |
GlobalSign DV |
/OU=Domain Control Validated/CN=www.ajabber.me |
Go Daddy G2 Intermediate |
/OU=Domain Control Validated/CN=derstandard.at |
Google G3 |
/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com |
Let’s Encrypt X1 |
/CN=id.er.tl |
Let’s Encrypt X3 |
/CN=jabber.at |
RapidSSL G3 |
/OU=GT12798798/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.jabber.de |
StartSSL class 2 |
/C=AT/ST=Wien/L=Wien/O=Mathias Ertl/CN=www.fsinf.at/emailAddress=hostmaster@fsinf.at |
StartSSL class 3 |
/C=AT/ST=Wien/L=Wien/O=Adspired Technologies GmbH/CN=adverity.com |
TrustID Server A52 |
/CN=identrust.com/O=IDENTRUST SERVICES LLC/L=Salt Lake City/ST=Utah/C=US |
Issuer
The issuer is an X.509 Name identifying who signed the certificate. For root CAs, the
issuer has the same value as the subject.
In CA certificates
CA |
Issuer |
Comodo |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority |
Comodo DV |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority |
Comodo EV |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority |
DST X3 |
/O=Digital Signature Trust Co./CN=DST Root CA X3 |
DigiCert EV Root |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA |
DigiCert Global Root |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA |
DigiCert HA Intermediate |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA |
DigiCert Secure Server |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA |
GeoTrust |
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA |
GlobalSign |
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA |
GlobalSign DV |
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA |
GlobalSign R2 |
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign |
Go Daddy G2 |
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 |
Go Daddy G2 Intermediate |
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 |
Google G3 |
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign |
IdenTrust |
/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 |
Let’s Encrypt X1 |
/O=Digital Signature Trust Co./CN=DST Root CA X3 |
Let’s Encrypt X3 |
/O=Digital Signature Trust Co./CN=DST Root CA X3 |
RapidSSL G3 |
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA |
StartSSL |
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority |
StartSSL class 2 |
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority |
StartSSL class 2 |
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority |
TrustID Server A52 |
/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 |
In signed certificates
Certificate |
Issuer |
Comodo DV |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA |
Comodo EV |
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA |
DigiCert HA Intermediate |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA |
DigiCert Secure Server |
/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA |
GlobalSign DV |
/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 |
Go Daddy G2 Intermediate |
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 |
Google G3 |
/C=US/O=Google Trust Services/CN=Google Internet Authority G3 |
Let’s Encrypt X1 |
/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1 |
Let’s Encrypt X3 |
/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3 |
RapidSSL G3 |
/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 |
StartSSL class 2 |
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA |
StartSSL class 3 |
/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 3 OV Server CA |
TrustID Server A52 |
/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52 |
authorityInfoAccess
The “CA Issuers” field is a URI pointing to the signing certificate. The certificate is in DER/ASN1 format
and has a Content-Type: application/x-x509-ca-cert header (except where noted).
In CA certificates
Let’s Encrypt is notable here because its CA Issuers field points to a pkcs7 file and the HTTP
response returns a Content-Type: application/x-pkcs7-mime header.
The certificate pointed to by the CA Issuers field is the root certificate (so the Comodo DV CA
points to the AddTrust CA that signed the Comodo Root CA).
CA |
Critical |
Values |
Comodo |
|
|
Comodo DV |
✗ |
- caIssuers: URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
- OCSP: URI:http://ocsp.comodoca.com
|
Comodo EV |
✗ |
- caIssuers: URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
- OCSP: URI:http://ocsp.comodoca.com
|
DST X3 |
|
|
DigiCert EV Root |
|
|
DigiCert Global Root |
|
|
DigiCert HA Intermediate |
✗ |
- OCSP: URI:http://ocsp.digicert.com
|
DigiCert Secure Server |
✗ |
- OCSP: URI:http://ocsp.digicert.com
|
GeoTrust |
|
|
GlobalSign |
|
|
GlobalSign DV |
✗ |
- OCSP: URI:http://ocsp.globalsign.com/rootr1
|
GlobalSign R2 |
|
|
Go Daddy G2 |
|
|
Go Daddy G2 Intermediate |
✗ |
- OCSP: URI:http://ocsp.godaddy.com/
|
Google G3 |
✗ |
- OCSP: URI:http://ocsp.pki.goog/gsr2
|
IdenTrust |
|
|
Let’s Encrypt X1 |
✗ |
- OCSP: URI:http://isrg.trustid.ocsp.identrust.com
- caIssuers: URI:http://apps.identrust.com/roots/dstrootcax3.p7c
|
Let’s Encrypt X3 |
✗ |
- OCSP: URI:http://isrg.trustid.ocsp.identrust.com
- caIssuers: URI:http://apps.identrust.com/roots/dstrootcax3.p7c
|
RapidSSL G3 |
✗ |
- OCSP: URI:http://g.symcd.com
|
StartSSL |
|
|
StartSSL class 2 |
✗ |
- OCSP: URI:http://ocsp.startssl.com
- caIssuers: URI:http://aia.startssl.com/certs/ca.crt
|
StartSSL class 2 |
✗ |
- OCSP: URI:http://ocsp.startssl.com/ca
- caIssuers: URI:http://aia.startssl.com/certs/ca.crt
|
TrustID Server A52 |
✗ |
- OCSP: URI:http://commercial.ocsp.identrust.com
- caIssuers: URI:http://validation.identrust.com/roots/commercialrootca1.p7c
|
In signed certificates
Let’s Encrypt is again special in that the response has a Content-Type: application/pkix-cert
header (but at least it’s in DER format like every other certificate). RapidSSL uses
Content-Type: text/plain.
The CA Issuers field sometimes points to the signing certificate (e.g. StartSSL) or to the root CA
(e.g. Comodo DV, which points to the AddTrust Root CA).
Certificate |
Critical |
Values |
Comodo DV |
✗ |
- caIssuers: URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
- OCSP: URI:http://ocsp.comodoca.com
|
Comodo EV |
✗ |
- caIssuers: URI:http://crt.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crt
- OCSP: URI:http://ocsp.comodoca.com
|
DigiCert HA Intermediate |
✗ |
- OCSP: URI:http://ocsp.digicert.com
- caIssuers: URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
|
DigiCert Secure Server |
✗ |
- OCSP: URI:http://ocsp.digicert.com
- caIssuers: URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
|
GlobalSign DV |
✗ |
- caIssuers: URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
- OCSP: URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2
|
Go Daddy G2 Intermediate |
✗ |
- OCSP: URI:http://ocsp.godaddy.com/
- caIssuers: URI:http://certificates.godaddy.com/repository/gdig2.crt
|
Google G3 |
✗ |
- caIssuers: URI:http://pki.goog/gsr2/GTSGIAG3.crt
- OCSP: URI:http://ocsp.pki.goog/GTSGIAG3
|
Let’s Encrypt X1 |
✗ |
- OCSP: URI:http://ocsp.int-x1.letsencrypt.org/
- caIssuers: URI:http://cert.int-x1.letsencrypt.org/
|
Let’s Encrypt X3 |
✗ |
- OCSP: URI:http://ocsp.int-x3.letsencrypt.org
- caIssuers: URI:http://cert.int-x3.letsencrypt.org/
|
RapidSSL G3 |
✗ |
- OCSP: URI:http://gv.symcd.com
- caIssuers: URI:http://gv.symcb.com/gv.crt
|
StartSSL class 2 |
✗ |
- OCSP: URI:http://ocsp.startssl.com/sub/class2/server/ca
- caIssuers: URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
|
StartSSL class 3 |
✗ |
- OCSP: URI:http://ocsp.startssl.com
- caIssuers: URI:http://aia.startssl.com/certs/sca.server3.crt
|
TrustID Server A52 |
✗ |
- OCSP: URI:http://commercial.ocsp.identrust.com
- caIssuers: URI:http://validation.identrust.com/certs/trustidcaa52.p7c
|
authorityKeyIdentifier
A hash identifying the CA used to sign the certificate. In theory the identifier may also be based
on the issuer name and serial number, but in the wild, all certificates reference the
subjectKeyIdentifier. Self-signed certificates (e.g. Root CAs, like StartSSL and Comodo
below) reference themselves, while signed certificates reference the signing CA, e.g.:
Name | subjectKeyIdentifier | authorityKeyIdentifier |
Root CA | foo | foo |
Intermediate CA | bar | foo |
Client Cert | bla | bar |
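Key identifiers are what a client uses to sort an unordered bundle into a chain. The following added example (not code from django-ca) does that with names and identifiers copied from the tables on this page; the `Cert` record and the function names are hypothetical. It matches on issuer name as well as key identifier because Let’s Encrypt X1 and X3 list the same subjectKeyIdentifier.

```python
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    label: str
    subject: str
    issuer: str
    ski: Optional[str]  # subjectKeyIdentifier digest
    aki: Optional[str]  # authorityKeyIdentifier key identifier, None if absent


# Names and key identifiers copied from the tables on this page.
DST = "/O=Digital Signature Trust Co./CN=DST Root CA X3"
LE_X1 = "/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1"
LE_X3 = "/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3"
DC_ROOT = "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA"
DC_SUB = "/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA"
DC_LEAF = "/C=AT/L=Vienna/O=Standard Verlagsgesellschaft m.b.H./OU=IT/CN=www.derstandard.at"

K_DST = "C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10"
K_LE = "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1"
K_JABBER = "77:37:2D:FC:89:22:11:A0:61:E0:AC:6C:F4:1D:98:31:1B:B2:B3:88"
K_DC_ROOT = "03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55"
K_DC_SUB = "0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2"
K_DC_LEAF = "08:D7:53:9D:80:0B:FA:B0:39:7E:74:D8:55:DD:A7:EB:C8:BE:16:9C"

POOL = [
    Cert("DST X3", DST, DST, K_DST, None),  # root without authorityKeyIdentifier
    Cert("Let’s Encrypt X1", LE_X1, DST, K_LE, K_DST),
    Cert("Let’s Encrypt X3", LE_X3, DST, K_LE, K_DST),  # same key id as X1
    Cert("jabber.at", "/CN=jabber.at", LE_X3, K_JABBER, K_LE),
    Cert("DigiCert Global Root", DC_ROOT, DC_ROOT, K_DC_ROOT, K_DC_ROOT),  # AKI == SKI
    Cert("DigiCert Secure Server", DC_SUB, DC_ROOT, K_DC_SUB, K_DC_ROOT),
    Cert("www.derstandard.at", DC_LEAF, DC_SUB, K_DC_LEAF, K_DC_SUB),
]


def key_id_matches(cert: Cert, pool: List[Cert]) -> List[str]:
    """Labels of every certificate whose SKI equals cert's AKI (name ignored)."""
    return [c.label for c in pool if c.ski == cert.aki]


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Return the issuing certificate from the pool, or None if it is missing."""
    candidates = [c for c in pool if c.subject == cert.issuer]
    if cert.aki is not None:
        # The key identifier picks the right key when one CA name has several.
        candidates = [c for c in candidates if c.ski == cert.aki]
    if len(candidates) > 1:
        raise ValueError(f"ambiguous issuer for {cert.label}")
    return candidates[0] if candidates else None


def is_root(cert: Cert) -> bool:
    """Self-issued, with the AKI either absent or pointing at the cert itself."""
    return cert.subject == cert.issuer and cert.aki in (None, cert.ski)


def build_chain(leaf: Cert, pool: List[Cert]) -> List[str]:
    """Order certificates from leaf to root using issuer name and key identifiers.

    This only selects candidates; every signature in the chain must still be
    verified before the chain is trusted.
    """
    chain = [leaf]
    while not is_root(chain[-1]):
        issuer = find_issuer(chain[-1], pool)
        if issuer is None:
            raise LookupError(f"no issuer found for {chain[-1].label}")
        if issuer in chain:
            raise ValueError(f"loop at {issuer.label}")
        chain.append(issuer)
    return [c.label for c in chain]


if __name__ == "__main__":
    for leaf in (POOL[3], POOL[6]):
        print(" -> ".join(build_chain(leaf, POOL)))
```
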
In CA certificates
Root CAs usually have a value identical to the subjectKeyIdentifier, but
some root CAs do not include this extension at all.
CA |
Critical |
Key identifier |
Issuer |
Serial |
Comodo |
|
|
|
|
Comodo DV |
✗ |
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 |
✗ |
✗ |
Comodo EV |
✗ |
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 |
✗ |
✗ |
DST X3 |
|
|
|
|
DigiCert EV Root |
✗ |
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
✗ |
✗ |
DigiCert Global Root |
✗ |
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 |
✗ |
✗ |
DigiCert HA Intermediate |
✗ |
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
✗ |
✗ |
DigiCert Secure Server |
✗ |
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 |
✗ |
✗ |
GeoTrust |
✗ |
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E |
✗ |
✗ |
GlobalSign |
|
|
|
|
GlobalSign DV |
✗ |
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B |
✗ |
✗ |
GlobalSign R2 |
✗ |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
✗ |
✗ |
Go Daddy G2 |
|
|
|
|
Go Daddy G2 Intermediate |
✗ |
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE |
✗ |
✗ |
Google G3 |
✗ |
9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
✗ |
✗ |
IdenTrust |
|
|
|
|
Let’s Encrypt X1 |
✗ |
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
✗ |
✗ |
Let’s Encrypt X3 |
✗ |
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
✗ |
✗ |
RapidSSL G3 |
✗ |
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E |
✗ |
✗ |
StartSSL |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
✗ |
✗ |
StartSSL class 2 |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
✗ |
✗ |
StartSSL class 2 |
✗ |
4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
✗ |
✗ |
TrustID Server A52 |
✗ |
ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 |
✗ |
✗ |
In signed certificates
Certificate |
Critical |
Key identifier |
Issuer |
Serial |
Comodo DV |
✗ |
90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 |
✗ |
✗ |
Comodo EV |
✗ |
39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69 |
✗ |
✗ |
DigiCert HA Intermediate |
✗ |
51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B |
✗ |
✗ |
DigiCert Secure Server |
✗ |
0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2 |
✗ |
✗ |
GlobalSign DV |
✗ |
EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F |
✗ |
✗ |
Go Daddy G2 Intermediate |
✗ |
40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE |
✗ |
✗ |
Google G3 |
✗ |
77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B |
✗ |
✗ |
Let’s Encrypt X1 |
✗ |
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
✗ |
✗ |
Let’s Encrypt X3 |
✗ |
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
✗ |
✗ |
RapidSSL G3 |
✗ |
C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59 |
✗ |
✗ |
StartSSL class 2 |
✗ |
11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 |
✗ |
✗ |
StartSSL class 3 |
✗ |
B1:3F:1C:92:7B:92:B0:5A:25:B3:38:FB:9C:07:A4:26:50:32:E3:51 |
✗ |
✗ |
TrustID Server A52 |
✗ |
A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1 |
✗ |
✗ |
basicConstraints
The basicConstraints extension specifies if the certificate can be used as a certificate authority. It is
always marked as critical. The pathlen attribute specifies the levels of possible intermediate CAs. If not
present, the level of intermediate CAs is unlimited; a pathlen:0 means that the CA cannot itself issue
certificates with CA:TRUE.
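What the path length means for a concrete chain, as an added example (not django-ca code): the CA flags and path lengths are taken from the basicConstraints tables on this page, while `Entry`, `path_violations` and the "Example Sub CA" are constructed for illustration. It follows the RFC 5280 counting rule and assumes no self-issued certificates below the root.

```python
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    name: str
    ca: bool                # basicConstraints CA flag
    pathlen: Optional[int]  # None = no path length set (unlimited)


def path_violations(path: List[Entry]) -> List[str]:
    """Check basicConstraints along a path ordered root first, end entity last.

    RFC 5280 counts the intermediate certificates that follow a CA in the
    path; the last certificate in the path is not counted. Self-issued
    certificates are assumed not to occur below the root.
    """
    problems = []
    for i, cert in enumerate(path[:-1]):
        if not cert.ca:
            problems.append(f"{cert.name}: CA:FALSE but used as an issuer")
            continue
        if cert.pathlen is None:
            continue
        # Certificates strictly between this CA and the end of the path.
        intermediates = len(path) - i - 2
        if intermediates > cert.pathlen:
            problems.append(
                f"{cert.name}: pathlen:{cert.pathlen} but "
                f"{intermediates} intermediate CA(s) follow"
            )
    return problems


# Values from the tables on this page.
COMODO = Entry("Comodo", True, None)
COMODO_DV = Entry("Comodo DV", True, 0)
GODADDY = Entry("Go Daddy G2", True, None)
GODADDY_INT = Entry("Go Daddy G2 Intermediate", True, None)  # no path length set
LEAF = Entry("end-entity certificate", False, None)

# Constructed: a further CA issued by an intermediate.
SUB_CA = Entry("Example Sub CA", True, None)

if __name__ == "__main__":
    for path in (
        [COMODO, COMODO_DV, LEAF],
        [COMODO, COMODO_DV, SUB_CA, LEAF],
        [GODADDY, GODADDY_INT, SUB_CA, LEAF],
    ):
        names = " -> ".join(e.name for e in path)
        print(names, path_violations(path) or "ok")
```

An intermediate without a path length, like Go Daddy G2 Intermediate in the table below, places no limit on further sub-CAs, so the third path passes where the second does not.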
In CA certificates
Most root CAs do not set a Path Length, while most (but not all) intermediate CAs set a Path Length of 0.
CA |
Critical |
CA |
Path length |
Comodo |
✓ |
True |
None |
Comodo DV |
✓ |
True |
0 |
Comodo EV |
✓ |
True |
0 |
DST X3 |
✓ |
True |
None |
DigiCert EV Root |
✓ |
True |
None |
DigiCert Global Root |
✓ |
True |
None |
DigiCert HA Intermediate |
✓ |
True |
0 |
DigiCert Secure Server |
✓ |
True |
0 |
GeoTrust |
✓ |
True |
None |
GlobalSign |
✓ |
True |
None |
GlobalSign DV |
✓ |
True |
0 |
GlobalSign R2 |
✓ |
True |
None |
Go Daddy G2 |
✓ |
True |
None |
Go Daddy G2 Intermediate |
✓ |
True |
None |
Google G3 |
✓ |
True |
0 |
IdenTrust |
✓ |
True |
None |
Let’s Encrypt X1 |
✓ |
True |
0 |
Let’s Encrypt X3 |
✓ |
True |
0 |
RapidSSL G3 |
✓ |
True |
0 |
StartSSL |
✓ |
True |
None |
StartSSL class 2 |
✓ |
True |
0 |
StartSSL class 2 |
✓ |
True |
0 |
TrustID Server A52 |
✓ |
True |
None |
In signed certificates
Notably, some end-user certificates do not mark this extension as critical.
Certificate |
Critical |
CA |
Path length |
Comodo DV |
✓ |
False |
None |
Comodo EV |
✓ |
False |
None |
DigiCert HA Intermediate |
✓ |
False |
None |
DigiCert Secure Server |
✗ |
False |
None |
GlobalSign DV |
✗ |
False |
None |
Go Daddy G2 Intermediate |
✓ |
False |
None |
Google G3 |
✓ |
False |
None |
Let’s Encrypt X1 |
✓ |
False |
None |
Let’s Encrypt X3 |
✓ |
False |
None |
RapidSSL G3 |
✓ |
False |
None |
StartSSL class 2 |
✗ |
False |
None |
StartSSL class 3 |
✗ |
False |
None |
TrustID Server A52 |
|
|
|
certificatePolicies
In CA certificates
CA |
Critical |
Policies |
Comodo |
|
|
Comodo DV |
✗ |
- 2.5.29.32.0
- 2.23.140.1.2.1
|
Comodo EV |
✗ |
|
DST X3 |
|
|
DigiCert EV Root |
|
|
DigiCert Global Root |
|
|
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GeoTrust |
|
|
GlobalSign |
|
|
GlobalSign DV |
✗ |
|
GlobalSign R2 |
|
|
Go Daddy G2 |
|
|
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
✗ |
|
IdenTrust |
|
|
Let’s Encrypt X1 |
✗ |
|
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
✗ |
|
StartSSL |
✗ |
|
StartSSL class 2 |
✗ |
|
StartSSL class 2 |
✗ |
|
TrustID Server A52 |
✗ |
|
In signed certificates
Certificate |
Critical |
Policies |
Comodo DV |
✗ |
|
Comodo EV |
✗ |
|
DigiCert HA Intermediate |
✗ |
|
DigiCert Secure Server |
✗ |
|
GlobalSign DV |
✗ |
|
Go Daddy G2 Intermediate |
✗ |
|
Google G3 |
✗ |
- 1.3.6.1.4.1.11129.2.5.3
- 2.23.140.1.2.2
|
Let’s Encrypt X1 |
✗ |
- 2.23.140.1.2.1
- 1.3.6.1.4.1.44947.1.1.1:
|
Let’s Encrypt X3 |
✗ |
|
RapidSSL G3 |
✗ |
|
StartSSL class 2 |
✗ |
- 2.23.140.1.2.2
- 1.3.6.1.4.1.23223.1.2.3:
- http://www.startssl.com/policy.pdf
- User Notice: StartCom Certification Authority: 1: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
|
StartSSL class 3 |
✗ |
|
TrustID Server A52 |
✗ |
- 2.16.840.1.113839.0.6.3:
- 2.23.140.1.2.2:
|
crlDistributionPoints
In theory a complex multi-valued extension, this extension usually just holds a URI pointing to a
Certificate Revocation List (CRL).
Root certificate authorities (StartSSL, GeoTrust Global, GlobalSign) do not set this field. This
usually isn’t a problem since clients have a list of trusted root certificates anyway, and browsers
and distributions should get regular updates on the list of trusted certificates.
All CRLs linked here are in DER/ASN1 format, and the Content-Type header in the response is
set to application/pkix-crl. Only Comodo uses application/x-pkcs7-crl, but it is also in
DER/ASN1 format.
In CA certificates
CA |
Critical |
Names |
RDNs |
Issuer |
Reasons |
Comodo |
|
|
|
|
|
Comodo DV |
✗ |
URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl |
✗ |
✗ |
✗ |
Comodo EV |
✗ |
URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl |
✗ |
✗ |
✗ |
DST X3 |
|
|
|
|
|
DigiCert EV Root |
|
|
|
|
|
DigiCert Global Root |
|
|
|
|
|
DigiCert HA Intermediate |
✗ |
URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl |
✗ |
✗ |
✗ |
DigiCert Secure Server |
✗ |
URI:http://crl3.digicert.com/DigiCertGlobalRootCA.crl |
✗ |
✗ |
✗ |
|
|
URI:http://crl4.digicert.com/DigiCertGlobalRootCA.crl |
✗ |
✗ |
✗ |
GeoTrust |
|
|
|
|
|
GlobalSign |
|
|
|
|
|
GlobalSign DV |
✗ |
URI:http://crl.globalsign.net/root.crl |
✗ |
✗ |
✗ |
GlobalSign R2 |
✗ |
URI:http://crl.globalsign.net/root-r2.crl |
✗ |
✗ |
✗ |
Go Daddy G2 |
|
|
|
|
|
Go Daddy G2 Intermediate |
✗ |
URI:http://crl.godaddy.com/gdroot-g2.crl |
✗ |
✗ |
✗ |
Google G3 |
✗ |
URI:http://crl.pki.goog/gsr2/gsr2.crl |
✗ |
✗ |
✗ |
IdenTrust |
|
|
|
|
|
Let’s Encrypt X1 |
✗ |
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl |
✗ |
✗ |
✗ |
Let’s Encrypt X3 |
✗ |
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl |
✗ |
✗ |
✗ |
RapidSSL G3 |
✗ |
URI:http://g.symcb.com/crls/gtglobal.crl |
✗ |
✗ |
✗ |
StartSSL |
|
|
|
|
|
StartSSL class 2 |
✗ |
URI:http://crl.startssl.com/sfsca.crl |
✗ |
✗ |
✗ |
StartSSL class 2 |
✗ |
URI:http://crl.startssl.com/sfsca.crl |
✗ |
✗ |
✗ |
TrustID Server A52 |
✗ |
URI:http://validation.identrust.com/crl/commercialrootca1.crl |
✗ |
✗ |
✗ |
In signed certificates
Let’s Encrypt is so far the only CA that does not maintain a CRL for signed certificates. Major CAs
usually don’t fancy CRLs much because they are large files (e.g. Comodo’s CRL is 1.5MB) containing
all certificates and cause major traffic for CAs. OCSP is just better in every way.
Certificate |
Critical |
Names |
RDNs |
Issuer |
Reasons |
Comodo DV |
✗ |
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl |
✗ |
✗ |
✗ |
Comodo EV |
✗ |
URI:http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl |
✗ |
✗ |
✗ |
DigiCert HA Intermediate |
✗ |
URI:http://crl3.digicert.com/sha2-ha-server-g6.crl |
✗ |
✗ |
✗ |
|
|
URI:http://crl4.digicert.com/sha2-ha-server-g6.crl |
✗ |
✗ |
✗ |
DigiCert Secure Server |
✗ |
URI:http://crl3.digicert.com/ssca-sha2-g6.crl |
✗ |
✗ |
✗ |
|
|
URI:http://crl4.digicert.com/ssca-sha2-g6.crl |
✗ |
✗ |
✗ |
GlobalSign DV |
✗ |
URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl |
✗ |
✗ |
✗ |
Go Daddy G2 Intermediate |
✗ |
URI:http://crl.godaddy.com/gdig2s1-1015.crl |
✗ |
✗ |
✗ |
Google G3 |
✗ |
URI:http://crl.pki.goog/GTSGIAG3.crl |
✗ |
✗ |
✗ |
Let’s Encrypt X1 |
|
|
|
|
|
Let’s Encrypt X3 |
|
|
|
|
|
RapidSSL G3 |
✗ |
URI:http://gv.symcb.com/gv.crl |
✗ |
✗ |
✗ |
StartSSL class 2 |
✗ |
URI:http://crl.startssl.com/crt2-crl.crl |
✗ |
✗ |
✗ |
StartSSL class 3 |
✗ |
URI:http://crl.startssl.com/sca-server3.crl |
✗ |
✗ |
✗ |
TrustID Server A52 |
✗ |
URI:http://validation.identrust.com/crl/trustidcaa52.crl |
✗ |
✗ |
✗ |
extendedKeyUsage
A list of purposes for which the certificate can be used. CA certificates usually do not set
this field.
In CA certificates
CA |
Critical |
Usages |
Comodo |
|
|
Comodo DV |
✗ |
serverAuth, clientAuth |
Comodo EV |
|
|
DST X3 |
|
|
DigiCert EV Root |
|
|
DigiCert Global Root |
|
|
DigiCert HA Intermediate |
✗ |
serverAuth, clientAuth |
DigiCert Secure Server |
|
|
GeoTrust |
|
|
GlobalSign |
|
|
GlobalSign DV |
|
|
GlobalSign R2 |
|
|
Go Daddy G2 |
|
|
Go Daddy G2 Intermediate |
|
|
Google G3 |
✗ |
serverAuth, clientAuth |
IdenTrust |
|
|
Let’s Encrypt X1 |
|
|
Let’s Encrypt X3 |
|
|
RapidSSL G3 |
|
|
StartSSL |
|
|
StartSSL class 2 |
✗ |
clientAuth, serverAuth |
StartSSL class 2 |
|
|
TrustID Server A52 |
✗ |
serverAuth, clientAuth, Unknown OID, Unknown OID, Unknown OID |
In signed certificates
Certificate |
Critical |
Usages |
Comodo DV |
✗ |
serverAuth, clientAuth |
Comodo EV |
✗ |
serverAuth, clientAuth |
DigiCert HA Intermediate |
✗ |
serverAuth, clientAuth |
DigiCert Secure Server |
✗ |
serverAuth, clientAuth |
GlobalSign DV |
✗ |
serverAuth, clientAuth |
Go Daddy G2 Intermediate |
✗ |
serverAuth, clientAuth |
Google G3 |
✗ |
serverAuth |
Let’s Encrypt X1 |
✗ |
serverAuth, clientAuth |
Let’s Encrypt X3 |
✗ |
serverAuth, clientAuth |
RapidSSL G3 |
✗ |
serverAuth, clientAuth |
StartSSL class 2 |
✗ |
clientAuth, serverAuth |
StartSSL class 3 |
✗ |
clientAuth, serverAuth |
TrustID Server A52 |
✗ |
serverAuth, clientAuth |
issuerAltName
Only StartSSL sets this field in its signed certificates. It’s a URI pointing to their homepage.
In CA certificates
CA |
Critical |
Comodo |
|
Comodo DV |
|
Comodo EV |
|
DST X3 |
|
DigiCert EV Root |
|
DigiCert Global Root |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GeoTrust |
|
GlobalSign |
|
GlobalSign DV |
|
GlobalSign R2 |
|
Go Daddy G2 |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
IdenTrust |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL |
|
StartSSL class 2 |
|
StartSSL class 2 |
|
TrustID Server A52 |
|
In signed certificates
Certificate |
Critical |
Names |
Comodo DV |
|
|
Comodo EV |
|
|
DigiCert HA Intermediate |
|
|
DigiCert Secure Server |
|
|
GlobalSign DV |
|
|
Go Daddy G2 Intermediate |
|
|
Google G3 |
|
|
Let’s Encrypt X1 |
|
|
Let’s Encrypt X3 |
|
|
RapidSSL G3 |
|
|
StartSSL class 2 |
✗ |
URI:http://www.startssl.com/ |
StartSSL class 3 |
✗ |
URI:http://www.startssl.com/ |
TrustID Server A52 |
|
|
keyUsage
List of permitted key usages. Usually marked as critical, except for certificates signed by
StartSSL.
In CA certificates
CA |
Critical |
digital_signature |
content_commitment |
key_encipherment |
data_encipherment |
key_agreement |
key_cert_sign |
crl_sign |
encipher_only |
decipher_only |
Comodo |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Comodo DV |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Comodo EV |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
DST X3 |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
DigiCert EV Root |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
DigiCert Global Root |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
DigiCert HA Intermediate |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
DigiCert Secure Server |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
GeoTrust |
|
|
|
|
|
|
|
|
|
|
GlobalSign |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
GlobalSign DV |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
GlobalSign R2 |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Go Daddy G2 |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Go Daddy G2 Intermediate |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Google G3 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
IdenTrust |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Let’s Encrypt X1 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
Let’s Encrypt X3 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
RapidSSL G3 |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
StartSSL |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
StartSSL class 2 |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
StartSSL class 2 |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
TrustID Server A52 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✓ |
✓ |
✗ |
✗ |
In signed certificates
Certificate |
Critical |
digital_signature |
content_commitment |
key_encipherment |
data_encipherment |
key_agreement |
key_cert_sign |
crl_sign |
encipher_only |
decipher_only |
Comodo DV |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
Comodo EV |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
DigiCert HA Intermediate |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
DigiCert Secure Server |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
GlobalSign DV |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
Go Daddy G2 Intermediate |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
Google G3 |
✓ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
Let’s Encrypt X1 |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
Let’s Encrypt X3 |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
RapidSSL G3 |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
StartSSL class 2 |
✗ |
✓ |
✗ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
StartSSL class 3 |
✗ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
TrustID Server A52 |
✓ |
✓ |
✗ |
✓ |
✗ |
✗ |
✗ |
✗ |
✗ |
✗ |
nameConstraints
This extension is only valid in CAs and must be marked as critical, according to RFC 5280.
Only the expired Let’s Encrypt X1 sets this extension (to exclude .mil),
and it does not mark the extension as critical.
In CA certificates
CA |
Critical |
Permitted |
Excluded |
Comodo |
|
|
|
Comodo DV |
|
|
|
Comodo EV |
|
|
|
DST X3 |
|
|
|
DigiCert EV Root |
|
|
|
DigiCert Global Root |
|
|
|
DigiCert HA Intermediate |
|
|
|
DigiCert Secure Server |
|
|
|
GeoTrust |
|
|
|
GlobalSign |
|
|
|
GlobalSign DV |
|
|
|
GlobalSign R2 |
|
|
|
Go Daddy G2 |
|
|
|
Go Daddy G2 Intermediate |
|
|
|
Google G3 |
|
|
|
IdenTrust |
|
|
|
Let’s Encrypt X1 |
✗ |
✗ |
|
Let’s Encrypt X3 |
|
|
|
RapidSSL G3 |
|
|
|
StartSSL |
|
|
|
StartSSL class 2 |
|
|
|
StartSSL class 2 |
|
|
|
TrustID Server A52 |
|
|
|
In signed certificates
Certificate |
Critical |
Comodo DV |
|
Comodo EV |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GlobalSign DV |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL class 2 |
|
StartSSL class 3 |
|
TrustID Server A52 |
|
PrecertificateSignedCertificateTimestamps
This extension is used for Certificate Transparency and only makes sense in client certificates. It is
usually not marked as critical (since many clients do not support Certificate Transparency).
In CA certificates
CA |
Critical |
Comodo |
|
Comodo DV |
|
Comodo EV |
|
DST X3 |
|
DigiCert EV Root |
|
DigiCert Global Root |
|
DigiCert HA Intermediate |
|
DigiCert Secure Server |
|
GeoTrust |
|
GlobalSign |
|
GlobalSign DV |
|
GlobalSign R2 |
|
Go Daddy G2 |
|
Go Daddy G2 Intermediate |
|
Google G3 |
|
IdenTrust |
|
Let’s Encrypt X1 |
|
Let’s Encrypt X3 |
|
RapidSSL G3 |
|
StartSSL |
|
StartSSL class 2 |
|
StartSSL class 2 |
|
TrustID Server A52 |
|
In signed certificates
Certificate |
Critical |
Value |
Comodo DV |
|
|
Comodo EV |
✗ |
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
|
DigiCert HA Intermediate |
✗ |
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
|
DigiCert Secure Server |
✗ |
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
|
GlobalSign DV |
|
|
Go Daddy G2 Intermediate |
✗ |
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
|
Google G3 |
|
|
Let’s Encrypt X1 |
|
|
Let’s Encrypt X3 |
✗ |
- Type: PRE_CERTIFICATE, version: v1
- Type: PRE_CERTIFICATE, version: v1
|
RapidSSL G3 |
|
|
StartSSL class 2 |
|
|
StartSSL class 3 |
|
|
TrustID Server A52 |
|
|
subjectAltName
The subjectAltName extension is not present in any CA certificate, and in signed certificates it is
of course whatever the customer requests.
In CA certificates
CA |
Value |
Let’s Encrypt |
|
StartSSL |
|
StartSSL Class 2 |
|
StartSSL Class 3 |
|
GeoTrust Global |
|
RapidSSL G3 |
|
Comodo |
|
Comodo DV |
|
GlobalSign |
|
GlobalSign DV |
|
subjectKeyIdentifier
The subjectKeyIdentifier extension provides a means of identifying certificates. It is a
mandatory extension for CA certificates. Currently only RapidSSL does not set this for signed
certificates.
The value of the subjectKeyIdentifier extension reappears in the authorityKeyIdentifier
extension.
In CA certificates
CA | Critical | Digest |
Comodo | ✗ | BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 |
Comodo DV | ✗ | 90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 |
Comodo EV | ✗ | 39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69 |
DST X3 | ✗ | C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 |
DigiCert EV Root | ✗ | B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 |
DigiCert Global Root | ✗ | 03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 |
DigiCert HA Intermediate | ✗ | 51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B |
DigiCert Secure Server | ✗ | 0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2 |
GeoTrust | ✗ | C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E |
GlobalSign | ✗ | 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B |
GlobalSign DV | ✗ | EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F |
GlobalSign R2 | ✗ | 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E |
Go Daddy G2 | ✗ | 3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE |
Go Daddy G2 Intermediate | ✗ | 40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE |
Google G3 | ✗ | 77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B |
IdenTrust | ✗ | ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 |
Let’s Encrypt X1 | ✗ | A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
Let’s Encrypt X3 | ✗ | A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 |
RapidSSL G3 | ✗ | C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59 |
StartSSL | ✗ | 4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2 |
StartSSL class 2 | ✗ | B1:3F:1C:92:7B:92:B0:5A:25:B3:38:FB:9C:07:A4:26:50:32:E3:51 |
StartSSL class 2 | ✗ | 11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 |
TrustID Server A52 | ✗ | A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1 |
In signed certificates
Certificate | Critical | Digest |
Comodo DV | ✗ | F2:CB:1F:E9:6E:D5:43:E3:85:75:98:5F:97:7C:B0:59:7F:D5:C0:C0 |
Comodo EV | ✗ | 44:3E:73:30:EB:0B:1B:A7:A7:9D:0F:DA:79:96:4D:1A:87:E9:9D:21 |
DigiCert HA Intermediate | ✗ | 56:F7:45:D4:84:D1:3C:95:AD:58:14:2E:F4:D1:CC:2F:11:C0:73:F6 |
DigiCert Secure Server | ✗ | 08:D7:53:9D:80:0B:FA:B0:39:7E:74:D8:55:DD:A7:EB:C8:BE:16:9C |
GlobalSign DV | ✗ | 52:5A:45:5B:D4:9D:AC:65:30:BD:67:80:6C:D1:A1:3E:09:F7:FD:92 |
Go Daddy G2 Intermediate | ✗ | 2E:30:1A:46:41:F0:E8:1B:72:02:59:41:8A:CF:9D:1B:FA:98:8D:9E |
Google G3 | ✗ | 1F:0D:A6:EA:EA:2B:6E:96:1B:5C:99:B5:C3:3D:6F:5F:4B:0D:BE:9F |
Let’s Encrypt X1 | ✗ | F4:F3:B8:F5:43:90:2E:A2:7F:DD:51:4A:5F:3E:AC:FB:F1:33:EE:95 |
Let’s Encrypt X3 | ✗ | 77:37:2D:FC:89:22:11:A0:61:E0:AC:6C:F4:1D:98:31:1B:B2:B3:88 |
RapidSSL G3 | | |
StartSSL class 2 | ✗ | C7:AA:D9:A4:F0:BC:D1:C1:1B:05:D2:19:71:0A:86:F8:58:0F:F0:99 |
StartSSL class 3 | ✗ | F0:72:65:5E:21:AA:16:76:2C:6F:D0:63:53:0C:68:D5:89:50:2A:73 |
TrustID Server A52 | ✗ | BE:59:F0:29:27:4B:FC:0A:81:52:7C:DF:CD:02:D8:8F:A8:E5:C2:24 |
Other extensions
Extensions used by certificates encountered in the wild that django-ca does not (yet) support in
any way.
In CA certificates
Currently only the old StartSSL root CA has any unknown extension.
CA |
Extensions |
StartSSL |
- Netscape Cert Type (Critical: False, OID: 2.16.840.1.113730.1.1)
- Netscape Comment (Critical: False, OID: 2.16.840.1.113730.1.13)
|
In signed certificates
Currently no tested cert has any unknown extensions.
CRL Extensions
The extension values and other properties of CRLs found in the wild.
Data
CRL | Update freq. | hash |
Comodo EV/user | 4 days, 0:00:00 | sha256 |
DigiCert HA Intermediate/ca | 21 days, 0:00:00 | sha256 |
DigiCert HA Intermediate/user | 7 days, 0:00:00 | sha256 |
GlobalSign R2/ca | 197 days, 0:00:00 | sha256 |
Go Daddy G2/ca | 365 days, 0:00:00 | sha256 |
Go Daddy G2/user | 7 days, 0:00:00 | sha256 |
Google G3/ca | 197 days, 0:00:00 | sha256 |
Google G3/user | 10 days, 0:00:00 | sha256 |
Let’s Encrypt Authority X3/ca | 30 days, 0:00:00 | sha1 |
TrustID Server A52/ca | 30 days, 0:00:00 | sha256 |
TrustID Server A52/user | 1 day, 0:00:00 | sha256 |
Issuer
CRL | Issuer Name |
Comodo EV/user | /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA |
DigiCert HA Intermediate/ca | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA |
DigiCert HA Intermediate/user | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA |
GlobalSign R2/ca | /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign |
Go Daddy G2/ca | /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 |
Go Daddy G2/user | /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 |
Google G3/ca | /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign |
Google G3/user | /C=US/O=Google Trust Services/CN=Google Internet Authority G3 |
Let’s Encrypt Authority X3/ca | /O=Digital Signature Trust Co./CN=DST Root CA X3 |
TrustID Server A52/ca | /C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 |
TrustID Server A52/user | /C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52 |
authorityKeyIdentifier
The value of this extension matches the subjectKeyIdentifier of the CA that signed the CRL.
CRL | key_identifier | cert_issuer | cert_serial |
Comodo EV/user | 39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69 | ✗ | ✗ |
DigiCert HA Intermediate/ca | B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3 | ✗ | ✗ |
DigiCert HA Intermediate/user | 51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B | ✗ | ✗ |
GlobalSign R2/ca | 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E | ✗ | ✗ |
Go Daddy G2/ca | | | |
Go Daddy G2/user | 40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE | dirname:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 | 7 |
Google G3/ca | 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E | ✗ | ✗ |
Google G3/user | 77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B | ✗ | ✗ |
Let’s Encrypt Authority X3/ca | C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 | ✗ | ✗ |
TrustID Server A52/ca | ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76 | ✗ | ✗ |
TrustID Server A52/user | A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1 | ✗ | ✗ |
cRLNumber
CRL | number |
Comodo EV/user | 2631 |
DigiCert HA Intermediate/ca | 449 |
DigiCert HA Intermediate/user | 537 |
GlobalSign R2/ca | 31 |
Go Daddy G2/ca | |
Go Daddy G2/user | 24 |
Google G3/ca | 31 |
Google G3/user | 672 |
Let’s Encrypt Authority X3/ca | 197 |
TrustID Server A52/ca | 83 |
TrustID Server A52/user | 4193 |
issuingDistributionPoint
CRL | full name | relative name | only attr certs | only ca certs | only user certs | reasons | indirect CRL |
Comodo EV/user | | | | | | | |
DigiCert HA Intermediate/ca | | | | | | | |
DigiCert HA Intermediate/user | URI:http://crl3.digicert.com/sha2-ha-server-g6.crl | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
GlobalSign R2/ca | | | | | | | |
Go Daddy G2/ca | | | | | | | |
Go Daddy G2/user | URI:http://crl.godaddy.com/gdig2s1-1015.crl | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
Google G3/ca | | | | | | | |
Google G3/user | | | | | | | |
Let’s Encrypt Authority X3/ca | | | | | | | |
TrustID Server A52/ca | | | | | | | |
TrustID Server A52/user | | | | | | | |