x509 extensions in other CAs

This page documents the x509 extensions (e.g. for CRLs, etc.) set by other CAs. The information here is used by django-ca to initialize and sign certificate authorities and certificates.

Helpful descriptions of the meaning of various extensions can also be found in x509v3_config(5SSL) (online).

Subject

In CA certificates

CA	Subject
Comodo	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
Comodo DV	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Comodo EV	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
DST X3	/O=Digital Signature Trust Co./CN=DST Root CA X3
DigiCert EV Root	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
DigiCert Global Root	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
DigiCert HA Intermediate	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
DigiCert Secure Server	/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
GeoTrust	/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
GlobalSign	/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
GlobalSign DV	/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
GlobalSign R2	/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Go Daddy G2	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Go Daddy G2 Intermediate	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Google G3	/C=US/O=Google Trust Services/CN=Google Internet Authority G3
IdenTrust	/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
Let’s Encrypt X1	/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
Let’s Encrypt X3	/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
RapidSSL G3	/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
StartSSL	/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
StartSSL class 2	/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 3 OV Server CA
StartSSL class 2	/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
TrustID Server A52	/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52

In signed certificates

Certificate	Subject
Comodo DV	/OU=Domain Control Validated/OU=PositiveSSL/CN=kode.im
Comodo EV	/serialNumber=3910805/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=Delaware/businessCategory=Private Organization/C=US/postalCode=07013/ST=New Jersey/L=Clifton/streetAddress=Suite 100/streetAddress=1255 Broad St/O=Comodo Security Solutions, Inc./OU=COMODO EV SSL/CN=www.comodo.com
DigiCert HA Intermediate	/C=US/ST=California/L=Sunnyvale/O=Oath Inc/CN=*.www.yahoo.com
DigiCert Secure Server	/C=AT/L=Vienna/O=Standard Verlagsgesellschaft m.b.H./OU=IT/CN=www.derstandard.at
GlobalSign DV	/OU=Domain Control Validated/CN=www.ajabber.me
Go Daddy G2 Intermediate	/OU=Domain Control Validated/CN=derstandard.at
Google G3	/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
Let’s Encrypt X1	/CN=id.er.tl
Let’s Encrypt X3	/CN=jabber.at
RapidSSL G3	/OU=GT12798798/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.jabber.de
StartSSL class 2	/C=AT/ST=Wien/L=Wien/O=Mathias Ertl/CN=www.fsinf.at/emailAddress=hostmaster@fsinf.at
StartSSL class 3	/C=AT/ST=Wien/L=Wien/O=Adspired Technologies GmbH/CN=adverity.com
TrustID Server A52	/CN=identrust.com/O=IDENTRUST SERVICES LLC/L=Salt Lake City/ST=Utah/C=US

Issuer

The issuer is an X509 Name naming who signed the certificate. For root CAs, the issuer has the same value as the subject.

In CA certificates

CA	Issuer
Comodo	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
Comodo DV	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
Comodo EV	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
DST X3	/O=Digital Signature Trust Co./CN=DST Root CA X3
DigiCert EV Root	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
DigiCert Global Root	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
DigiCert HA Intermediate	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
DigiCert Secure Server	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
GeoTrust	/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
GlobalSign	/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
GlobalSign DV	/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
GlobalSign R2	/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Go Daddy G2	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Go Daddy G2 Intermediate	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Google G3	/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
IdenTrust	/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
Let’s Encrypt X1	/O=Digital Signature Trust Co./CN=DST Root CA X3
Let’s Encrypt X3	/O=Digital Signature Trust Co./CN=DST Root CA X3
RapidSSL G3	/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
StartSSL	/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
StartSSL class 2	/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
StartSSL class 2	/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
TrustID Server A52	/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1

In signed certificates

Certificate	Issuer
Comodo DV	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Comodo EV	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
DigiCert HA Intermediate	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
DigiCert Secure Server	/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
GlobalSign DV	/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
Go Daddy G2 Intermediate	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Google G3	/C=US/O=Google Trust Services/CN=Google Internet Authority G3
Let’s Encrypt X1	/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
Let’s Encrypt X3	/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
RapidSSL G3	/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
StartSSL class 2	/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
StartSSL class 3	/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 3 OV Server CA
TrustID Server A52	/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52

AuthorityInfoAccess

See also

https://tools.ietf.org/html/rfc5280#section-4.2.2.1

The “CA Issuers” is a URI pointing to the signing certificate. The certificate is in DER/ASN1 format and has a Content-Type: application/x-x509-ca-cert header (except where noted).

In CA certificates

Let’s Encrypt is notable here because its CA Issuers field points to a PKCS#7 file and the HTTP response returns a Content-Type: application/x-pkcs7-mime header.

The certificate pointed to by the CA Issuers field is the root certificate (so the Comodo DV CA points to the AddTrust CA that signed the Comodo Root CA).

CA	Critical	Values
Comodo
Comodo DV	✗	caIssuers: URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt OCSP: URI:http://ocsp.comodoca.com
Comodo EV	✗	caIssuers: URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt OCSP: URI:http://ocsp.comodoca.com
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate	✗	OCSP: URI:http://ocsp.digicert.com
DigiCert Secure Server	✗	OCSP: URI:http://ocsp.digicert.com
GeoTrust
GlobalSign
GlobalSign DV	✗	OCSP: URI:http://ocsp.globalsign.com/rootr1
GlobalSign R2
Go Daddy G2
Go Daddy G2 Intermediate	✗	OCSP: URI:http://ocsp.godaddy.com/
Google G3	✗	OCSP: URI:http://ocsp.pki.goog/gsr2
IdenTrust
Let’s Encrypt X1	✗	OCSP: URI:http://isrg.trustid.ocsp.identrust.com caIssuers: URI:http://apps.identrust.com/roots/dstrootcax3.p7c
Let’s Encrypt X3	✗	OCSP: URI:http://isrg.trustid.ocsp.identrust.com caIssuers: URI:http://apps.identrust.com/roots/dstrootcax3.p7c
RapidSSL G3	✗	OCSP: URI:http://g.symcd.com
StartSSL
StartSSL class 2	✗	OCSP: URI:http://ocsp.startssl.com caIssuers: URI:http://aia.startssl.com/certs/ca.crt
StartSSL class 2	✗	OCSP: URI:http://ocsp.startssl.com/ca caIssuers: URI:http://aia.startssl.com/certs/ca.crt
TrustID Server A52	✗	OCSP: URI:http://commercial.ocsp.identrust.com caIssuers: URI:http://validation.identrust.com/roots/commercialrootca1.p7c

In signed certificates

Let’s Encrypt is again special in that the response has a Content-Type: application/pkix-cert header (but at least it’s in DER format like every other certificate). RapidSSL uses Content-Type: text/plain.

The CA Issuers field sometimes points to the signing certificate (e.g. StartSSL) or to the root CA (e.g. Comodo DV, which points to the AddTrust Root CA)

Certificate	Critical	Values
Comodo DV	✗	caIssuers: URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP: URI:http://ocsp.comodoca.com
Comodo EV	✗	caIssuers: URI:http://crt.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crt OCSP: URI:http://ocsp.comodoca.com
DigiCert HA Intermediate	✗	OCSP: URI:http://ocsp.digicert.com caIssuers: URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
DigiCert Secure Server	✗	OCSP: URI:http://ocsp.digicert.com caIssuers: URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
GlobalSign DV	✗	caIssuers: URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt OCSP: URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2
Go Daddy G2 Intermediate	✗	OCSP: URI:http://ocsp.godaddy.com/ caIssuers: URI:http://certificates.godaddy.com/repository/gdig2.crt
Google G3	✗	caIssuers: URI:http://pki.goog/gsr2/GTSGIAG3.crt OCSP: URI:http://ocsp.pki.goog/GTSGIAG3
Let’s Encrypt X1	✗	OCSP: URI:http://ocsp.int-x1.letsencrypt.org/ caIssuers: URI:http://cert.int-x1.letsencrypt.org/
Let’s Encrypt X3	✗	OCSP: URI:http://ocsp.int-x3.letsencrypt.org caIssuers: URI:http://cert.int-x3.letsencrypt.org/
RapidSSL G3	✗	OCSP: URI:http://gv.symcd.com caIssuers: URI:http://gv.symcb.com/gv.crt
StartSSL class 2	✗	OCSP: URI:http://ocsp.startssl.com/sub/class2/server/ca caIssuers: URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
StartSSL class 3	✗	OCSP: URI:http://ocsp.startssl.com caIssuers: URI:http://aia.startssl.com/certs/sca.server3.crt
TrustID Server A52	✗	OCSP: URI:http://commercial.ocsp.identrust.com caIssuers: URI:http://validation.identrust.com/certs/trustidcaa52.p7c

AuthorityKeyIdentifier

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.1

A hash identifying the CA used to sign the certificate. In theory the identifier may also be based on the issuer name and serial number, but in the wild, all certificates reference the SubjectKeyIdentifier. Self-signed certificates (e.g. Root CAs, like StartSSL and Comodo below) will reference themself, while signed certificates reference the signed CA, e.g.:

Name	SubjectKeyIdentifier	AuthorityKeyIdentifier
Root CA	foo	foo
Intermediate CA	bar	foo
Client Cert	foobar	bar

In CA certificates

Root CAs usually have a value identical to the SubjectKeyIdentifier, but some root CAs do not include this extension at all.

CA	Critical	Key identifier	Issuer	Serial
Comodo
Comodo DV	✗	BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4	✗	✗
Comodo EV	✗	BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4	✗	✗
DST X3
DigiCert EV Root	✗	B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3	✗	✗
DigiCert Global Root	✗	03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55	✗	✗
DigiCert HA Intermediate	✗	B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3	✗	✗
DigiCert Secure Server	✗	03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55	✗	✗
GeoTrust	✗	C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E	✗	✗
GlobalSign
GlobalSign DV	✗	60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B	✗	✗
GlobalSign R2	✗	9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E	✗	✗
Go Daddy G2
Go Daddy G2 Intermediate	✗	3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE	✗	✗
Google G3	✗	9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E	✗	✗
IdenTrust
Let’s Encrypt X1	✗	C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10	✗	✗
Let’s Encrypt X3	✗	C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10	✗	✗
RapidSSL G3	✗	C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E	✗	✗
StartSSL	✗	4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2	✗	✗
StartSSL class 2	✗	4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2	✗	✗
StartSSL class 2	✗	4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2	✗	✗
TrustID Server A52	✗	ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76	✗	✗

In signed certificates

Certificate	Critical	Key identifier	Issuer	Serial
Comodo DV	✗	90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7	✗	✗
Comodo EV	✗	39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69	✗	✗
DigiCert HA Intermediate	✗	51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B	✗	✗
DigiCert Secure Server	✗	0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2	✗	✗
GlobalSign DV	✗	EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F	✗	✗
Go Daddy G2 Intermediate	✗	40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE	✗	✗
Google G3	✗	77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B	✗	✗
Let’s Encrypt X1	✗	A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1	✗	✗
Let’s Encrypt X3	✗	A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1	✗	✗
RapidSSL G3	✗	C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59	✗	✗
StartSSL class 2	✗	11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86	✗	✗
StartSSL class 3	✗	B1:3F:1C:92:7B:92:B0:5A:25:B3:38:FB:9C:07:A4:26:50:32:E3:51	✗	✗
TrustID Server A52	✗	A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1	✗	✗

BasicConstraints

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.9

The BasicConstraints extension specifies if the certificate can be used as a certificate authority. It is always marked as critical. The path_length attribute specifies the levels of possible intermediate CAs. If not present, the level of intermediate CAs is unlimited, a path_length:0 means that the CA itself can not issue certificates with CA:TRUE itself.

In CA certificates

Most root CAs do not set a Path Length, while most (but not all) intermediate CAs set a Path Length of 0.

CA	Critical	CA	Path length
Comodo	✓	True	None
Comodo DV	✓	True	0
Comodo EV	✓	True	0
DST X3	✓	True	None
DigiCert EV Root	✓	True	None
DigiCert Global Root	✓	True	None
DigiCert HA Intermediate	✓	True	0
DigiCert Secure Server	✓	True	0
GeoTrust	✓	True	None
GlobalSign	✓	True	None
GlobalSign DV	✓	True	0
GlobalSign R2	✓	True	None
Go Daddy G2	✓	True	None
Go Daddy G2 Intermediate	✓	True	None
Google G3	✓	True	0
IdenTrust	✓	True	None
Let’s Encrypt X1	✓	True	0
Let’s Encrypt X3	✓	True	0
RapidSSL G3	✓	True	0
StartSSL	✓	True	None
StartSSL class 2	✓	True	0
StartSSL class 2	✓	True	0
TrustID Server A52	✓	True	None

In signed certificates

Notable here that some end-user certificates do not mark this extension as critical.

Certificate	Critical	CA	Path length
Comodo DV	✓	False	None
Comodo EV	✓	False	None
DigiCert HA Intermediate	✓	False	None
DigiCert Secure Server	✗	False	None
GlobalSign DV	✗	False	None
Go Daddy G2 Intermediate	✓	False	None
Google G3	✓	False	None
Let’s Encrypt X1	✓	False	None
Let’s Encrypt X3	✓	False	None
RapidSSL G3	✓	False	None
StartSSL class 2	✗	False	None
StartSSL class 3	✗	False	None
TrustID Server A52

CertificatePolicies

In CA certificates

CA	Critical	Policies
Comodo
Comodo DV	✗	2.5.29.32.0 2.23.140.1.2.1
Comodo EV	✗	2.5.29.32.0: https://secure.comodo.com/CPS
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate	✗	2.5.29.32.0: https://www.digicert.com/CPS
DigiCert Secure Server	✗	2.5.29.32.0: https://www.digicert.com/CPS
GeoTrust
GlobalSign
GlobalSign DV	✗	2.5.29.32.0: https://www.globalsign.com/repository/
GlobalSign R2
Go Daddy G2
Go Daddy G2 Intermediate	✗	2.5.29.32.0: https://certs.godaddy.com/repository/
Google G3	✗	2.23.140.1.2.2: https://pki.goog/repository/
IdenTrust
Let’s Encrypt X1	✗	2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1: http://cps.root-x1.letsencrypt.org
Let’s Encrypt X3	✗	2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1: http://cps.root-x1.letsencrypt.org
RapidSSL G3	✗	2.16.840.1.113733.1.7.54: http://www.geotrust.com/resources/cps
StartSSL	✗	1.3.6.1.4.1.23223.1.1.1: http://www.startssl.com/policy.pdf http://www.startssl.com/intermediate.pdf User Notice: Start Commercial (StartCom) Ltd.: 1: Limited Liability, read the section Legal Limitations of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf
StartSSL class 2	✗	2.5.29.32.0: http://www.startssl.com/policy
StartSSL class 2	✗	2.5.29.32.0: http://www.startssl.com/policy.pdf
TrustID Server A52	✗	2.5.29.32.0: User Notice: https://secure.identrust.com/certificates/policy/ts/index.html: User Notice: This TrustID Server Certificate has been issued in accordance with IdenTrust’s TrustID Certificate Policy found at https://secure.identrust.com/certificates/policy/ts/index.html

In signed certificates

Certificate	Critical	Policies
Comodo DV	✗	1.3.6.1.4.1.6449.1.2.2.7: https://secure.comodo.com/CPS 2.23.140.1.2.1
Comodo EV	✗	1.3.6.1.4.1.6449.1.2.1.5.1: https://secure.comodo.com/CPS 2.23.140.1.1
DigiCert HA Intermediate	✗	2.16.840.1.114412.1.1: https://www.digicert.com/CPS 2.23.140.1.2.2
DigiCert Secure Server	✗	2.16.840.1.114412.1.1: https://www.digicert.com/CPS 2.23.140.1.2.2
GlobalSign DV	✗	1.3.6.1.4.1.4146.1.10: https://www.globalsign.com/repository/ 2.23.140.1.2.1
Go Daddy G2 Intermediate	✗	2.16.840.1.114413.1.7.23.1: http://certificates.godaddy.com/repository/ 2.23.140.1.2.1
Google G3	✗	1.3.6.1.4.1.11129.2.5.3 2.23.140.1.2.2
Let’s Encrypt X1	✗	2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1: http://cps.letsencrypt.org User Notice: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Let’s Encrypt X3	✗	2.23.140.1.2.1 1.3.6.1.4.1.44947.1.1.1: http://cps.letsencrypt.org
RapidSSL G3	✗	2.16.840.1.113733.1.7.54: https://www.rapidssl.com/legal
StartSSL class 2	✗	2.23.140.1.2.2 1.3.6.1.4.1.23223.1.2.3: http://www.startssl.com/policy.pdf User Notice: StartCom Certification Authority: 1: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
StartSSL class 3	✗	2.23.140.1.2.2 1.3.6.1.4.1.23223.1.2.4: http://www.startssl.com/policy
TrustID Server A52	✗	2.16.840.1.113839.0.6.3: https://secure.identrust.com/certificates/policy/ts/ User Notice: This TrustID Server Certificate has been issued in accordance with IdenTrust’s TrustID Certificate Policy found at https://secure.identrust.com/certificates/policy/ts/ 2.23.140.1.2.2: https://secure.identrust.com/certificates/policy/ts/ User Notice: This TrustID Server Certificate has been issued in accordance with IdenTrust’s TrustID Certificate Policy found at https://secure.identrust.com/certificates/policy/ts/

CRLDistributionPoints

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.13

In theory a complex multi-valued extension, this extension usually just holds a URI pointing to a Certificate Revocation List (CRL).

Root certificate authorities (StartSSL, GeoTrust Global, GlobalSign) do not set this field. This usually isn’t a problem since clients have a list of trusted root certificates anyway, and browsers and distributions should get regular updates on the list of trusted certificates.

All CRLs linked here are all in DER/ASN1 format, and the Content-Type header in the response is set to application/pkix-crl. Only Comodo uses application/x-pkcs7-crl, but it is also in DER/ASN1 format.

In CA certificates

CA	Critical	Names	RDNs	Issuer	Reasons
Comodo
Comodo DV	✗	URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl	✗	✗	✗
Comodo EV	✗	URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl	✗	✗	✗
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate	✗	URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl	✗	✗	✗
DigiCert Secure Server	✗	URI:http://crl3.digicert.com/DigiCertGlobalRootCA.crl	✗	✗	✗
		URI:http://crl4.digicert.com/DigiCertGlobalRootCA.crl	✗	✗	✗
GeoTrust
GlobalSign
GlobalSign DV	✗	URI:http://crl.globalsign.net/root.crl	✗	✗	✗
GlobalSign R2	✗	URI:http://crl.globalsign.net/root-r2.crl	✗	✗	✗
Go Daddy G2
Go Daddy G2 Intermediate	✗	URI:http://crl.godaddy.com/gdroot-g2.crl	✗	✗	✗
Google G3	✗	URI:http://crl.pki.goog/gsr2/gsr2.crl	✗	✗	✗
IdenTrust
Let’s Encrypt X1	✗	URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl	✗	✗	✗
Let’s Encrypt X3	✗	URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl	✗	✗	✗
RapidSSL G3	✗	URI:http://g.symcb.com/crls/gtglobal.crl	✗	✗	✗
StartSSL
StartSSL class 2	✗	URI:http://crl.startssl.com/sfsca.crl	✗	✗	✗
StartSSL class 2	✗	URI:http://crl.startssl.com/sfsca.crl	✗	✗	✗
TrustID Server A52	✗	URI:http://validation.identrust.com/crl/commercialrootca1.crl	✗	✗	✗

In signed certificates

Let’s Encrypt is so far the only CA that does not maintain a CRL for signed certificates. Major CAs usually don’t fancy CRLs much because they are a large file (e.g. the CRL from Comodo is 1.5MB) containing all certificates and cause major traffic for CAs. OCSP is just better in every way.

Certificate	Critical	Names	RDNs	Issuer	Reasons
Comodo DV	✗	URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl	✗	✗	✗
Comodo EV	✗	URI:http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl	✗	✗	✗
DigiCert HA Intermediate	✗	URI:http://crl3.digicert.com/sha2-ha-server-g6.crl	✗	✗	✗
		URI:http://crl4.digicert.com/sha2-ha-server-g6.crl	✗	✗	✗
DigiCert Secure Server	✗	URI:http://crl3.digicert.com/ssca-sha2-g6.crl	✗	✗	✗
		URI:http://crl4.digicert.com/ssca-sha2-g6.crl	✗	✗	✗
GlobalSign DV	✗	URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl	✗	✗	✗
Go Daddy G2 Intermediate	✗	URI:http://crl.godaddy.com/gdig2s1-1015.crl	✗	✗	✗
Google G3	✗	URI:http://crl.pki.goog/GTSGIAG3.crl	✗	✗	✗
Let’s Encrypt X1
Let’s Encrypt X3
RapidSSL G3	✗	URI:http://gv.symcb.com/gv.crl	✗	✗	✗
StartSSL class 2	✗	URI:http://crl.startssl.com/crt2-crl.crl	✗	✗	✗
StartSSL class 3	✗	URI:http://crl.startssl.com/sca-server3.crl	✗	✗	✗
TrustID Server A52	✗	URI:http://validation.identrust.com/crl/trustidcaa52.crl	✗	✗	✗

ExtendedKeyUsage

A list of purposes for which the certificate can be used for. CA certificates usually do not set this field.

In CA certificates

CA	Critical	Usages
Comodo
Comodo DV	✗	serverAuth, clientAuth
Comodo EV
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate	✗	serverAuth, clientAuth
DigiCert Secure Server
GeoTrust
GlobalSign
GlobalSign DV
GlobalSign R2
Go Daddy G2
Go Daddy G2 Intermediate
Google G3	✗	serverAuth, clientAuth
IdenTrust
Let’s Encrypt X1
Let’s Encrypt X3
RapidSSL G3
StartSSL
StartSSL class 2	✗	clientAuth, serverAuth
StartSSL class 2
TrustID Server A52	✗	serverAuth, clientAuth, Unknown OID, Unknown OID, Unknown OID

In signed certificates

Certificate	Critical	Usages
Comodo DV	✗	serverAuth, clientAuth
Comodo EV	✗	serverAuth, clientAuth
DigiCert HA Intermediate	✗	serverAuth, clientAuth
DigiCert Secure Server	✗	serverAuth, clientAuth
GlobalSign DV	✗	serverAuth, clientAuth
Go Daddy G2 Intermediate	✗	serverAuth, clientAuth
Google G3	✗	serverAuth
Let’s Encrypt X1	✗	serverAuth, clientAuth
Let’s Encrypt X3	✗	serverAuth, clientAuth
RapidSSL G3	✗	serverAuth, clientAuth
StartSSL class 2	✗	clientAuth, serverAuth
StartSSL class 3	✗	clientAuth, serverAuth
TrustID Server A52	✗	serverAuth, clientAuth

IssuerAlternativeName

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.7

Only StartSSL sets this field in its signed certificates. It’s a URI pointing to their homepage.

In CA certificates

CA	Critical
Comodo
Comodo DV
Comodo EV
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate
DigiCert Secure Server
GeoTrust
GlobalSign
GlobalSign DV
GlobalSign R2
Go Daddy G2
Go Daddy G2 Intermediate
Google G3
IdenTrust
Let’s Encrypt X1
Let’s Encrypt X3
RapidSSL G3
StartSSL
StartSSL class 2
StartSSL class 2
TrustID Server A52

In signed certificates

Certificate	Critical	Names
Comodo DV
Comodo EV
DigiCert HA Intermediate
DigiCert Secure Server
GlobalSign DV
Go Daddy G2 Intermediate
Google G3
Let’s Encrypt X1
Let’s Encrypt X3
RapidSSL G3
StartSSL class 2	✗	URI:http://www.startssl.com/
StartSSL class 3	✗	URI:http://www.startssl.com/
TrustID Server A52

KeyUsage

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.3

List of permitted key usages. Usually marked as critical, except for certificates signed by StartSSL.

In CA certificates

CA	Critical	cRLSign	dataEncipherment	decipherOnly	digitalSignature	encipherOnly	keyAgreement	keyCertSign	keyEncipherment	nonRepudiation
Comodo	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
Comodo DV	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
Comodo EV	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
DST X3	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
DigiCert EV Root	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
DigiCert Global Root	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
DigiCert HA Intermediate	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
DigiCert Secure Server	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
GeoTrust
GlobalSign	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
GlobalSign DV	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
GlobalSign R2	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
Go Daddy G2	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
Go Daddy G2 Intermediate	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
Google G3	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
IdenTrust	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
Let’s Encrypt X1	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
Let’s Encrypt X3	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗
RapidSSL G3	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
StartSSL	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
StartSSL class 2	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
StartSSL class 2	✓	✓	✗	✗	✗	✗	✗	✓	✗	✗
TrustID Server A52	✓	✓	✗	✗	✓	✗	✗	✓	✗	✗

In signed certificates

Certificate	Critical	cRLSign	dataEncipherment	decipherOnly	digitalSignature	encipherOnly	keyAgreement	keyCertSign	keyEncipherment	nonRepudiation
Comodo DV	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
Comodo EV	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
DigiCert HA Intermediate	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
DigiCert Secure Server	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
GlobalSign DV	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
Go Daddy G2 Intermediate	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
Google G3	✓	✗	✗	✗	✓	✗	✗	✗	✗	✗
Let’s Encrypt X1	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
Let’s Encrypt X3	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
RapidSSL G3	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗
StartSSL class 2	✗	✗	✗	✗	✓	✗	✓	✗	✓	✗
StartSSL class 3	✗	✗	✗	✗	✓	✗	✗	✗	✓	✗
TrustID Server A52	✓	✗	✗	✗	✓	✗	✗	✗	✓	✗

NameConstraints

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.10

This extension is only valid in CAs and must be marked as critical, according to RFC 5280.

Only the expired Let’s Encrypt X1 sets this extension to exclude .mil, and does not set this extension as critical.

In CA certificates

CA	Critical	Permitted	Excluded
Comodo
Comodo DV
Comodo EV
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate
DigiCert Secure Server
GeoTrust
GlobalSign
GlobalSign DV
GlobalSign R2
Go Daddy G2
Go Daddy G2 Intermediate
Google G3
IdenTrust
Let’s Encrypt X1	✗	✗	DNS:.mil
Let’s Encrypt X3
RapidSSL G3
StartSSL
StartSSL class 2
StartSSL class 2
TrustID Server A52

In signed certificates

Certificate	Critical
Comodo DV
Comodo EV
DigiCert HA Intermediate
DigiCert Secure Server
GlobalSign DV
Go Daddy G2 Intermediate
Google G3
Let’s Encrypt X1
Let’s Encrypt X3
RapidSSL G3
StartSSL class 2
StartSSL class 3
TrustID Server A52

PrecertificateSignedCertificateTimestamps

See also

https://tools.ietf.org/html/rfc6962.html

This extension is used for Certificate Transparency and only makes sense in client certificates. It is usually not marked as critical (since many clients do not support Certificate Transparency).

In CA certificates

CA	Critical
Comodo
Comodo DV
Comodo EV
DST X3
DigiCert EV Root
DigiCert Global Root
DigiCert HA Intermediate
DigiCert Secure Server
GeoTrust
GlobalSign
GlobalSign DV
GlobalSign R2
Go Daddy G2
Go Daddy G2 Intermediate
Google G3
IdenTrust
Let’s Encrypt X1
Let’s Encrypt X3
RapidSSL G3
StartSSL
StartSSL class 2
StartSSL class 2
TrustID Server A52

In signed certificates

Certificate	Critical	Value
Comodo DV
Comodo EV	✗	Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1
DigiCert HA Intermediate	✗	Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1
DigiCert Secure Server	✗	Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1
GlobalSign DV
Go Daddy G2 Intermediate	✗	Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1
Google G3
Let’s Encrypt X1
Let’s Encrypt X3	✗	Type: PRE_CERTIFICATE, version: v1 Type: PRE_CERTIFICATE, version: v1
RapidSSL G3
StartSSL class 2
StartSSL class 3
TrustID Server A52

SubjectAlternativeName

The SubjectAlternativeName extension is not present in any CA certificate, and of course whatever the customer requests in signed certificates.

In CA certificates

CA	Value
Let’s Encrypt
StartSSL
StartSSL Class 2
StartSSL Class 3
GeoTrust Global
RapidSSL G3
Comodo
Comodo DV
GlobalSign
GlobalSign DV

SubjectKeyIdentifier

See also

https://tools.ietf.org/html/rfc5280#section-4.2.1.2

The SubjectKeyIdentifier extension provides a means of identifying certificates. It is a mandatory extension for CA certificates. Currently only RapidSSL does not set this for signed certificates.

The value of the SubjectKeyIdentifier extension reappears in the AuthorityKeyIdentifier extension.

In CA certificates

CA	Critical	Digest
Comodo	✗	BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
Comodo DV	✗	90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
Comodo EV	✗	39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69
DST X3	✗	C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
DigiCert EV Root	✗	B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
DigiCert Global Root	✗	03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
DigiCert HA Intermediate	✗	51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
DigiCert Secure Server	✗	0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
GeoTrust	✗	C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
GlobalSign	✗	60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
GlobalSign DV	✗	EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F
GlobalSign R2	✗	9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E
Go Daddy G2	✗	3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
Go Daddy G2 Intermediate	✗	40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
Google G3	✗	77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B
IdenTrust	✗	ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76
Let’s Encrypt X1	✗	A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Let’s Encrypt X3	✗	A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
RapidSSL G3	✗	C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59
StartSSL	✗	4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2
StartSSL class 2	✗	B1:3F:1C:92:7B:92:B0:5A:25:B3:38:FB:9C:07:A4:26:50:32:E3:51
StartSSL class 2	✗	11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
TrustID Server A52	✗	A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1

In signed certificates

Certificate	Critical	Digest
Comodo DV	✗	F2:CB:1F:E9:6E:D5:43:E3:85:75:98:5F:97:7C:B0:59:7F:D5:C0:C0
Comodo EV	✗	44:3E:73:30:EB:0B:1B:A7:A7:9D:0F:DA:79:96:4D:1A:87:E9:9D:21
DigiCert HA Intermediate	✗	56:F7:45:D4:84:D1:3C:95:AD:58:14:2E:F4:D1:CC:2F:11:C0:73:F6
DigiCert Secure Server	✗	08:D7:53:9D:80:0B:FA:B0:39:7E:74:D8:55:DD:A7:EB:C8:BE:16:9C
GlobalSign DV	✗	52:5A:45:5B:D4:9D:AC:65:30:BD:67:80:6C:D1:A1:3E:09:F7:FD:92
Go Daddy G2 Intermediate	✗	2E:30:1A:46:41:F0:E8:1B:72:02:59:41:8A:CF:9D:1B:FA:98:8D:9E
Google G3	✗	1F:0D:A6:EA:EA:2B:6E:96:1B:5C:99:B5:C3:3D:6F:5F:4B:0D:BE:9F
Let’s Encrypt X1	✗	F4:F3:B8:F5:43:90:2E:A2:7F:DD:51:4A:5F:3E:AC:FB:F1:33:EE:95
Let’s Encrypt X3	✗	77:37:2D:FC:89:22:11:A0:61:E0:AC:6C:F4:1D:98:31:1B:B2:B3:88
RapidSSL G3
StartSSL class 2	✗	C7:AA:D9:A4:F0:BC:D1:C1:1B:05:D2:19:71:0A:86:F8:58:0F:F0:99
StartSSL class 3	✗	F0:72:65:5E:21:AA:16:76:2C:6F:D0:63:53:0C:68:D5:89:50:2A:73
TrustID Server A52	✗	BE:59:F0:29:27:4B:FC:0A:81:52:7C:DF:CD:02:D8:8F:A8:E5:C2:24

Other extensions

Extensions used by certificates encountered in the wild that django-ca does not (yet) support in any way.

In CA certificates

Currently only the old StartSSL root CA has any unknown extension.

CA	Extensions
StartSSL	Netscape Cert Type (Critical: False, OID: 2.16.840.1.113730.1.1) Netscape Comment (Critical: False, OID: 2.16.840.1.113730.1.13)

In signed certificates

Currently no tested cert has any unknown extensions.

Certificate	Extensions

CRL Extensions

The values of extensions and values of CRLs found in the wild.

CRL	Source	Last accessed	Info
Comodo EV (user)	comodo_ev_user.pem (URL)	2019-04-21	CRL in Comodo EV end user certificates
DigiCert HA Intermediate/ca	digicert_ha_intermediate.crl (URL)	2019-04-21	CRL in DigiCert HA Intermediate
DigiCert HA Intermediate/user	digicert_ha_intermediate_user.crl (URL)	2019-04-21	CRL DigiCert HA Intermediate end user certificates
GlobalSign R2/ca	root-r2.crl (URL)	2019-04-19	CRL in GlobalSign R2
Go Daddy G2/ca	gdroot-g2.crl (URL)	2019-04-19	CRL in Go Daddy G2 intermediate CA
Go Daddy G2/user	gdig2s1-1015.crl (URL)	2019-04-19	CRL in Go Daddy G2 end user certificates
Google G3/ca	gsr2.crl (URL)	2019-04-19	CRL in Google G3 CA
Google G3/user	GTSGIAG3.crl (URL)	2019-04-19	CRL in Google G3 end user certificates
Let’s Encrypt Authority X3/ca	DSTROOTCAX3CRL.crl (URL)	2019-04-19	CRL in Let’s Encrypt X3
TrustID Server A52/ca	trustid_server_a52_ca.crl (URL)	2019-04-21	CRL in TrustID Server A52
TrustID Server A52/user	trustid_server_a52_user.crl (URL)	2019-04-21	CRL TrustID Server A52 end user certificates

Data

CRL	Update freq.	hash
Comodo EV (user)	4 days, 0:00:00	SHA-256
DigiCert HA Intermediate/ca	21 days, 0:00:00	SHA-256
DigiCert HA Intermediate/user	7 days, 0:00:00	SHA-256
GlobalSign R2/ca	197 days, 0:00:00	SHA-256
Go Daddy G2/ca	365 days, 0:00:00	SHA-256
Go Daddy G2/user	7 days, 0:00:00	SHA-256
Google G3/ca	197 days, 0:00:00	SHA-256
Google G3/user	10 days, 0:00:00	SHA-256
Let’s Encrypt Authority X3/ca	30 days, 0:00:00	SHA-1
TrustID Server A52/ca	30 days, 0:00:00	SHA-256
TrustID Server A52/user	1 day, 0:00:00	SHA-256

Issuer

CRL	Issuer Name
Comodo EV (user)	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
DigiCert HA Intermediate/ca	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
DigiCert HA Intermediate/user	/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
GlobalSign R2/ca	/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Go Daddy G2/ca	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Go Daddy G2/user	/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Google G3/ca	/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Google G3/user	/C=US/O=Google Trust Services/CN=Google Internet Authority G3
Let’s Encrypt Authority X3/ca	/O=Digital Signature Trust Co./CN=DST Root CA X3
TrustID Server A52/ca	/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
TrustID Server A52/user	/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52

AuthorityKeyIdentifier

The value of this extension matches the SubjectKeyIdentifier of the CA that signed the CRL.

See also

https://tools.ietf.org/html/rfc5280.html#section-5.2.1

CRL	key_identifier	cert_issuer	cert_serial
Comodo EV (user)	39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69	✗	✗
DigiCert HA Intermediate/ca	B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3	✗	✗
DigiCert HA Intermediate/user	51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B	✗	✗
GlobalSign R2/ca	9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E	✗	✗
Go Daddy G2/ca
Go Daddy G2/user	40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE	dirname:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2	7
Google G3/ca	9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E	✗	✗
Google G3/user	77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B	✗	✗
Let’s Encrypt Authority X3/ca	C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10	✗	✗
TrustID Server A52/ca	ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76	✗	✗
TrustID Server A52/user	A2:56:24:3C:D0:D4:15:B9:E8:BF:78:A3:13:10:58:48:2E:16:54:E1	✗	✗

cRLNumber

CRL	number
Comodo EV (user)	2631
DigiCert HA Intermediate/ca	449
DigiCert HA Intermediate/user	537
GlobalSign R2/ca	31
Go Daddy G2/ca
Go Daddy G2/user	24
Google G3/ca	31
Google G3/user	672
Let’s Encrypt Authority X3/ca	197
TrustID Server A52/ca	83
TrustID Server A52/user	4193

IssuingDistributionPoint

CRL	full name	relative name	only attribute certs	only ca certs	only user certs	reasons	indirect CRL
Comodo EV (user)
DigiCert HA Intermediate/ca
DigiCert HA Intermediate/user	URI:http://crl3.digicert.com/sha2-ha-server-g6.crl	✗	✗	✗	✗	✗	✗
GlobalSign R2/ca
Go Daddy G2/ca
Go Daddy G2/user	URI:http://crl.godaddy.com/gdig2s1-1015.crl	✗	✗	✗	✗	✗	✗
Google G3/ca
Google G3/user
Let’s Encrypt Authority X3/ca
TrustID Server A52/ca
TrustID Server A52/user