Swiss Government PKI - Bundesamt für Informatik und

Transcription

Eidgenössisches Finanzdepartement EFD
Bundesamt für Informatik und Telekommunikation BIT
Betrieb
Betrieb Frontend Services
PKI
Swiss Government PKI
CA Layout and Policies
Version 1.57
Status
in_Arbeit
in_Pruefung
genehmigt
x
Personenkreis
Autoren
Marcel Suter, Jürgen Weber
Pruefung
Genehmigung
SG Security
SG PKI Leiter
Verteiler
SG PKI intern
Kontrolle
Wann
14.04.2010
Version
0.1
Wer
SuMa
Beschreibung
Document created
10.05.2010
13.07.2010
0.2
0.3
SuMa
SuMa
Updates
Updates HSM & Slots & Backup/Restore
24.08.2010
25.08.2010
0.4
0.5
SuMa
SuMa
Updates following meeting 23.08.2010
DN qualifier updates
28.10.2010
17.11.2010
0.6
0.7
SuMa
SuMa
Merge suisseID & BP
Fixed typo, added slot list
18.01.2011
19.01.2011
0.8
0.9
SuMa
SuMa
Removed old CA ref, removed appendices, fix pol.
Renamed KPMG alt name.
20.01.2011
27.01.2011
0.10
0.11
SuMa
SuMa
Renamed A CPS user notice.
Shortened CDP/AIA namings.
28.01.2011
01.02.2011
0.12
0.13
SuMa
SuMa
Updated table of content, distribution list.
Updated names.
01.02.2011
08.02.2011
0.14
0.15
SuMa
SuMa
Updated names.
QC alt name update.
11.02.2011
19.04.2012
1.0
1.1
SuMa
SuMa
Visible string + validity update. Finalized version
Enhanced CA 02 (FUB)
https://community.bit.admin.ch/team/Trustcenter-PKI-BIT/Private/Dokumentation SwissGov PKI/Certified PKI/Security und Compliance/Policy Management/0040-RV-CA Layout and
Policies.docx
Policy Layout
Kontrolle
16.09.2013
1.2
SuMa
End User Policies Enhanced CA 01 & Regular CA 01
17.09.2013
08.10.2013
1.3
1.4
SuMa
SuMa
Updated Governikus Policies
Added SPOC Policy
09.10.2013
11.10.2013
1.5
1.6
SuMa
JoPa
Added LRA System
New Policy ID for LRA Windows 7 System
25.10.2013
03.12.2013
1.7
1.8
SuMa
WeJ
Added FUB Class B Policies
Added TSA Qualified Policy Kap. 2.2.14
09.01.2014
24.02.2014
1.9
1.10
SuMa
WeJ
Fixed TSA Qualified Policy Kap. 2.2.14
Added End User Class A (Qualified)
20.03.2014
14.04.2014
1.11
1.12
SuMa
SuMa
Updated OID for ZKV to 2.16.756.1.17.3.22.25
Sedex policy for RaaS
28.04.2014
30.04.2014
1.13
1.14
SuMa
SuMa
Update SSL OID CP text
Added eDOC
01.05.2014
06.06.2014
1.15
1.15
SuMa
WeJ
Added SSL and EV SSL Sub CAs
Added SSL Server Authentication Policy
19.08.2014
1.16
WeJ
06.11.2014
1.17
WeJ
Added SSL Client Authentication Policy
Added SSL Server / Client Authentication Policy
Added OCSP Policy
08.12.2014
22.01.2015
1.18
1.19
WeJ
WeJ
Added Regular Client Auth Policy
Added Regular Group Mailboxes Policy
23.03.2015
24.03.2015
1.20
1.21
WeJ
WeJ
Updated Time Stamping Policy
Added Process Authentication SSO-Portal Policy
26.03.2015
1.22
WeJ
Updated Root CA I policy for FUB
Updated Enhanced CA 02 policy
01.04.2015
23.04.2015
1.23
1.27
JoP
DR
Migration of AdminCA-CD-T01 Policies to Regular
Added DFS/FKR Policy
06.05.2015
11.05.2015
1.28
1.29
SuMa
SuMa
Updated AKI in Enhanced CA 02
Updated Enhanced CA 02 end user CP OIDs
13.05.2015
1.30
SuMa
Updated Enhanced CA 02 end user DN according to reported
FUB info #0000251 (Bug Mantis http://svn-blackhole.bfi.admin.ch:8080/mantis/view.php?id=251)
18.05.2015
1.31
SuMa
Renamed o=FUB with o=VBS in end user Enhanced CA 02 template
09.06.2015
1.32
KH
Added Klasse RegularCA01 certificate policies: Person Auth.
Person Auth/Sign, Person Auth/Sign/Encrypt, Person Sign/Encrypt
12.06.2015
1.33
KH
15.06.2015
1.34
KH
17.06.2015
1.35
KH
19.06.2015
1.36
KH
Removed data encipherment key sage in policies OID
2.16.756.1.17.3.22.41 and 2.16.756.1.17.3.22.42 because it
was not in line with RFC 5280 “4.2.1.3. Key Usage”
Added Klasse RegularCA01 certificate policies: Organization
Auth/Sign, Organization Auth/Sign/Encrypt, Organization
Sign/Encrypt
Added warnings: The usage of certain policies is not recommended due to inappropriate combination of key usages. This
is based on an answer from FUB/IS Krypt dated 16.6.2015.
Added Klasse RegularCA01 certificate policies: System Auth,
System Auth/Sign, System Auth/Sign/Encrypt, System Sign/Encrypt
22.06.2015
23.06.2015
1.37
1.38
WeJ
KH
Extended FUB Policies with behavior attributes
In RegularCA01-Organization-Policies, changed order of O/OU
in the subject.
2/251
Policies.docx
Policy Layout
Kontrolle
15.07.2015
1.39
KH
In RegularCA01-policies Person, Organization, System, issuer,
changed 2.5.4.10 from „Admin“ to “Swiss Government PKI”
23.07.2015
21.08.2015
1.40
1.41
SuMa
WeJ
Updated FUB CDP
Corrected FUB End-Entity CDP
08.12.2015
1.42
WeJ
Added Class C – System Encryption
Added SSL CA 01 – Domain Controller
22.12.2015
02.02.2016
1.43
1.44
Ale
Ale
Added Class D – Organization Signature eSchKG BJ
Added Class D – ElCom
07.02.2016
12.02.2016
1.45
1.46
Ale
WeJ
Updated Class D – Elcom
Updated Class D – ElCom
18.02.2016
1.47
Ale
23.02.2016
1.48
WeJ
Updatet Governikus Timestamp (Core Timestamp Certificate)
Added Governikus Core Signature Certificate
Added Governikus OSCI Transport Encryption Certificate
Added Governikus OSCI Transport Signature Certificate
SSL Policy angepasst (Subject)
04.03.2016
1.49
WeJ
Updated eDoc Policy – o=Admin  o=admin in the subject attribute
29.03.2016
1.50
WeJ
Added Swiss Government Root CA III policy
Added Swiss Government Public Trust Standard CA 02 policy
Added EE CP issued by SG PT ST CA 02 policy
29.03.2016
04.04.2016
1.51
1.52
MetB
WeJ
Added CITES policy
Added Swiss Government Public Trust EV CA 02 policy
Added EE CP issued by SG PT EV CA 02 policy
Added Standard OCSP Responder policy
Added EV OCSP Responder policy
06.04.2016
1.53
MetB
Updated subject for Organization certificates Auth/Enc/Sign
policy
29.04.2016
04.05.2016
1.54
1.55
Pascal Joye
Pascal Joye
Added 2 x code signing (standard & EV)
Korrekturen von SecOffs
3/251
Policies.docx
Kontrolle
10.05.2016
1.56
Policy Layout
Jürgen Weber
* Kap. 2 Swiss Government PKI CA Layout
- Abb. 1 Grafik um Root CA III und SubCAs erweitert
* Kap. 2.1 Naming Conventions
- O=Admin auf O=Swiss Government PKI geändert
- Tabelle 1 CN Particles um Root CA III und SubCAs erweitert
* Kap. 2.4.6 Swiss Government Public Trust Standard CA 02
- Policy korrigiert
* 2.4.6.4 Public Trust Standard OCSP Responder
(2.16.756.1.17.3.62.7)
- keyUsage korrigiert
* bei allen End User Policies
- certificatePolicies korrigiert
* 2.4.8.2
Public Trust Standard Code Signing OCSP Responder (2.16.756.1.17.3.62.11)
- neu erstellt
11.05.2016
1.57
Jürgen Weber
* 2.4.9.2
Public Trust EV Code Signing OCSP Responder
(2.16.756.1.17.3.62.12)
- neu erstellt
Added subjectAltName to all ocsp policies
4/251
Policies.docx
Policy Layout
Content
1
Purpose
7
2
Swiss Government PKI CA Layout
7
2.1
2.2
Naming Conventions ...................................................................................................... 8
Root CA Policies ............................................................................................................. 9
Swiss Government Root CA I .................................................................................................................................... 9
Swiss Government Root CA II ................................................................................................................................. 11
Swiss Government Root CA III (2.16.756.1.17.3.61.0) ............................................................................................ 13
2.3
Issuing CA Policies ........................................................................................................ 15
Swiss Government Enhanced CA 01 ....................................................................................................................... 15
Swiss Government SuisseID Authentication CA 01................................................................................................. 21
Swiss Government Qualified CA 01 ........................................................................................................................ 23
Swiss Government Regular CA 01 .......................................................................................................................... 26
Swiss Government SSL CA 01 ................................................................................................................................. 29
Swiss Government EV SSL CA 01 ............................................................................................................................ 32
Swiss Government Public Trust Standard CA 02 (2.16.756.1.17.3.61.1) ................................................................ 35
Swiss Government Public Trust EV CA 02 (2.16.756.1.17.3.61.2)........................................................................... 38
Swiss Government Public Trust Code Signing Standard CA 02 (2.16.756.1.17.3.61.3) ........................................... 41
Swiss Government Public Trust Code Signing EV CA 02 (2.16.756.1.17.3.61.4) ..................................................... 44
2.4
2.4.1.1
2.4.1.1.1
2.4.1.1.2
2.4.1.1.3
2.4.2.1
2.4.2.1.1
2.4.2.1.2
2.4.2.1.3
2.4.2.1.4
2.4.2.1.5
2.4.3.1
2.4.3.1.1
2.4.3.1.2
2.4.3.1.3
2.4.3.2
2.4.3.2.1
2.4.3.2.2
2.4.3.2.3
2.4.4.1
2.4.4.1.1
2.4.4.1.2
2.4.4.1.3
2.4.4.1.4
2.4.4.1.5
2.4.4.1.6
End Entity Policies ........................................................................................................ 48
Class B – Standard ............................................................................................................................................... 48
Authentication ................................................................................................................................................. 48
Digital Signature ............................................................................................................................................... 51
Encryption ........................................................................................................................................................ 54
Swiss Government Qualified CA 01 ........................................................................................................................ 57
Class A Qualified Digital Signature....................................................................................................................... 57
Person .............................................................................................................................................................. 57
FreeDN ............................................................................................................................................................. 60
FreeDN pre-assigned ........................................................................................................................................ 60
SHAB Archive Signer ......................................................................................................................................... 60
Time Stamp Signer (Luna SA) ........................................................................................................................... 60
Swiss Government Enhanced CA02 ........................................................................................................................ 63
Class B – Pre-staged (FUB) ................................................................................................................................... 63
Authentication ................................................................................................................................................. 63
Encryption ........................................................................................................................................................ 72
Class B pre-staged (BV)........................................................................................................................................ 76
Authentication ................................................................................................................................................. 76
Encryption ........................................................................................................................................................ 82
Swiss Government Regular CA 01 .......................................................................................................................... 85
Class C : Standard Products ................................................................................................................................. 85
Group Mailbox ................................................................................................................................................. 85
Person Authentication ..................................................................................................................................... 88
Person Authentication/Signature ..................................................................................................................... 90
Person Authentication/Signature/Encryption .................................................................................................. 93
Person Signature/Encryption ........................................................................................................................... 96
Organization Authentication ............................................................................................................................ 99
5/251
Policies.docx
2.4.4.1.7
2.4.4.1.8
2.4.4.1.9
2.4.4.1.10
2.4.4.1.11
2.4.4.1.12
2.4.4.1.13
2.4.4.1.14
2.4.4.1.15
2.4.4.2
2.4.4.2.1
2.4.4.2.2
2.4.4.2.3
2.4.4.2.4
2.4.4.2.5
2.4.4.2.6
2.4.4.2.7
2.4.4.2.8
2.4.4.2.9
2.4.4.2.10
2.4.4.2.11
2.4.4.2.12
2.4.4.2.13
2.4.4.2.14
2.4.4.2.15
2.4.4.2.16
2.4.4.2.17
2.4.4.2.18
2.4.4.2.19
2.4.4.2.20
2.4.5.1
2.4.5.2
2.4.5.3
2.4.5.4
2.4.5.5
2.4.5.6
2.4.6.1
2.4.6.2
2.4.6.3
2.4.6.4
2.4.7.1
2.4.7.2
2.4.7.3
2.4.7.4
2.4.8.1
2.4.8.2
2.4.9.1
2.4.9.2
Policy Layout
Organization Authentication/Signature ......................................................................................................... 102
Organization Authentication/Signature/Encryption ...................................................................................... 105
Organization Signature/Encryption ................................................................................................................ 108
System Authentication ................................................................................................................................... 111
System Authentication/Signature .................................................................................................................. 114
System Authentication/Signature/Encryption ............................................................................................... 117
System Signature/Encryption ......................................................................................................................... 119
System Signature ............................................................................................................................................ 122
System Encryption.......................................................................................................................................... 125
Class D : Customer specific Policies ................................................................................................................... 128
Client Authentication ..................................................................................................................................... 128
Process Authentication EJPD SSO-Portal ........................................................................................................ 131
Governikus Core Signature Certificate ........................................................................................................... 134
Governikus OSCI Transport Encryption Certificate ......................................................................................... 137
Governikus OSCI Transport Signature Certificate ........................................................................................... 140
Governikus Core Timestamp Certificate......................................................................................................... 143
ZKV ................................................................................................................................................................. 145
SEDEX ............................................................................................................................................................. 148
eDOC .............................................................................................................................................................. 151
SPOC Server .................................................................................................................................................... 154
SPOC Client ..................................................................................................................................................... 157
LRA Station System......................................................................................................................................... 160
DFS / FKR - Digitaler Fahrtschreiber - DFS-CA Operator ................................................................................. 163
DFS / FKR - Digitaler Fahrtschreiber - DFS-CA Service Administrator ............................................................. 166
DFS / FKR - Digitaler Fahrtschreiber - DFS-CA ................................................................................................ 169
DFS / FKR - Digitaler Fahrtschreiber - DFS-CIA ............................................................................................... 171
DFS / FKR - Digitaler Fahrtschreiber - DFS-CP ................................................................................................. 174
Organization Signature eSchKG BJ ................................................................................................................. 177
ElCom ............................................................................................................................................................. 180
CITES System Authentication/Signature/Encryption ...................................................................................... 183
Swiss Government SSL CA 01 ............................................................................................................................... 186
SSL Server Authentication ................................................................................................................................. 186
SSL Client Authentication .................................................................................................................................. 189
SSL Server / Client Authentication..................................................................................................................... 192
OCSP Responder ................................................................................................................................................ 195
CodeSigning ....................................................................................................................................................... 197
Domain Controller ............................................................................................................................................. 201
Swiss Government Public Trust Standard CA 02 .................................................................................................. 206
Public Trust Standard Server Authentication (2.16.756.1.17.3.62.1) ................................................................ 206
Public Trust Standard Client Authentication (2.16.756.1.17.3.62.2) ................................................................. 209
Public Trust Standard Server/Client Authentication (2.16.756.1.17.3.62.3) ..................................................... 212
Public Trust Standard OCSP Responder (2.16.756.1.17.3.62.7) ........................................................................ 215
Swiss Government Public Trust EV CA 02 ............................................................................................................. 218
Public Trust EV Server Authentication (2.16.756.1.17.3.62.4) .......................................................................... 218
Public Trust EV Client Authentication (2.16.756.1.17.3.62.5) ........................................................................... 221
Public Trust EV Server/Client Authentication (2.16.756.1.17.3.62.6) ............................................................... 225
Public Trust EV OCSP Responder (2.16.756.1.17.3.62.8) ................................................................................... 228
Swiss Government Public Trust Codesigning Standard CA 02 .............................................................................. 231
Public Trust Standard Code Signing (2.16.756.1.17.1.3.62.9)............................................................................ 231
Public Trust Standard Code Signing OCSP Responder (2.16.756.1.17.3.62.11) ................................................. 235
Swiss Government Public Trust Codesigning EV CA 02 ........................................................................................ 238
Public Trust EV Code Signing (2.16.756.1.17.3.62.10) ....................................................................................... 238
Public Trust EV Code Signing OCSP Responder (2.16.756.1.17.3.62.12) ........................................................... 242
OBSOLETE ............................................................................................................................................................. 245
6/251
Policies.docx
2.4.10.1
2.4.10.2
Policy Layout
SSL Web Server - Swiss Government Regular CA 01.......................................................................................... 245
System - Swiss Government Regular CA 01 ....................................................................................................... 248
1 Purpose
The purpose of this document is to define the new Root and SubCA certificate policies and chaining layout. It is assumed
that the reader is familiar with the Swiss Government PKI environment.
2 Swiss Government PKI CA Layout
The renewal of the new Root and Sub CAs gets rid of the obsolete hashing and signing algorithm in addition to:.







The obsolete hashing and signing algorithm SHA1 with RSAEncryption get replaced with the
sha256WithRSAWithEncryption Signature, for all new Root and sub CAs
The keys sizes of the CA and SubCAs get all pumped up to 4096 bit
All the SWKP HSM get phased out and replaced with SafeNet HW
All encoding rules for naming conventions (issuer and subject) implement the ASN.1 UTF8String as defined in
X509:2005
Renaming of the CA instances to reflect new naming convention.
Obsolete X500 names in CDP get dropped. LDAP/URL/OCSP URIs get used in place.
AIA extension get introduced for SubCAs
Abbildung 1 Renewed PKI Layout
Swiss Government Root CA I
RSA 4096 / SHA256
PathLength = -1
Swiss Government EnhancedCA 01
RSA 4096 / SHA256
PathLength = 0
Swiss Government SuisseID
Authentication CA 01
RSA 4096 / SHA256
PathLength = 0
Swiss Government Qualified CA 01
RSA 4096 / SHA256
PathLength = 0
Swiss Government Enhanced CA 02
RSA 4096 / SHA256
PathLength = 0
Swiss Government Root CA II
RSA 4096 / SHA256
PathLength = -1
Swiss Government Regular CA 01
RSA 4096 / SHA256
PathLength = 0
Swiss Government EV SSL CA 01
RSA 4096 / SHA256
PathLength = 0
Swiss Government SSL CA 01
RSA 4096 / SHA256
PathLength = 0
Swiss Government Root CA III
RSA 4096 / SHA256
PathLength = -1
Swiss Government
Public Trust Standard CA 02
RSA 4096 / SHA256
PathLength = 0
Swiss Government
Public Trust EV CA 02
RSA 4096 / SHA256
PathLength = 0
Swiss Government
Public Trust Code Signing Standard CA 02
RSA 4096 / SHA256
PathLength = 0
Swiss Government
Public Trust Code Signing EV CA 02
RSA 4096 / SHA256
PathLength = 0
7/251
Policies.docx
Policy Layout
2.1 Naming Conventions
The CA and sub CA Subject Distinguished Names are defined as in:
Common Root:
C
= CH
O
= Swiss Government PKI
OU
= Services
OU
= Certification Authorities
CN
= Swiss Government <<Specifics>>, where <<Specifics>> is replaced with
Tabelle 1 CN Particles
CN particle in <<TBD>>
Root CA I
Root CA II
Class
Obsoletes
New Root CA Classes A & B
New Root CA Classes C & D
AdminRootCA
New
Root CA III
Qualified CA 01
New Root CA Class C (Public Trust)
New Issuing CA Class A
New
AdminCA-A-T01
Enhanced CA 01
Enhanced CA 02
New Issuing CA Class B
New Issuing FUB CA
Admin-CA3
New
Regular CA 01
SuisseID Authentication CA 01
New Issuing Class C & D
New Issuing CA SuisseID
AdminCA-CD-T01
AdminCA-BsID-T01
Public Trust Standard CA 02
Public Trust EV CA 02
New Issuing CA Class C (Public Trust)
New
New
Public Trust Code Signing Standard CA 02
Public Trust Code Signing EV CA 02
New
New
8/251
Policies.docx
Eidgenössisches Finanzdepartement EFD
Bundesamt für Informatik und Telekommunikation BIT
Betrieb
Betrieb Frontend Services
PKI
2.2 Root CA Policies
Swiss Government Root CA I
Verwendungszweck:
tdb
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
sha256WithRSASignature
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
version
2
Version MUST be 3 (value is 2)
issuer
2.5.4.6:CH
2.5.4.10: The Federal Authorities of the Swiss Confederation
2.5.4.11:Services
2.5.4.11:Certification Authorities
2.5.4.3:Swiss Government Root CA I
PrintableString, directoryName
notBefore
“110215090000Z”
UTC TIME, ETSI TS 102 280
notAfter
“350215085959Z”
2.5.4.6:CH
2.5.4.11:Services
TBSCertificate
validity
subject
https://community.bit.admin.ch/team/Trustcenter-PKI-BIT/Private/Dokumentation SwissGov PKI/Certified PKI/Security und Compliance/Policy Management/0040-RV-CA Layout and Policies.docx
X.509 Field
Policy Layout
OIDs/Values
Comments
subjectPublicKeyInfo
algorithm
1.2.840.113549.1.1.1
rsaEncryption
parameters
NULL,
subjectPublicKey
4096 bit
BIT STRING 4096 bit
extnId
2.5.29.35
DN + Cert Serial
extnValue
160 bit
OCTET STRING, 160 bit SHA1 of root subjectPublicKey BIT STRING + authority DN
Extensions
authorityKeyIdentifier
subjectKeyIdentifier
extnId
2.5.29.14
extnValue
160 bit
OCTET STRING, 160 bit SHA1 BIT STRING
keyUsage
extnId
2.5.29.15
critical
TRUE
BOOLEAN
extnValue
RFC 5280
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32
extnValue
1.3.6.1.5.5.7.2.1: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf
PKIX CPS Pointer Qualifier, IA5String, id-qt-cps RFC 5280
1.3.6.1.5.5.7.2.2: This is the Swiss Government Root CA I CPS
PKIX policy qualifier unotice, VisibleString, id-qt-unotice RFC 5280
10/251
X.509 Field
Policy Layout
OIDs/Values
Comments
crlDistributionPoints
extnId
2.5.29.31
extnValue
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA I,ou=Certification Authorities,ou=Services,o=Admin,c=CH
ldap uri IA5String for CA Swiss GovernmentRoot CA I CDPs
basicConstraints
extnId
2.5.29.19
critical
TRUE
BOOLEAN
extnValue
cA TRUE
BOOLEAN
pathLenConstraint
-1
INTEGER, indefinite child CA
Swiss Government Root CA II
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
version
2
serialNumber
xxxxx
Unique, random positive integer
issuer
2.5.4.6:CH
2.5.4.10:The Federal Authorities of the Swiss Confederation
2.5.4.11:Services
2.5.4.3:Swiss Government Root CA II
“110216090000Z”
TBSCertificate
validity
notBefore
11/251
X.509 Field
Policy Layout
OIDs/Values
Comments
“350216085959Z”
2.5.4.6:CH
2.5.4.11:Services
algorithm
1.2.840.113549.1.1.1
rsaEncryption
parameters
NULL
subjectPublicKey
4096 bit
BIT STRING 4096 bit
extnId
2.5.29.35
DN + Cert Serial
extnValue
160 bit
OCTET STRING, 160 bit SHA1 of BIT STRING
notAfter
subject
Extensions
extnId
2.5.29.14
extnValue
160 bit
keyUsage
extnId
2.5.29.15
critical
TRUE
BOOLEAN
‘000001100’B
RFC 5280
extnValue
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
12/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.29.32,
1.3.6.1.5.5.7.2.1: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf
PKIX CPS Pointer Qualifier, IA5String, id-qt-cps RFC 5280
1.3.6.1.5.5.7.2.2: This is the Swiss Government Root CA II CPS
PKIX policy qualifier unotice, VisibleString, id-qt-unotice RFC 5280
certificatePolicies
extnId
extnValue
extnId
2.5.29.31
extnValue
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA II, ou=Certification
Authorities,ou=Services,o=Admin,c=CH
ldap uri IA5String CA Swiss Government Root CA II CDPs
basicConstraints
extnId
2.5.29.19
critical
TRUE
BOOLEAN
extnValue
cA TRUE
BOOLEAN
pathLenConstraint
-1
Swiss Government Root CA III (2.16.756.1.17.3.61.0)
Verwendungszweck:
SSL Root CA III
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
version
2
serialNumber
xxxxx
Unique, random positive integer with 20-bit entropy according to Baseline Requirements
TBSCertificate
13/251
Policy Layout
X.509 Field
OIDs/Values
Comments
issuer
2.5.4.6:CH
2.5.4.10:Swiss Government PKI
2.5.4.11:www.pki.admin.ch
2.5.4.3:Swiss Government Root CA III
notBefore
“110216090000Z”
notAfter
“350216085959Z”
2.5.4.6:CH
algorithm
1.2.840.113549.1.1.1
rsaEncryption
parameters
NULL
subjectPublicKey
4096 bit
BIT STRING, 4096 Bit
extnId
2.5.29.35
DN + Cert Serial
extnValue
160 bit
validity
subject
Extensions
extnId
2.5.29.14
extnValue
160 bit
keyUsage
extnId
2.5.29.15
critical
TRUE
BOOLEAN
extnValue
‘000001100’B
RFC 5280
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
14/251
X.509 Field
Policy Layout
OIDs/Values
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
Comments
NOT SET
extnId
extnValue
NOT SET
extnId
extnValue
basicConstraints
extnId
2.5.29.19
critical
TRUE
BOOLEAN
extnValue
cA TRUE
BOOLEAN
pathLenConstraint
-1
2.3 Issuing CA Policies
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
1.2.840.113549.1.1.11
signatureAlgorithm
algorithm
15/251
X.509 Field
parameters
signature
Policy Layout
OIDs/Values
Comments
NULL
4096 bit
4096 bit BIT STRING
version
2
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
UTF8String, directoryName
notBefore
“110215090000Z”
notAfter
“250215085959Z”
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Services
2.5.4.3:Swiss Government Enhanced CA 01
algorithm
1.2.840.113549.1.1.1
rsaEncryption
parameters
NULL
subjectPublicKey
4096 bit
BIT STRING 4096 bit
extnId
2.5.29.35
DN +Cert Serial
extnValue
160 bit
OCTET STRING, 160 bit0 SHA1 of BIT STRING
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
160 bit
keyUsage
extnId
2.5.29.15
16/251
X.509 Field
Policy Layout
OIDs/Values
Comments
critical
TRUE
BOOLEAN
extnValue
‘000001100’B
keyCertSign (bit 5), cRLSign (bit 6)
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32
extnValue
2.16.756.1.17.3.1.0
extnId
1.3.6.1.5.5.7.2.2
PKIX policy qualifier unotice
extnValue
This is the Swiss Government Root CA I CPS,
VisibleString, id-qt-unotice RFC 3280
extnId
1.3.6.1.5.5.7.2.1,
PKIX CPS Pointer Qualifier
extnValue
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf,
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
INTEGER, no child CA
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/RootCAI.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA I, ou=Certification
Authorities,ou=Services,o=Admin,c=CH,
uri IA5String
ldap uri IA5String
CA Swiss Government Root CA I CDPs
authorityInfoAccess
SEQUENCE
17/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
1.3.6.1.5.5.7.1.1,
Certificate Authority Information Access, OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/RootCAI.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
http://www.pki.admin.ch/aia/ocsp ,
uri IA5String
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
Signature
4096 bit
4096 bit BIT STRING
version
2
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
“XXXXXXXX0000Z”,
TBSCertificate
validity
notBefore
18/251
X.509 Field
Policy Layout
OIDs/Values
Comments
“XXXXXXXX5959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Services
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
4096 bit
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
OCTET STRING, 160 bit0 SHA1 of BIT STRING (not including S/N and GN)
notAfter
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
19/251
Policy Layout
X.509 Field
OIDs/Values
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.1.0,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0
extnId
2.5.29.31,
extnValue
http://www.technical-pki.admin.ch/crl/RootCAI.crl,
Authorities,ou=Services,o=Admin,c=CH ,
uri IA5String
ldap uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
20/251
Policy Layout
Swiss Government SuisseID Authentication CA 01
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110215090000Z”,
notAfter
“250215085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Services
subject
2.5.4.3:Swiss Government SuisseID Authentication CA 01
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
rsaEncryption
…..,
BIT STRING 4096 bit
Extensions
21/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.1.0,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
22/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
INTEGER, 0 child CA
extnId
2.5.29.31,
extnValue
uri IA5String
ldap uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
http://www.pki.admin.ch/aia/ocsp,
uri IA5String
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
TBSCertificate
23/251
Policy Layout
X.509 Field
OIDs/Values
Comments
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110215090000Z”,
notAfter
“250215085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Services
validity
subject
2.5.4.3:Swiss Government Qualified CA 01
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN + Cert Serial
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
24/251
X.509 Field
Policy Layout
OIDs/Values
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.1.0,
extnId
extnValue
1.3.6.1.5.5.7.2.2,
O=ZertES Recognition Body: KPMG AG,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
extnId
2.5.29.18,
extnValue
O=ZertES Recognition Body: KPMG AG,
issuerAltName
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
extnId
2.5.29.31,
extnValue
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA I,ou=Certification
uri IA5String
ldap uri IA5String CA inherits CDPs
25/251
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
qcStatments
etxnId
1.3.6.1.5.5.7.1.3,
critical
FLASE
BOOLEAN
extnValue
SEQUENCE OF
OCTET STRING
QCStatment
statmentId
SEQUENCE
0.4.0.1862.1.1
qcs-Qccompliance
etxnId
2.5.29.18,
extnValue
O=ZertES Recognition Body: KPMG AG
issuerAltName
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
26/251
Policy Layout
X.509 Field
OIDs/Values
Comments
signature
4096 bit
4096 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“250216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Services
subject
2.5.4.3:Swiss Government Regular CA 01
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
OCTET STRING, 160 bit SHA1 ofBIT STRING
Extensions
extnId
2.5.29.14
extnValue
…..,
OCTET STRING, 160 bit SHA1 of self subjectPublicKey BIT STRING
keyUsage
extnId
2.5.29.15,
27/251
X.509 Field
Policy Layout
OIDs/Values
Comments
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.21.1,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Root CA II CPS,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/RootCAII.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA II,ou=Certification
uri IA5String
authorityInfoAccess
SEQUENCE
28/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/RootCAII.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
version
2
This field describes the version of the encoded certificate. When
extensions are used, as expected in this profile, version MUST be 3
(value is 2).
serialNumber
Random
The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA. CAs MUST force the serialNumber to be a non-negative
integer.
TBSCertificate
signature
29/251
X.509 Field
algorithm
Policy Layout
OIDs/Values
Comments
1.2.840.113549.1.1.11: sha256WithRSASignature
This field contains the algorithm identifier for the algorithm used
by the CA to sign the certificate.
This field MUST contain the same algorithm identifier as the
signatureAlgorithm field in the sequence Certificate. The contents of
the optional parameters field will vary according to the algorithm
identified.
parameters
NULL,
2.5.4.6:CH
2.5.4.11:Services
The issuer field identifies the entity that has signed and issued the
certificate. The issuer field MUST contain a non-empty distinguished
name (DN).
notBefore
“140515090000Z”,
notAfter
“280515085959Z”,
The subject field identifies the entity associated with the public key
stored in the subject public key field. The subject name MAY be carried
in the subject field and/or the subjectAltName extension. If the subject
is a CA, then the subject field MUST be populated with a non-empty
distinguished name matching the contents of the issuer field in all
certificates issued by the subject CA.
issuer
validity
subject
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:Swiss Government SSL CA 01
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
Extensions
30/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
‘000001100,
certSign, crlSign
extnValue
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.21.2,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this subordinate CA is for SSL server issuance only.,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
31/251
Policy Layout
X.509 Field
OIDs/Values
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/SSLCA01.crl
ldap://admindir.admin.ch:389/cn=Swiss Government SSL CA 01,ou=Certification
Comments
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/SSLCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Swiss Government EV SSL CA 01
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
4096 bit
4096 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
TBSCertificate
signature
32/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL,
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“140515090000Z”,
notAfter
“280515085959Z”,
2.5.4.6:CH
2.5.4.11:Services
validity
subject
2.5.4.3:Swiss Government EV SSL CA 01
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
33/251
X.509 Field
Policy Layout
OIDs/Values
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
extnValue
extnId
2.5.29.32,
anyPolicy
2.16.756.1.17.3.21.3,
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this subordinate CA is for EV SSL server issuance only.,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
0,
pathLenConstraint
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/RootCAII.crl
ldap://admindir.admin.ch:389/cn=Swiss Government EV SSL CA 01,ou=Certification
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
34/251
Policy Layout
X.509 Field
OIDs/Values
accessDescription
Comments
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/EVSSLCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Swiss Government Public Trust Standard CA 02 (2.16.756.1.17.3.61.1)
Verwendungszweck:
Issuing CA: Swiss Government Public Trust Standard CA 02
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
algorithm
4096 bit
4096 bit BIT STRING
identified.
parameters
NULL,
TBSCertificate
version
2
(value is 2).
35/251
Policy Layout
X.509 Field
OIDs/Values
Comments
serialNumber
20-Bit entropy
issuer
2.5.4.6:CH
integer with 20-bit entropy according to Baseline Requirements.
name (DN).
validity
notBefore
“140515090000Z”,
notAfter
“280515085959Z”,
subject
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:Swiss Government Public Trust Standard CA 02
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
36/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
‘000001100,
certSign, crlSign
extnValue
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
critical
TRUE
extnValue
2.16.756.1.17.3.61.1,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
extnId
1.3.6.1.5.5.7.2.2,
extnValue
Reliance on the SG Root CA III Certificate by any party assumes acceptance of the then
applicable standard terms and conditions of use and the SG Root CA III CPS,
BR 1.3.3 Chap. 7.1.2.2 a.
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/RootCAIII.crl
uri IA5String
37/251
Policy Layout
X.509 Field
OIDs/Values
Comments
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA III,ou=Certification
ldap uri IA5String CA CDPs
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/RootCAIII.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Swiss Government Public Trust EV CA 02 (2.16.756.1.17.3.61.2)
Verwendungszweck:
Issuing CA: Swiss Government Public Trust EV CA 02
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
algorithm
4096 bit
4096 bit BIT STRING
identified.
38/251
X.509 Field
parameters
Policy Layout
OIDs/Values
Comments
NULL,
TBSCertificate
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
integer with 20-bit entropy according to Baseline Requirements
name (DN).
validity
notBefore
“140515090000Z”,
notAfter
“280515085959Z”,
subject
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:Swiss Government Public Trust EV CA 02
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 4096 bit
2.5.29.35,
DN +Cert Serial
Extensions
extnId
39/251
X.509 Field
extnValue
Policy Layout
OIDs/Values
Comments
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
anyPolicy
extnValue
2.16.756.1.17.3.61.2,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
40/251
Policy Layout
X.509 Field
OIDs/Values
Comments
pathLenConstraint
0,
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Swiss Government Public Trust Code Signing Standard CA 02 (2.16.756.1.17.3.61.3)
Verwendungszweck:
Issuing CA: Swiss Government Public Trust Code Signing Standard CA 02
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
algorithm
4096 bit
4096 bit BIT STRING
41/251
X.509 Field
Policy Layout
OIDs/Values
Comments
identified.
parameters
NULL,
TBSCertificate
version
2
(value is 2).
serialNumber
Random
issuer
2.5.4.6:CH
name (DN).
validity
notBefore
“yymmddhhmmssZ”,
notAfter
UTC TIME, ETSI TS 102 280 (14 years)
subject
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:Swiss Government Public Trust Code Signing Standard CA 02
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
42/251
X.509 Field
Policy Layout
OIDs/Values
Comments
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
subjectPublicKey
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘000001100,
certSign, crlSign
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
critical
TRUE
extnValue
2.16.756.1.17.3.61.3,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
extnId
1.3.6.1.5.5.7.2.2,
BR 1.3.3 Chap. 7.1.2.2 a.
IA5String, cps
43/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
Reliance on the SG Root CA III Certificate by any party assumes acceptance of the
applicable standard terms and conditions of use and the SG Root CA III CPS
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
pathLenConstraint
0,
extnId
2.5.29.31,
extnValue
ldap://admindir.admin.ch:389/cn=Swiss Government Root CA III, ou=Certification
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Swiss Government Public Trust Code Signing EV CA 02 (2.16.756.1.17.3.61.4)
Verwendungszweck:
Issuing CA: Swiss Government Public Trust Code Signing EV CA 02
44/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
algorithm
4096 bit
4096 bit BIT STRING
identified.
parameters
NULL,
TBSCertificate
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
name (DN).
validity
subject
notBefore
notAfter
2.5.4.6:CH
2.5.4.11:Services
45/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.3:Swiss Government Public Trust Code Signing EV CA 02
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 4096 bit
extnId
2.5.29.35,
DN +Cert Serial
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
‘000001100,
certSign, crlSign
extnValue
digitalSignature
0
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
1
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
anyPolicy
46/251
Policy Layout
X.509 Field
OIDs/Values
extnValue
2.16.756.1.17.3.61.4,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
applicable standard terms and conditions of use and the SG Root CA III CPS
extnId
1.3.6.1.5.5.7.2.1,
extnValue
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA TRUE,
BOOLEAN
0,
pathLenConstraint
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
http://www.pki.admin.ch/aia/ocsp,
uri IA5String
47/251
Policy Layout
2.4 End Entity Policies
2.4.1.1
Class B – Standard
2.4.1.1.1 Authentication
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
subject
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Weisse Seiten
48/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.3:Last First Hash
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
rsaEncryption
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
7 unused bits ‘1’B (bit 0) ,
Digital Signature
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.2.15,
extnId
1.3.6.1.5.5.7.2.2,
49/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnValue
This is the Swiss Government Enhanced CA 01 CPS for end users,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
Critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/EnhancedCA01.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Enhanced CA 01,ou=Certification
authorityInfoAccess
uri IA5String
ldap uri IA5String CA Swiss Government Enhanced CA 01 CDPs
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/EnhancedCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.37, SEQUENCE OF OIDs
OCTECT STING encapsulates
extendedKeyUsage
extnId
Client Authentication (1.3.6.1.5.5.7.3.2)
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
,
subjectAltName
extnId
2.5.29.17, SEQUENCE
50/251
X.509 Field
Policy Layout
OIDs/Values
Comments
[1] rfc822 Email
RFC 822 Email
[0] OID 1.3.6.1.4.1.311.20.2.3 UTF8 String
Microsoft UPN
2.4.1.1.2 Digital Signature
Verwendungszweck:
Das Class B Digital Signature Zertifikat bestätigt die Echtheit, Integrität und Nicht-Abstreitbarkeit einer mit ihrem Schlüssel signierter Nachricht
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
subject
51/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
‘010000000’B ,
Digital Signature, Non Repudiation
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.2.11,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
52/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
53/251
Policy Layout
2.4.1.1.3 Encryption
Verwendungszweck:
Mit dem Schlüssel des Class B Encryption Zertifikates wird sichergestellt, dass Nachrichten auf dem Übertragungsweg nicht abgehört werden.
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
2.5.29.35,
KeyId
TBSCertificate
validity
subject
Extensions
extnId
54/251
X.509 Field
extnValue
Policy Layout
OIDs/Values
Comments
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
4 unused bits ‘1100’B ,
RFC 5280
digitalSignature
0
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.10,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
55/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
56/251
Policy Layout
2.4.2.1
Class A Qualified Digital Signature
2.4.2.1.1 Person
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
Issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
Subject
57/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
`. . . . . . . .`B,
BIT STRING, 2048 Bit
extnId
2.5.29.35,
KeyId
extnValue
`. . . . .Ò,
Extensions
extnId
2.5.29.14
extnValue
`. . . . .Ò,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
0
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
In an end entity certificate, these policy information terms indicate the
policy under which the certificate has been issued and the purposes for
which the certificate may be used.
2.16.756.1.17.3.2.17,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Qualified CA 01 CPS for end users,
58/251
Policy Layout
X.509 Field
OIDs/Values
extnId
1.3.6.1.5.5.7.2.1,
extnValue
Comments
IA5String, cps
issuerAltName
extnId
2.5.29.18
extnValue
“O=ZertES Recognition Body: KPMG AG”,
directoryName
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/QualifiedCA01.crl,
ldap://admindir.admin.ch:389/cn=Swiss Government Qualified CA 01,ou=Certification
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/QualifiedCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
qcStatements
extnId
1.3.6.1.5.5.7.1.3,
extnValue
SEQUENCE OF
qCStatement
statementId
OCTET STRING
SEQUENCE
0.4.0.1862.1.1,
qcs-QcCompliance
59/251
Policy Layout
X.509 Field
OIDs/Values
qCStatement
Comments
SEQUENCE
statementId
0.4.0.1862.1.2,
statementInfo
SEQUENCE
currency
CHF,
Iso4217CurrencyCode
amount
2,
CHF 0-2 Mio
exponent
6,
INTEGER
qCStatement
statementId
qcs-QcLimitValue
SEQUENCE
0.4.0.1862.1.4,
qcs-QcSSCD
2.4.2.1.2 FreeDN
Verwendungszweck:
Tbd
2.4.2.1.3 FreeDN pre-assigned
Verwendungszweck:
tbd
2.4.2.1.4 SHAB Archive Signer
Verwendungszweck:
Tbd
2.4.2.1.5 Time Stamp Signer (Luna SA)
Verwendungszweck:
tbd
60/251
X.509 Field
Policy Layout
OIDs/Values
Comments
Algorithm
1.2.840.113549.1.1.11
Parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“YYMMDDHHMMSSZ”,
notAfter
2.5.4.6:CH
2.5.4.7:Bern
2.5.4.11:Time Stamp Services
subject
2.5.4.3: Swiss Government TSA
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
RFC 3279
subjectPublicKey
`……..`B,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
`…..Ò,
Extensions
61/251
X.509 Field
Policy Layout
OIDs/Values
extnId
2.5.29.14
extnValue
`…..Ò,
Comments
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘00000010’B ,
RFC 5280
digitalSignature
0
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.18,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Qualified CA 01 CPS for timestamping purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
issuerAltName
extnId
2.5.29.18 ,
extnValue
“O=ZertES-Certification Body: KPMG AG” ,
directoryName, UTF8String
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
62/251
X.509 Field
pathLenConstraint
Policy Layout
OIDs/Values
Comments
None ,
INTEGER, End Entity
extendedKeyUsage
extnId
2.5.29.37,
Critical
TRUE,
1.3.6.1.5.5.7.3.8 ,
timeStamping
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/QualifiedCA01.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Qualified CA 01,ou=Certification
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/QualifiedCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Swiss Government Enhanced CA02
2.4.3.1
uri IA5String
ldap uri IA5String CA Swiss Government Qualified CA 01 CDPs
Class B – Pre-staged (FUB)
Verwendungszweck:
63/251
Policy Layout
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
Signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6: CH
2.5.4.10: Admin
2.5.4.11: VBS
2.5.4.11: <AIS Entry OU>
2.16.840.1.113730.3.1.3: <Employee Number>
2.5.4.3: <First Last>
First Last maps to LDAP DisplayName in AIS imported fields
Employee Number maps to SSN in uid LDAP filed imported from AIS
OU is AIS mapped OU (first in chain)
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
TBSCertificate
validity
subject
BIT STRING 2048 bit
Extensions
critical
FALSE
64/251
X.509 Field
Policy Layout
OIDs/Values
Comments
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
include Authority Key Identifier: TRUE
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
65/251
X.509 Field
Policy Layout
OIDs/Values
decipherOnly
Comments
0
certificatePolicies
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
id-ce-certificatePolicies
2.16.756.1.17.3.2.30,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, id-qt-cps
basicConstraints
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.19,
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
http://www.technical-pki.admin.ch/crl/EnhancedCA02.crl
uri IA5String
66/251
Policy Layout
X.509 Field
OIDs/Values
Comments
ldap:///CN=Swiss%20Government%20Enhanced%20CA%2002,CN=SGCA02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ifr,DC=i
ntra2,DC=admin,DC=ch?certificateRevocationList?base?objectClass=cRLDistributionPoint
authorityInfoAccess
SEQUENCE
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
subjectAltName
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.17, SEQUENCE
67/251
X.509 Field
Policy Layout
OIDs/Values
Comments
[1] rfc822 Email
RFC 822 Email
[0] OID 1.3.6.1.4.1.311.20.2.3 UTF8 String
Microsoft UPN
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
subject
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6: CH
2.5.4.10: Admin
2.5.4.11: VBS
2.5.4.11: AIS Entry OU
2.16.840.1.113730.3.1.3: Employee Number
68/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.3: First Last
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
…..,
rsaEncryption
BIT STRING 2048 bit
Extensions
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
Include Authority Key Identifier
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
69/251
X.509 Field
Policy Layout
OIDs/Values
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.2.31,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.19,
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
70/251
Policy Layout
X.509 Field
OIDs/Values
Comments
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
critical
FALSE
mandatory
TRUE
editable
FALSE
71/251
X.509 Field
Policy Layout
OIDs/Values
Comments
visible
TRUE
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
subject
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6: CH
2.5.4.10: Admin
2.5.4.11: VBS
2.5.4.11: AIS Entry OU
72/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.16.840.1.113730.3.1.3: Employee Number
2.5.4.3: First Last
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
…..,
rsaEncryption
BIT STRING 2048 bit
Extensions
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
73/251
X.509 Field
extnValue
Policy Layout
OIDs/Values
Comments
RFC 5280
digitalSignature
0
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.2.32,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
74/251
Policy Layout
X.509 Field
pathLenConstraint
OIDs/Values
Comments
None ,
INTEGER, End Entity
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
Email Protection
Microsoft EFS
subjectAltName
75/251
X.509 Field
Policy Layout
OIDs/Values
Comments
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
2.4.3.2
Class B pre-staged (BV)
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
76/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
subject
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
77/251
Policy Layout
X.509 Field
OIDs/Values
decipherOnly
Comments
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.2.33,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Certificate Policy for Authentication of the Swiss Government Enhanced CA
02,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
78/251
X.509 Field
Policy Layout
OIDs/Values
Comments
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
[0] OID 1.3.6.1.4.1.311.20.2.3 UTF8 String
Microsoft UPN
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
79/251
Policy Layout
X.509 Field
OIDs/Values
Comments
subject
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
80/251
Policy Layout
X.509 Field
OIDs/Values
extnId
Comments
2.5.29.32,
extnValue
2.16.756.1.17.3.2.34,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Certificate Policy for Digital Signature of the Swiss Government Enhanced CA
02,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
81/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
extnId
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
subject
82/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
0
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.35,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Certificate Policy for Encipherment of the Swiss Government Enhanced CA 02, VisibleString, id-qt-unotice RFC 3280
extnId
1.3.6.1.5.5.7.2.1,
83/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
84/251
Policy Layout
2.4.4.1
Class C : Standard Products
2.4.4.1.1 Group Mailbox
Verwendungszweck:
Tbd
Warning: The usage of this policy is not recommended due to inappropriate combination of key usages. It is nevertheless listed here to match the official product catalogue.
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.7:<Locality z.B. Bern>
2.5.4.10:<Organizationname z.B. Kanton Bern>
2.5.4.11:eGov-Services
TBSCertificate
validity
subject
85/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.11:Group Mailboxes
2.5.4.3:<Displayname Groupmailbox z.B. _BIT-PKI-Info>
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
‘00010111’B,
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.22,
86/251
Policy Layout
X.509 Field
OIDs/Values
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 Policy for Group Mail Box ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/RegularCA01.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Regular CA 01,ou=Certification
authorityInfoAccess
uri IA5String
ldap uri IA5String CA Swiss Government Regular CA 01 CDPs
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/RegularCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
1.3.6.1.5.5.7.3.2
clientAuthentication
1.3.6.1.5.5.7.3.4
emailProtection
2.5.29.17, SEQUENCE
subjectAltName
extnId
87/251
X.509 Field
Policy Layout
OIDs/Values
Comments
[1] rfc822 Email
RFC 822 Email
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
2.4.4.1.2 Person Authentication
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.10: Swiss Government PKI
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
2.5.4.10: <Organisation Name>
2.5.4.11: <Organisation Unit>
2.5.4.3:<Common Name> ,
L = City
O = City, or Administration Unit or Swiss Government PKI etc.
OU = Organisation Unit
CN = Lastname Firstname
1.2.840.113549.1.1.1,
rsaEncryption
TBSCertificate
validity
subject
algorithm
88/251
X.509 Field
Policy Layout
OIDs/Values
Comments
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
extnId
2.5.29.32,
2.16.756.1.17.3.22.36,
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for person authentication,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf ,
IA5String, cps
89/251
Policy Layout
X.509 Field
OIDs/Values
Comments
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.3 Person Authentication/Signature
Verwendungszweck:
90/251
Policy Layout
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
L = City
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
91/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
6 unused bits ‘11’B
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.40 ,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for persons authentication and
signature purposes ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
92/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.4 Person Authentication/Signature/Encryption
Verwendungszweck:
Tbd
93/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
L = City
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
94/251
X.509 Field
Policy Layout
OIDs/Values
Comments
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.41 ,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for persons authentication, signature
and encryption purposes ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
95/251
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1]< rfc822 Email>
RFC 822 Email
2.4.4.1.5 Person Signature/Encryption
Verwendungszweck:
Tbd
X.509 Field
OIDs/Values
Comments
1.2.840.113549.1.1.11
signatureAlgorithm
algorithm
96/251
X.509 Field
parameters
signature
Policy Layout
OIDs/Values
Comments
NULL
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
L = City
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
97/251
X.509 Field
Policy Layout
OIDs/Values
Comments
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.42 ,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for persons signature and encryption
purposes ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
98/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1]<<rfc822 Email>
RFC 822 Email
2.4.4.1.6 Organization Authentication
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
2
v3 cert
TBSCertificate
version
99/251
Policy Layout
X.509 Field
OIDs/Values
Comments
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
2.5.4.3: <UID> ,
L = Ort
O = Name, Firma oder Bezeichnung
OU = Zusätzlicher Name
CN = UID (see https://www.uid.admin.ch)
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
100/251
X.509 Field
Policy Layout
OIDs/Values
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.37,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for organization authentication,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
101/251
Policy Layout
X.509 Field
OIDs/Values
Comments
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.7 Organization Authentication/Signature
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
TBSCertificate
102/251
X.509 Field
Policy Layout
OIDs/Values
Comments
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
2.5.4.3: <UID> ,
L = Ort
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
6 unused bits ‘11’B,
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
103/251
Policy Layout
X.509 Field
OIDs/Values
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.43,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for organization authentication and
signature purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
accessMethod
SEQUENCE
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
104/251
Policy Layout
X.509 Field
accessLocation
OIDs/Values
Comments
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.8 Organization Authentication/Signature/Encryption
Verwendungszweck:
Tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
TBSCertificate
105/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:<CH>
2.5.4.7:<Location>
2.5.4.3: <Common Name> ,
L = Ort
O = Name, Firma, Bezeichnung oder UID (see https://www.uid.admin.ch)
OU = Zusätzlicher Name oder UID (see https://www.uid.admin.ch)
CN = Name, Firma oder Bezeichnung
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
106/251
Policy Layout
X.509 Field
OIDs/Values
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.44,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for organization authentication,
signature and encryption purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
107/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.9 Organization Signature/Encryption
Verwendungszweck:
Tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
TBSCertificate
108/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.7:<Location>
2.5.4.3: <UID> ,
L = Ort
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
109/251
Policy Layout
X.509 Field
OIDs/Values
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.45,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for organization signature and
encryption purposes ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
110/251
X.509 Field
extnId
Policy Layout
OIDs/Values
Comments
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
2.4.4.1.10 System Authentication
Verwendungszweck:
tbd
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
TBSCertificate
validity
subject
111/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.10:Admin
2.5.4.11: <Systemplattform-Name>
2.5.4.3: <System-Name>
z.B. O = Systemplattform eDokumente
z.B. CN = TUSER-SYSP-SCU1119B
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
112/251
Policy Layout
X.509 Field
OIDs/Values
extnValue
Comments
2.16.756.1.17.3.22.46,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for system authentication,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
subjectAltName
extnId
2.5.29.17, SEQUENCE
113/251
X.509 Field
Policy Layout
OIDs/Values
Comments
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.11 System Authentication/Signature
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.10:Admin
1.2.840.113549.1.1.1,
rsaEncryption
TBSCertificate
validity
subject
algorithm
114/251
X.509 Field
Policy Layout
OIDs/Values
Comments
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.47,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for system authentication and signature VisibleString, id-qt-unotice RFC 3280
purposes,
extnId
1.3.6.1.5.5.7.2.1,
115/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
116/251
Policy Layout
2.4.4.1.12 System Authentication/Signature/Encryption
Verwendungszweck:
Tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
TBSCertificate
validity
subject
z.B. OU = Systemplattform eDokumente
BIT STRING 2048 bit
Extensions
117/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.35,
KeyId
extnValue
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.48,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for system authentication, signature
and encryption purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
118/251
Policy Layout
X.509 Field
OIDs/Values
Comments
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.13 System Signature/Encryption
Verwendungszweck:
119/251
Policy Layout
Tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
120/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.49,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for system signature and encryption
purposes ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
121/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
2.4.4.1.14 System Signature
Verwendungszweck:
tbd
122/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
123/251
X.509 Field
Policy Layout
OIDs/Values
Comments
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
extnId
2.5.29.32,
2.16.756.1.17.3.22.53,
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for System Signature purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
124/251
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
OIDs/Values
Comments
Algorithm
1.2.840.113549.1.1.11
Parameters
NULL
2.4.4.1.15 System Encryption
Verwendungszweck:
Tbd
X.509 Field
signatureAlgorithm
Signature
2048 bit
2048 bit BIT STRING
125/251
X.509 Field
Policy Layout
OIDs/Values
Comments
Version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
Parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
Critical
TRUE,
BOOLEAN
extnValue
RFC 5280
126/251
X.509 Field
Policy Layout
OIDs/Values
digitalSignature
0
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
extnValue
extnId
2.5.29.32,
2.16.756.1.17.3.22.55,
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for System Encryption purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
127/251
Policy Layout
X.509 Field
OIDs/Values
accessDescription
Comments
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
2.4.4.2
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
Class D : Customer specific Policies
2.4.4.2.1 Client Authentication
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
TBSCertificate
128/251
Policy Layout
X.509 Field
OIDs/Values
Comments
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Anwendungen
subject
2.5.4.3:<Anwendungsname z.B. SEDEX>
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
129/251
Policy Layout
X.509 Field
OIDs/Values
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.31,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for client authentication purposes ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
130/251
Policy Layout
X.509 Field
OIDs/Values
accessDescription
Comments
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
[0] OID 1.3.6.1.4.1.311.20.2.3 UTF8 String
Microsoft UPN
2.4.4.2.2 Process Authentication EJPD SSO-Portal
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique random integer
Unique random [integer]
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
2.5.4.3:Swiss Government Regular CA 01 ,
131/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
notAfter
“YYMMDDHHMMSSZ” ,
2.5.4.6:CH
2.5.4.7:<Location>
2.5.4.10: <Name Verwaltung>
2.5.4.11: SSO Portal EJPD
L = Stadt oder Gemeinde
O = Stadt-, Gemeindeverwaltung etc.
OU = Konstante „SSO Portal EJPD“
CN = Maschinenname oder Benutzername
algorithm
1.2.840.113549.1.1.1 ,
rsaEncryption
parameters
NULL,
subjectPublicKey
` . . . . . . . . ` B,
BIT STRING 2048 bit
extnId
2.5.29.35 ,
KeyId
extnValue
`......Ò ,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
`.....Ò,
keyUsage
extnId
2.5.29.15 ,
critical
extnValue
TRUE,
BOOLEAN
` 00001101 ` B ,
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
132/251
X.509 Field
Policy Layout
OIDs/Values
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32 ,
extnValue
2.16.756.1.17.3.22.35 ,
extnId
1.3.6.1.5.5.7.2.2 ,
extnValue
This is the Swiss Government Regular CA 01 CP for Authentication/Encryption the EJPD
SSO portal ,
extnId
1.3.6.1.5.5.7.2.1 ,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19 ,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE ,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31 ,
extnValue
Authorities,ou=Services,o=Admin,c=CH ,
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1 ,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
accessMethod
accessLocation
accessDescription
SEQUENCE
1.3.6.1.5.5.7.48.2 ,
id-ad-caIssuers
uri IA5String
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1 ,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
133/251
X.509 Field
extnId
Policy Layout
OIDs/Values
Comments
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
emailProtection
subjectAltName
extnId
2.5.29.17 , SEQUENCE
[1] rfc822 Email
RFC 822 Email
[0] OID 1.3.6.1.4.1.311.20.2.3 UTF8 String
Microsoft UPN
2.4.4.2.3 Governikus Core Signature Certificate
Verwendungszweck:
This is the Swiss Government Regular CA 01 CP for Governikus Core Signature only purposes.
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
“110216090000Z”,
TBSCertificate
validity
notBefore
134/251
X.509 Field
Policy Layout
OIDs/Values
Comments
“140216085959Z”,
2.5.4.6:CH
2.5.4.7:Bern
2.5.4.10:BIT
2.5.4.11:Governikus
2.5.4.3:Governikus Core Signature Certificate
C= Landesabkürzung nach ISO 3166
L = Standort
O = Organisation
OU = Market Operations
CN = Governikus <Funktion>
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
notAfter
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
‘010000000’B ,
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
135/251
Policy Layout
X.509 Field
OIDs/Values
decipherOnly
Comments
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.57,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for Governikus Core Signature purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
ldap uri IA5String CA Regular CA 01 CDPs
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/RegularCA01.crt ,
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.37,
extendedKeyUsage
extnId
136/251
X.509 Field
critical
Policy Layout
OIDs/Values
Comments
TRUE, SEQUENCE OF OIDs
BOOLEAN
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email (OPTIONAL)
subjectAltName
extnId
2.4.4.2.4 Governikus OSCI Transport Encryption Certificate
Verwendungszweck:
This is the Swiss Government Regular CA 01 CP for Governikus OSCI Transport Encryption purposes
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
TBSCertificate
validity
subject
137/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.6:CH
2.5.4.7:Bern
2.5.4.10:BIT
2.5.4.11:Governikus
2.5.4.3: Governikus OSCI Transport Encryption Certificate
L = Standort
O = Organisation
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
0
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
1
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
138/251
Policy Layout
X.509 Field
OIDs/Values
extnId
Comments
2.5.29.32,
extnValue
2.16.756.1.17.3.22.58,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for Governikus OSCI Transport Encryption VisibleString, id-qt-unotice RFC 3280
purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
2.5.29.37,
critical
BOOLEAN
subjectAltName
139/251
X.509 Field
extnId
Policy Layout
OIDs/Values
Comments
2.5.29.17, SEQUENCE
[1] rfc822 Email
2.4.4.2.5 Governikus OSCI Transport Signature Certificate
Verwendungszweck:
This is the Swiss Government Regular CA 01 CP for Governikus OSCI Transport Signature only purposes
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.7:Bern
2.5.4.10:BIT
2.5.4.11:Governikus
2.5.4.3: Governikus OSCI Transport Signature Certificate
L = Standort
O = Organisation
subject
140/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.59 ,
extnId
1.3.6.1.5.5.7.2.2,
141/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnValue
This is the Swiss Government Regular CA 01 CP for Governikus OSCI Transport Signature
purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extnId
2.5.29.37,
critical
BOOLEAN
2.5.29.17, SEQUENCE
[1] rfc822 Email
extendedKeyUsage
subjectAltName
extnId
142/251
Policy Layout
2.4.4.2.6 Governikus Core Timestamp Certificate
Verwendungszweck:
This is the Swiss Government Regular CA 01 CPS for Governikus Core Timestamp only purpose
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.7:Bern
2.5.4.10:BIT
2.5.4.11:Governikus
2.5.4.3: Governikus Core Timestamp Certificate
L = Standort
O = Organisation
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
TBSCertificate
validity
subject
BIT STRING 2048 bit
Extensions
143/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.35,
KeyId
extnValue
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
0
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.60 ,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for Governikus Core Timestamp
purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
144/251
Policy Layout
X.509 Field
OIDs/Values
Comments
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extnId
2.5.29.37,
critical
Time Stamp (1.3.6.1.5.5.7.3.8)
BOOLEAN
2.5.29.17, SEQUENCE
[1] rfc822 Email
extendedKeyUsage
id-kp-timeStamping
subjectAltName
extnId
2.4.4.2.7 ZKV
Verwendungszweck:
Authentifizierung, Verschlüsselung
145/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
subject
2.5.4.11:ZKV
2.5.4.3:Common Name SUFFIX
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
146/251
X.509 Field
Policy Layout
OIDs/Values
extnId
2.5.29.14
extnValue
…..,
Comments
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3. 22.25,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for ZKV authentication purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
147/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
http://www.pki.admin.ch/crl/ RegularCA01.crl
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/ RegularCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
Email Protection (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
extendedKeyUsage
extnId
Client Auth (1.3.6.1.5.5.7.3.2)
2.4.4.2.8 SEDEX
Verwendungszweck:
Authentifizierung, Verschlüsselung
X.509 Field
OIDs/Values
Comments
1.2.840.113549.1.1.11
signatureAlgorithm
algorithm
148/251
X.509 Field
parameters
signature
Policy Layout
OIDs/Values
Comments
NULL
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
TBSCertificate
validity
subject
2.5.4.11:SEDEX
2.5.4.3:SEDEX Adapter Name/Identifier
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
149/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3. 22.20,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for SEDEX authentication purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
150/251
uri IA5String
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
Email Protection (1.3.6.1.5.5.7.3.4)
subjectAltName
extnId
extendedKeyUsage
extnId
Client Auth (1.3.6.1.5.5.7.3.2)
sedexInternalUsage
extnId
2.16.756.1.17.3. 23.8
critical
FALSE,
DER encoded ASN.1 internal structure to SEDEX
BOOLEAN
OIDs/Values
Comments
OCTECT STING
2.4.4.2.9 eDOC
Verwendungszweck:
Authentisierung, Verschlüsselung
X.509 Field
signatureAlgorithm
151/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:admin
2.5.4.11: Systemplattform eDokumente
2.5.4.3: Adapter Name/Identifier
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
152/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3. 22.23,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for system platform eDokumente
application usages. The subject is a technical user referenced in the database of ISCEJPD.,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
153/251
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
subjectAltName
extnId
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
2.4.4.2.10 SPOC Server
Verwendungszweck:
Tbd
--- muss neu von SG SSL CA 01 ausgestellt werden ---
154/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:BIT
2.5.4.3:SPOC TLS Server
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
155/251
X.509 Field
Policy Layout
OIDs/Values
Comments
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.19,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for SPOC authentication purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
156/251
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[x] DNS Name spoc-mrtd-ws.pki.admin.ch
DNS
Server Authentication (1.3.6.1.5.5.7.3.1)
subjectAltName
extnId
extendedKeyUsage
extnId
SPOC specific OID (1.2.203.7064.1.1.369791.2)
2.4.4.2.11 SPOC Client
Verwendungszweck:
Tbd
--- muss neu von SG SSL CA 01 ausgestellt werden --X.509 Field
OIDs/Values
Comments
1.2.840.113549.1.1.11
signatureAlgorithm
algorithm
157/251
X.509 Field
parameters
signature
Policy Layout
OIDs/Values
Comments
NULL
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:BIT
TBSCertificate
validity
subject
2.5.4.3:SPOC TLS Client
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
158/251
X.509 Field
Policy Layout
OIDs/Values
Comments
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.19,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for SPOC authentication purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
159/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[x] DNS Name spoc-mrtd-ws.pki.admin.ch
DNS
subjectAltName
extnId
extendedKeyUsage
extnId
SPOC specific OID (1.2.203.7064.1.1.369791.1)
2.4.4.2.12 LRA Station System
Verwendungszweck:
Tbd
--- muss neu von SG SSL CA 01 ausgestellt werden --X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
TBSCertificate
160/251
Policy Layout
X.509 Field
OIDs/Values
Comments
version
2
v3 cert
serialNumber
Xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“160216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Services
2.5.4.3: lra.host.name
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
161/251
X.509 Field
Policy Layout
OIDs/Values
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.24,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for LRA Station authentication purposes, VisibleString, id-qt-unotice RFC 3280
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
162/251
Policy Layout
X.509 Field
OIDs/Values
Comments
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[x] DNS Name lra.host.name
DNS
subjectAltName
extnId
extendedKeyUsage
extnId
2.4.4.2.13 DFS / FKR - Digitaler Fahrtschreiber - DFS-CA Operator
Verwendungszweck:
Authentifizierung an der CA Operator Console der DFS-CA
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
TBSCertificate
163/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.11:Services
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:DFS-Services
2.5.4.3: <Common Name>
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
subject
CN editierbar
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
`00000001` B ,
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
164/251
Policy Layout
X.509 Field
OIDs/Values
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3. 22.12,
DFS-CA Operator
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for Digital Tachograph CA Operator
Authentification purpose
extnId
1.3.6.1.5.5.7.2.1,
extnValue
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf,
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
accessMethod
SEQUENCE
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
165/251
Policy Layout
X.509 Field
accessLocation
OIDs/Values
Comments
uri IA5String
extendedKeyUsage
extnId
SSLClient2.16.840.1.113730.1.1
NetscapeExtension mandatory=’True’ editable=’False’
GenericIA5StringExtension2.16.756.1.17.3.23.4.1
Editierbar: FL, CH
2.4.4.2.14 DFS / FKR - Digitaler Fahrtschreiber - DFS-CA Service Administrator
Verwendungszweck:
tbd
Diese Zertifikate (Klasse D) werden zur Authentifizierung an der CA Service Console der DFS-CA verwendet.
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
166/251
Policy Layout
X.509 Field
OIDs/Values
Comments
subject
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
CN editierbar
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
extnValue
BOOLEAN
`00000001` B ,
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
RFC 5280
certificatePolicies
extnId
2.5.29.32,
167/251
Policy Layout
X.509 Field
OIDs/Values
extnValue
Comments
2.16.756.1.17.3. 22.13,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for Digital Tachograph CA Service
Administrator Authentification purpose
extnId
1.3.6.1.5.5.7.2.1,
extnValue
DFS-CA Service Admin
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
SSLClient2.16.840.1.113730.1.1
NetscapeExtension mandatory=’True’ editable=’False’
Editierbar FL, CH
extendedKeyUsage
extnId
168/251
Policy Layout
2.4.4.2.15 DFS / FKR - Digitaler Fahrtschreiber - DFS-CA
Verwendungszweck:
Diese Policy definiert die Eigenschaften der DFS-CA DocumentSigner Zertifikate.
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11: DFS-Services
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
TBSCertificate
validity
subject
CN editierbar
BIT STRING 2048 bit
Extensions
169/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.35,
KeyId
extnValue
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
`00000111` B ,
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3. 22.14,
DFS-CA Entity
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is a Class D Document Signer Certificate for Digital Tachograph Certification Authority
Entities
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
170/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Editierbar, FL, CH
2.4.4.2.16 DFS / FKR - Digitaler Fahrtschreiber - DFS-CIA
Verwendungszweck:
Diese Policy definiert die Eigenschaften der DFS-CIA DocumentSigner Zertifikate.
CIA : Card Issuing Authority
X.509 Field
OIDs/Values
Comments
signatureAlgorithm
171/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
CN editierbar
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
172/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
`00000111` B ,
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3. 22.15,
DFS-CIA Entity
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is a Class D Document Signer Certificate for Digital Tachograph Card Issuing Authority
Entities
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
173/251
Policy Layout
X.509 Field
OIDs/Values
Comments
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Editierbar, FL, CH
extendedKeyUsage
extnId
2.4.4.2.17 DFS / FKR - Digitaler Fahrtschreiber - DFS-CP
Verwendungszweck:
Diese Policy definiert die Eigenschaften der DFS-CP DocumentSigner Zertifikate.
CP : Card Production
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
TBSCertificate
174/251
Policy Layout
X.509 Field
OIDs/Values
Comments
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
CN editierbar
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
`00000111` B ,
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
175/251
Policy Layout
X.509 Field
OIDs/Values
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3. 22.16,
DFS-CP Entity
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is a Class D Document Signer Certificate for Digital Tachograph Card Production
Authority Entities
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
176/251
Policy Layout
X.509 Field
OIDs/Values
accessDescription
Comments
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Editierbar, FL, CH
2.4.4.2.18 Organization Signature eSchKG BJ
Verwendungszweck:
Authentisierung, Digital Signature
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
TBSCertificate
validity
177/251
Policy Layout
X.509 Field
OIDs/Values
Comments
subject
2.5.4.6:CH
2.5.4.7:<Location>
2.5.4.11: eSchKG / e-LP / e-LEF
2.5.4.3: <Sedex-ID> ,
L = Ort
OU = Fixer Wert
CN = Sedex-ID (evtl. Mit Abkürzung Amt)
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
178/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3. 22.54,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for organization signature purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
EJPD – eSchKG Verbund
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
subjectAltName
179/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
extnId
2.4.4.2.19 ElCom
Verwendungszweck:
Authentisierung, Digital Signature
X.509 Field
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
L = Land
O = EXAA AG
CN = ElCom-RRM-EXAA
subject
2.5.4.6:<Country>
2.5.4.7:<Location>
2.5.4.10: <Organisation>
2.5.4.3: <Commen Name> ,
180/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.50,
extnId
1.3.6.1.5.5.7.2.2,
181/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnValue
This is the Swiss Government Regular CA 01 CP for ElCom RRM Client
Authentication/Signature purposes. ,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
1.3.6.1.5.5.7.3.2
subjectAltName
extnId
extendedKeyUsage
extnId
182/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.4.4.2.20 CITES System Authentication/Signature/Encryption
Verwendungszweck:
Tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
unique Integer
Random [integer]
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z” ,
2.5.4.6:<CH>
2.5.4.7:<Location>
C = Country
L = Ort
TBSCertificate
validity
subject
183/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.3: <UID> ,
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
1
dataEncipherment
1
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
184/251
Policy Layout
X.509 Field
OIDs/Values
extnValue
Comments
2.16.756.1.17.3.22.61,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CP for CITES system authentication,
signature and encryption purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
extnId
Secure Email (1.3.6.1.5.5.7.3.4)
185/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.29.17, SEQUENCE
[1] <rfc822 Email>
RFC 822 Email
subjectAltName
extnId
2.4.5.1
SSL Server Authentication
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
TBSCertificate
validity
subject
186/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.7:Bern
2.5.4.11:Servers
2.5.4.11:SSL
2.5.4.3:FQDN
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
187/251
Policy Layout
X.509 Field
OIDs/Values
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.26,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for SSL web server authentication.,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/ SSLCA01.crl
uri IA5String
ldap uri IA5String CA Swiss Government SSL CA 01 CDPs
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/ SSLCA01.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.1
extendedKeyUsage
extnId
serverAuthentication
188/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.29.17, SEQUENCE
[1] rfc1034 dNSName
IA5String, or
[2] rfc791 iPAdress
OCTECT STING in “network byte order”
subjectAltName
extnId
2.4.5.2
SSL Client Authentication
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Clients
TBSCertificate
validity
subject
189/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.11:SSL
2.5.4.3:FQDN
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
rsaEncryption
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.27,
190/251
Policy Layout
X.509 Field
OIDs/Values
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for SSL web client authentication.,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.2
2.5.29.17, SEQUENCE
[1] rfc1034 dNSName
IA5String, or
extendedKeyUsage
extnId
subjectAltName
extnId
191/251
X.509 Field
2.4.5.3
Policy Layout
OIDs/Values
Comments
[2] rfc791 iPAdress
SSL Server / Client Authentication
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Servers
2.5.4.11:SSL
2.5.4.3:FQDN
TBSCertificate
validity
subject
192/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
Digital Signature, Key Encipherment
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.10,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for SSL web server and client authentication.,
extnId
1.3.6.1.5.5.7.2.1,
193/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.1
1.3.6.1.5.5.7.3.2
2.5.29.17, SEQUENCE
[1] rfc1034 dNSName
IA5String, or
[2] rfc791 iPAdress
extendedKeyUsage
extnId
subjectAltName
extnId
194/251
2.4.5.4
Policy Layout
OCSP Responder
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Servers
[2.5.4.11:SSL
TBSCertificate
validity
subject
2.5.4.3:ocsp-responder.pki.admin.ch
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
…..,
rsaEncryption
BIT STRING 2048 bit
Extensions
195/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.35,
KeyId
extnValue
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.26,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for signing ocsp requests.,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
196/251
Policy Layout
X.509 Field
pathLenConstraint
OIDs/Values
Comments
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.9
extendedKeyUsage
extnId
2.4.5.5
ocspSigning
CodeSigning
Verwendungszweck:
Vertrauenswürdige Signierung von Software, die öffentlich verteilt wird. Im gleichen Zug werden die Endanwender der signierten Software über den Ursprung und die Integrität der Software, und über
die Identität des Herausgebers informiert.
X.509 Field
OIDs/Values
Comments
1.2.840.113549.1.1.11
signatureAlgorithm
algorithm
197/251
X.509 Field
parameters
signature
Policy Layout
OIDs/Values
Comments
NULL
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
editable
FALSE
1 or 2 years
notBefore
notAfter
UTC TIME, ETSI TS 102 280 (1 year or 2 years)
2.5.4.6: CH
2.5.4.7: <Locality>
O = Description according to UID-Register z.B “Bundesamt für
Zukunftsforschung (BFZ)”
TBSCertificate
validity
subject
2.5.4.11: <Organisational Unit>
2.5.4.3: <CN>
OU = UID according to UID-Register z.B. “CHE-123.456.789”
OU = Organisational Unit z.B „Büroautomation“
CN = Description according to UID-Register z.B “Bundesamt für
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
…..,
rsaEncryption
BIT STRING 2048 bit
Extensions
critical
FALSE
mandatory
TRUE
editable
FALSE
198/251
X.509 Field
Policy Layout
OIDs/Values
Comments
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
199/251
X.509 Field
Policy Layout
OIDs/Values
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
Comments
2.16.756.1.17.3.22.5,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government SSL CA 01 CP for code signing,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.19,
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
extnId
SEQUENCE
1.3.6.1.5.5.7.1.1,
OCTET STRING
200/251
Policy Layout
X.509 Field
extnValue
accessDescription
OIDs/Values
Comments
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
Code Signing (1.3.6.1.5.5.7.3.3)
id_kp_codeSigning
subjectAltName
2.4.5.6
critical
FALSE
mandatory
TRUE
editable
TRUE
visible
TRUE
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
Domain Controller
Verwendungszweck:
tbd
201/251
X.509 Field
Policy Layout
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
editable
FALSE
1 or 2 years
notBefore
notAfter
2.5.4.6: CH
2.5.4.7: <Locality>
2.5.4.3: <CN>
L = Locality zB. „Bern“
O = Description Organization z.B “Bundesamt für Zukunftsforschung
(BFZ)”
CN = FQDN z.B. „DC1.irgendetwas.bit.admin.ch“
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
TBSCertificate
validity
subject
BIT STRING 2048 bit
Extensions
critical
FALSE
mandatory
TRUE
202/251
X.509 Field
Policy Layout
OIDs/Values
Comments
editable
FALSE
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
‘101000000’B ,
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
203/251
X.509 Field
Policy Layout
OIDs/Values
Comments
certificatePolicies
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.22.56,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government SSL CA 01 CP for domain controller,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.19,
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
204/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
1.3.6.1.5.5.7.3.1
Server Authentication
1.3.6.1.5.5.7.3.2
Client Authentication
subjectAltName
critical
FALSE
mandatory
TRUE
editable
TRUE
visible
TRUE
extnId
2.5.29.17, SEQUENCE
[1] Other Name:1.3.6.1.4.1.311.25.1=<GUID>
[2] DNS Name=<FQDN>
certificateTemplateName
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
TRUE
205/251
X.509 Field
extnId
Policy Layout
OIDs/Values
Comments
1.3.6.1.4.1.311.20.2, SEQUENCE
DomainController
Swiss Government Public Trust Standard CA 02
2.4.6.1
Public Trust Standard Server Authentication (2.16.756.1.17.3.62.1)
Verwendungszweck:
End Entity Certificate Policy
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
TBSCertificate
validity
206/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:<countryName>
2.5.4.8:<stateOrProvinceName>
2.5.4.7:<localityName>
2.5.4.10:<organizationName>
2.5.4.11:[ ]<organizationalUnitName>
2.5.4.3:FQDN
Holder information, e.g. “CH”
Holder information, e.g. “BE” (Canton short)
Holder information, e.g. “Bern”
Holder information, e.g. “Swiss Government PKI”
Holder information, e.g. “BIT”
Holder information
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
subject
Extensions
extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
207/251
Policy Layout
X.509 Field
OIDs/Values
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.1,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/PTSTCA02.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Public Trust Standard CA 02,
ou=Certification Authorities,ou=Services,o=Admin,c=CH,
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/PTSTCA02.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
208/251
X.509 Field
Policy Layout
OIDs/Values
Comments
1.3.6.1.5.5.7.3.1
2.5.29.17, SEQUENCE
<your.server.address.com>
[1] rfc1034 dNSName, IA5String
extendedKeyUsage
extnId
subjectAltName
extnId
2.4.6.2
Public Trust Standard Client Authentication (2.16.756.1.17.3.62.2)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
TBSCertificate
209/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.3:FQDN
Holder information
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
210/251
Policy Layout
X.509 Field
OIDs/Values
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.2,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
accessMethod
SEQUENCE
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
211/251
Policy Layout
X.509 Field
accessLocation
OIDs/Values
Comments
uri IA5String
1.3.6.1.5.5.7.3.2
2.5.29.17, SEQUENCE
<your.client.address.com>
extendedKeyUsage
extnId
subjectAltName
extnId
2.4.6.3
Public Trust Standard Server/Client Authentication (2.16.756.1.17.3.62.3)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
name (DN).
TBSCertificate
212/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.3:FQDN
Holder information
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
213/251
Policy Layout
X.509 Field
OIDs/Values
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.3,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
VisibleString, id-qt-unotice RFC 3280,
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
214/251
Policy Layout
X.509 Field
OIDs/Values
Comments
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.1
1.3.6.1.5.5.7.3.2
2.5.29.17, SEQUENCE
<your.{server/client}.address.com
extendedKeyUsage
extnId
subjectAltName
extnId
2.4.6.4
Public Trust Standard OCSP Responder (2.16.756.1.17.3.62.7)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
TBSCertificate
215/251
Policy Layout
X.509 Field
OIDs/Values
Comments
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:public-trust-standard-ocsp-responder.pki.admin.ch
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
216/251
Policy Layout
X.509 Field
OIDs/Values
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
1
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.7,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
217/251
Policy Layout
X.509 Field
OIDs/Values
accessDescription
Comments
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.9
ocspSigning
2.5.29.17, SEQUENCE
<your.ocsp.address.com>
extendedKeyUsage
extnId
subjectAltName
extnId
Swiss Government Public Trust EV CA 02
2.4.7.1
Public Trust EV Server Authentication (2.16.756.1.17.3.62.4)
Verwendungszweck:
End Entity Certificate Policy
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
TBSCertificate
218/251
X.509 Field
issuer
Policy Layout
OIDs/Values
Comments
name (DN).
2.5.4.6:CH
2.5.4.11:Services
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.3:FQDN
2.5.4.15:<businessCategory>
2.5.4.5:<serialNumber>
1.3.6.1.4.1.311.60.2.1.2:<jurisdictionOfIncorporationStateOrProvince
1.3.6.1.4.1.311.60.2.1.3:<jurisdictionOfIncorporationCountryName
Holder information, e.g. “BE” (canton short)
Holder information, e.g. “your.server.domain.com”
Holder information, e.g. “Government Entity”1
Holder information, e.g. “CHE-xxx.xxx.xxx”
“Bern”
“CH”
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
subject
Extensions
extensions
1
Valid values are “Private Organization”, “Government Entity”, “Business Entity”, or “Non-Commercial Entity”
219/251
X.509 Field
Policy Layout
OIDs/Values
extnId
2.5.29.14
extnValue
…..,
Comments
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.4,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
220/251
Policy Layout
X.509 Field
OIDs/Values
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/PTEVCA02.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Public Trust EV CA 02,
Comments
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/PTEVCA02.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.1
2.5.29.17, SEQUENCE
<your.server.address.com>
extendedKeyUsage
extnId
subjectAltName
extnId
2.4.7.2
Public Trust EV Client Authentication (2.16.756.1.17.3.62.5)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
1.2.840.113549.1.1.11
signatureAlgorithm
algorithm
221/251
X.509 Field
parameters
signature
Policy Layout
OIDs/Values
Comments
NULL
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.3:FQDN
Holder information, e.g. “your.client.domain.com”
“Bern”
“CH”
1.2.840.113549.1.1.1,
rsaEncryption
subject
algorithm
2
222/251
X.509 Field
Policy Layout
OIDs/Values
Comments
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.5,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
223/251
Policy Layout
X.509 Field
extnValue
OIDs/Values
Comments
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.2
2.5.29.17, SEQUENCE
<your.client.address.com>
extendedKeyUsage
extnId
subjectAltName
extnId
224/251
2.4.7.3
Policy Layout
Public Trust EV Server/Client Authentication (2.16.756.1.17.3.62.6)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
TBSCertificate
validity
subject
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.3:FQDN
Holder information, e.g. “your.client.domain.com”
225/251
X.509 Field
Policy Layout
OIDs/Values
Comments
“Bern”
“CH”
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
3
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
226/251
Policy Layout
X.509 Field
OIDs/Values
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.6,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.1
extendedKeyUsage
extnId
227/251
X.509 Field
Policy Layout
OIDs/Values
Comments
1.3.6.1.5.5.7.3.2
2.5.29.17, SEQUENCE
<your.{server/client}.address.com
subjectAltName
extnId
2.4.7.4
Public Trust EV OCSP Responder (2.16.756.1.17.3.62.8)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
TBSCertificate
validity
228/251
X.509 Field
Policy Layout
OIDs/Values
Comments
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:ev-ocsp-responder.pki.admin.ch
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
229/251
Policy Layout
X.509 Field
OIDs/Values
Comments
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.8,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
uri IA5String
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.9
extendedKeyUsage
extnId
ocspSigning
230/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.29.17, SEQUENCE
subjectAltName
extnId
Swiss Government Public Trust Codesigning Standard CA 02
2.4.8.1
Public Trust Standard Code Signing (2.16.756.1.17.1.3.62.9)
Verwendungszweck:
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
TBSCertificate
231/251
X.509 Field
Policy Layout
OIDs/Values
Comments
2.5.4.3:Swiss Government Public Trust Codesigning Standard CA 02
editable
FALSE
1 or 2 years
notBefore
notAfter
2.5.4.6: CH
2.5.4.7: <Locality>
2.5.4.3: <CN>
L = Locality z.B. „Bern“
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
validity
subject
BIT STRING 2048 bit
Extensions
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
critical
FALSE
mandatory
TRUE
232/251
X.509 Field
Policy Layout
OIDs/Values
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
Comments
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.9,
extnId
1.3.6.1.5.5.7.2.2,
233/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.19,
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/PTCSSTCA02.crl
uri IA5String
ldap://admindir.admin.ch:389/cn=Swiss Government Public Trust Codesigning Standard CA ldap uri IA5String CA Swiss Government SSL CA 01 CDPs
02,ou=Certification Authorities,ou=Services,o=Admin,c=CH,
authorityInfoAccess
SEQUENCE
extnId
extnValue
accessDescription
1.3.6.1.5.5.7.1.1,
OCTET STRING
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/PTCSSTCA02.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
234/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
1.3.6.1.5.5.7.3.3
id_kp_codeSigning
subjectAltName
critical
FALSE
mandatory
TRUE
editable
TRUE
visible
TRUE
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
2.4.8.2
Public Trust Standard Code Signing OCSP Responder (2.16.756.1.17.3.62.11)
Verwendungszweck:
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
2
TBSCertificate
version
235/251
X.509 Field
Policy Layout
OIDs/Values
Comments
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
name (DN).
2.5.4.3:Swiss Government Public Trust Code Signing Standard CA 02
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:public-trust-standard-code-signing-ocsp-responder.pki.admin.ch
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
236/251
X.509 Field
extnValue
Policy Layout
OIDs/Values
Comments
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
1
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.62.11,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/PTCSSTCA02.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Public Trust Code Signing Standard
CA 02, ou=Certification Authorities,ou=Services,o=Admin,c=CH,
authorityInfoAccess
extnId
uri IA5String
SEQUENCE
1.3.6.1.5.5.7.1.1,
OCTET STRING
237/251
Policy Layout
X.509 Field
extnValue
accessDescription
OIDs/Values
Comments
SEQUENCE OF
OCTET STRING
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/PTCSSTCA02.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.9
ocspSigning
2.5.29.17, SEQUENCE
extendedKeyUsage
extnId
subjectAltName
extnId
Swiss Government Public Trust Codesigning EV CA 02
2.4.9.1
Public Trust EV Code Signing (2.16.756.1.17.3.62.10)
Verwendungszweck:
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
238/251
X.509 Field
Policy Layout
OIDs/Values
Comments
version
2
(value is 2).
serialNumber
xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:Swiss Government Public Trust Codesigning EV CA 02
name (DN).
TBSCertificate
validity
editable
FALSE
1 or 2 years
notBefore
notAfter
2.5.4.6: CH
2.5.4.7: <Locality>
L = Locality z.B. „Bern“
subject
2.5.4.3: <CN>
algorithm
1.2.840.113549.1.1.1,
parameters
NULL,
subjectPublicKey
…..,
rsaEncryption
BIT STRING 2048 bit
Extensions
239/251
X.509 Field
Policy Layout
OIDs/Values
Comments
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.35,
KeyId
extnValue
…..,
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.14
extnValue
…..,
keyUsage
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
RFC 5280
extnValue
digitalSignature
1
nonRepudiation
0
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
240/251
X.509 Field
Policy Layout
OIDs/Values
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.10,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
critical
TRUE
mandatory
TRUE
editable
FALSE
visible
TRUE
extnId
2.5.29.19,
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/PTCSEVCA02.crl
uri IA5String
241/251
Policy Layout
X.509 Field
OIDs/Values
Comments
ldap://admindir.admin.ch:389/cn=Swiss Government Public Trust Codesigning EV CA
02,ou=Certification Authorities,ou=Services,o=Admin,c=CH,
authorityInfoAccess
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/PTCSEVCA02.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
extendedKeyUsage
critical
FALSE
mandatory
TRUE
editable
FALSE
visible
FALSE
extnId
1.3.6.1.5.5.7.3.3
id_kp_codeSigning
subjectAltName
2.4.9.2
critical
FALSE
mandatory
TRUE
editable
TRUE
visible
TRUE
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
RFC 822 Email
Public Trust EV Code Signing OCSP Responder (2.16.756.1.17.3.62.12)
Verwendungszweck:
242/251
Policy Layout
tbd
X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
(value is 2).
serialNumber
Xxxxx
issuer
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:Swiss Government Public Trust Code Signing EV CA 02
name (DN).
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Services
2.5.4.3:public-trust-ev-code-signing-ocsp-responder.pki.admin.ch
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
subject
BIT STRING 2048 bit
Extensions
243/251
X.509 Field
Policy Layout
OIDs/Values
Comments
extnId
2.5.29.35,
KeyId
extnValue
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
1
keyEncipherment
0
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
2.5.29.32,
extnValue
2.16.756.1.17.3.62.12,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
244/251
Policy Layout
X.509 Field
OIDs/Values
Comments
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
http://www.pki.admin.ch/crl/PTCSEVCA02.crl
ldap://admindir.admin.ch:389/cn=Swiss Government Public Trust Code Signing EV CA 02,
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
http://www.pki.admin.ch/aia/PTCSEVCA02.crt
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
1.3.6.1.5.5.7.3.9
2.5.29.17, SEQUENCE
extendedKeyUsage
extnId
ocspSigning
subjectAltName
extnId
OBSOLETE
2.4.10.1 SSL Web Server - Swiss Government Regular CA 01
Verwendungszweck:
245/251
Policy Layout
Tbd
--- OBSOLETE --X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
TBSCertificate
validity
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.11:Servers
subject
2.5.4.11: SSL
2.5.4.3: server/system name
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
2.5.29.35,
KeyId
Extensions
extnId
246/251
X.509 Field
extnValue
Policy Layout
OIDs/Values
Comments
…..,
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.22.26,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
The purpose of this certificate is solely intended for SSL web server authentication., VisibleString, id-qt-unotice RFC 3280
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
247/251
Policy Layout
X.509 Field
OIDs/Values
Comments
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Server Auth (1.3.6.1.5.5.7.3.1)
extendedKeyUsage
extnId
2.4.10.2 System - Swiss Government Regular CA 01
Verwendungszweck:
Tbd
--- OBSOLETE --X.509 Field
OIDs/Values
Comments
algorithm
1.2.840.113549.1.1.11
parameters
NULL
signatureAlgorithm
signature
2048 bit
2048 bit BIT STRING
248/251
X.509 Field
Policy Layout
OIDs/Values
Comments
version
2
v3 cert
serialNumber
xxxxx
Random
issuer
2.5.4.6:CH
2.5.4.10: Admin
2.5.4.11:Services
notBefore
“110216090000Z”,
notAfter
“140216085959Z”,
2.5.4.6:CH
2.5.4.10:Admin
2.5.4.11:Servers
2.5.4.3:server/system name
algorithm
1.2.840.113549.1.1.1,
rsaEncryption
parameters
NULL,
subjectPublicKey
…..,
BIT STRING 2048 bit
extnId
2.5.29.35,
KeyId
extnValue
…..,
TBSCertificate
validity
subject
Extensions
extnId
2.5.29.14
extnValue
…..,
keyUsage
extnId
2.5.29.15,
critical
TRUE,
BOOLEAN
extnValue
RFC 5280
249/251
X.509 Field
Policy Layout
OIDs/Values
digitalSignature
1
nonRepudiation
0
keyEncipherment
1
dataEncipherment
0
keyAgreement
0
keyCertSign
0
cRLSign
0
encipherOnly
0
decipherOnly
0
Comments
certificatePolicies
extnId
extnValue
2.5.29.32,
2.16.756.1.17.3.2.10,
extnId
1.3.6.1.5.5.7.2.2,
extnValue
This is the Swiss Government Regular CA 01 CPS for authentication purposes,
extnId
1.3.6.1.5.5.7.2.1,
extnValue
IA5String, cps
basicConstraints
extnId
2.5.29.19,
critical
TRUE,
BOOLEAN
extnValue
cA FALSE,
BOOLEAN
pathLenConstraint
None ,
INTEGER, End Entity
extnId
2.5.29.31,
extnValue
authorityInfoAccess
uri IA5String
SEQUENCE
extnId
1.3.6.1.5.5.7.1.1,
OCTET STRING
extnValue
SEQUENCE OF
OCTET STRING
250/251
Policy Layout
X.509 Field
OIDs/Values
accessDescription
Comments
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.2,
id-ad-caIssuers
accessLocation
uri IA5String
accessDescription
SEQUENCE
accessMethod
1.3.6.1.5.5.7.48.1,
id-ad-ocsp
accessLocation
uri IA5String
Server Auth (1.3.6.1.5.5.7.3.1)
extendedKeyUsage
extnId
Client Auth (1.3.6.1.5.5.7.3.2)
subjectAltName
extnId
2.5.29.17, SEQUENCE
[1] rfc822 Email
Note: applies also for Governikus transport signature, transport encryption, core signature
251/251

Swiss Government PKI - Bundesamt für Informatik und

Transcription

Similar documents

E-Government in OWL

und Vorgangsbearbeitungssystems im Land Brandenburg

Governikus Communicator Benutzerhandbuch

Kurzanleitung EGVP 2.8 Installerpaket

Informations- und Kommunikationsinstitut der Landeshauptstadt