InCommon Certificate Profile
Server Certificate Profile


Draft #7: May 18, 2004
InCommon Server (EE) Certificate Profile Summary Table
| Field Name | Value | Example | Explanation |
|---|---|---|---|
| Version | 0x2 | 0x2 | A version 3 certificate is specified. |
| Serial Number | a unique integer | 334 | An integer that is unique among all certificates issued by the InCommon CA. |
| Signature Algorithm | SHA1/RSA | | |
| Issuer | DN | cn=InCommon Certification Authority, o=Internet2, c=US | |
| Validity | Time | Not valid before: date; Not valid after: date plus three years | A three-year validity period is proposed. |
| Subject | DN | cn=shib.school.edu, o=shib.school.edu, c=US | The CN= is the full domain name of the InCommon Shibboleth server at the institution. The O= is the normal name of the university as supplied by the institution when it submits its paperwork for the I&A process. The InCommon RA will ensure that no schools overlap in the O= field. An alternative is to make CN == O to ease the workload on the InCommon RA. |
| Public Key | | | A 1024-bit keypair will be used. |

Certificate Extensions

| Field Name | Value | Example | Explanation |
|---|---|---|---|
| Key Usage | Digital Signature, Key Encipherment | | Digital Signature and Key Encipherment will be asserted. The extension will be marked critical. |
| Basic Constraints | CA=false | CA=false | This extension will be marked critical. |
| CRL Distribution Points | URI | http://incommonca1.internet2.edu/crl/eecrls.crl; http://incommonca2.internet2.edu/crl/eecrls.crl | Non-critical. The InCommon CA will issue CRLs and make them available via HTTP. The CA will issue a new CRL each month and by the end of the next business day after receiving any request to revoke a certificate. |
| Certification Policy | InCommon Policy OID | | Internet2 will allocate a Policy OID for the InCommon CA and place this OID in all certificates that it issues. |
| CPS Pointer | URI | http://incommonca.internet2.edu/practices.pdf | The redacted public version of the practices document will be available on-line in PDF form. PDF was selected to make accidental modification less likely. |
| Authority Information Access | URI (id-ad-caIssuers) | http://ca1.internet2.edu/bridge/certs/ca-certs.p7b; http://ca2.internet2.edu/bridge/certs/ca-certs.p7b; plus an LDAP URL | At least two AIA URLs located at different points on the Internet will be specified. See Note 3 below for information on the content of the AIA field. |
| Enhanced Key Usage | Server Authentication, Client Authentication | | Server Authentication and Client Authentication will be asserted. This extension will be marked non-critical. |
| SubjectAltName | DNSName | shib.school.edu | This extension will be marked non-critical. The value for this field is the hostname of the server and must be the same as the CN in the Subject Name. |


Notes:
  1. The host names in the URLs are simply examples and are likely to change based on branding decisions and available hostnames.
  2. Likewise, the email addresses and file names are also just examples and will change as needed.
  3. Authority Information Access
    The HTTP URL in the Authority Information Access field will be a pointer to a PKCS-7 object. When the link is accessed, the web server will return the PKCS-7 file using the MIME type application/octet-stream. The PKCS-7 bundle will contain any appropriate cross-certificates that an application may find useful when constructing the trust path in a bridged PKI environment.
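As an added example (not part of this draft or of any InCommon tooling), the extension profile in the table above written as an OpenSSL x509 extension section that a CA operator could apply when signing a Shibboleth server CSR. The policy OID is a placeholder because the draft states it has not yet been allocated, the hostnames are the draft's own example values (see Note 1), and the LDAP AIA URL is omitted because the draft gives none.

```ini
# Added example: OpenSSL extension section for the InCommon server (EE)
# certificate profile. Hypothetical usage, assuming a CA config ca.cnf and a
# CSR server.csr whose Subject CN is shib.school.edu:
#   openssl ca -config ca.cnf -extfile profile.cnf -extensions incommon_server \
#       -days 1095 -in server.csr -out server.crt
# (-days 1095 gives the proposed three-year validity period.)

[ incommon_server ]
# Key Usage: Digital Signature and Key Encipherment, marked critical
keyUsage               = critical, digitalSignature, keyEncipherment

# Basic Constraints: end-entity certificate, marked critical
basicConstraints       = critical, CA:FALSE

# CRL Distribution Points: non-critical, two HTTP locations (hostnames are
# the draft's example values)
crlDistributionPoints  = URI:http://incommonca1.internet2.edu/crl/eecrls.crl, URI:http://incommonca2.internet2.edu/crl/eecrls.crl

# Certificate Policies: the InCommon policy OID plus the CPS pointer
certificatePolicies    = @incommon_policy

# Authority Information Access: id-ad-caIssuers entries pointing at the
# PKCS-7 cross-certificate bundles described in Note 3
authorityInfoAccess    = caIssuers;URI:http://ca1.internet2.edu/bridge/certs/ca-certs.p7b, caIssuers;URI:http://ca2.internet2.edu/bridge/certs/ca-certs.p7b

# Enhanced Key Usage: Server and Client Authentication, non-critical
extendedKeyUsage       = serverAuth, clientAuth

# Subject Alternative Name: must equal the Subject CN. Non-critical.
subjectAltName         = DNS:shib.school.edu

# Key identifiers for chain building (conventional, not listed in the draft)
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ incommon_policy ]
# PLACEHOLDER: replace with the policy OID allocated by Internet2
policyIdentifier       = 1.2.3.4
CPS.1                  = "http://incommonca.internet2.edu/practices.pdf"
```

After issuance, `openssl x509 -in server.crt -noout -text` shows each extension with its critical flag, which is a quick way to confirm the issued certificate matches the table.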