US Higher Education Root (USHER) Foundation
Certification Authority Certificate Profile

This profile is for Campus Authority Certificates signed by the USHER Foundation CA.

Draft Version 1: March 8, 2006

HEPKI CA Certificate Profile Summary Table

| Field Name | Value Type | Value or Example | Specified | Explanation |
|---|---|---|---|---|
| Version | integer | 0x2 | Y | A version 3 certificate is specified. |
| Serial Number | a unique integer | 2 | Y | |
| Signature Algorithm | Algorithm | SHA1/RSA | Y | |
| Issuer | DN | cn=US Higher Education Root, ou=Foundation, o=USHERCA, c=US | Y | USHER did not use DC naming, to avoid potential interoperability problems. |
| Validity | Time | Valid until February 26, 2026 | Y | Expires the day before the USHER Foundation root certificate. We plan to rekey after 10 years (sooner if needed, perhaps later if possible), so campuses will most likely need new Authority Certificates before the 20 year period expires. |
| Subject | DN | cn=CampusCA Name, l=CampusCity, s=CampusState, o=University of X, c=US | N | DN as specified by the campus in its certificate request. The DN must be a commonly used name for the institution. |
| Public Key | RSA | | Y | Campuses are advised to use a 2048 bit RSA key pair. The USHER Foundation will sign certificate requests that contain a 1024 bit RSA key. |
| Certificate Extensions | | | | |
| Key Usage | | Certificate Signing, Off-line CRL Signing, CRL Signing (06) | Y | This extension will be marked critical. |
| Basic Constraints | Constraints | Subject Type = CA; Path Length Constraint = none | Y | Critical. |
| Certificate Policy | USHER Foundation CA Policy OID | 1.3.6.1.4.1.24726.2.2 | Y | Not critical. |
| CPS Pointer | URI | http://www.usherca.org/practices/cps.pdf | Y | Not critical. A redacted version of the practices document will be made available on-line in PDF format. |
| CRL Distribution Points | URI | http://h1.usherca.org/crl/foundation/campusauthority.crl; http://h2.usherca.org/crl/foundation/campusauthority.crl | Y | Not critical. The USHER Foundation CA will issue CRLs and make them available via HTTP. The CA will issue a new CRL each month, and by the end of the next business day after receiving any request to revoke a certificate. |
| Authority Information Access | URI (id-ad-caIssuers) | http://h1.usherca.org/aia/foundation/ca-certs.p7b; http://h2.usherca.org/aia/foundation/ca-certs.p7b | Y | At least two AIA URLs located at different points on the Internet will be specified. Does HEBCA need anything special here? |
| Authority Key Identifier | KeyID | See RFC 3280 for details | Y | Not critical. Only the keyIdentifier field will be populated. |
| Subject Key Identifier | KeyID | See RFC 3280 for details | Y | Not critical. Only the keyIdentifier field will be populated. |
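The extension set from the table above, written out as an OpenSSL x509 extension section so that an issued Campus Authority certificate can be generated with, or compared against, exactly these criticality flags and values. This is an added example, not a configuration published by USHER; the section names `usher_campus_ca` and `usher_policy` are my own, while the policy OID and URLs are those given in the profile.

```ini
# Added example (not USHER's own config): extension section for a
# USHER Campus Authority certificate following the profile table.
# Section names are assumptions; OID and URLs come from the profile.
[ usher_campus_ca ]

# Key Usage: keyCertSign + cRLSign, marked critical. The "(06)" in the
# profile is the hex value of exactly these two bits as shown by
# certificate viewers; no digitalSignature or other bits are set.
keyUsage               = critical, keyCertSign, cRLSign

# Basic Constraints: CA with no path length constraint, critical.
basicConstraints       = critical, CA:TRUE

# Certificate Policies: Foundation CA policy OID plus CPS pointer,
# not critical (OpenSSL leaves it non-critical by default).
certificatePolicies    = @usher_policy

# CRL Distribution Points: the two hosts from the profile, not critical.
crlDistributionPoints  = URI:http://h1.usherca.org/crl/foundation/campusauthority.crl,URI:http://h2.usherca.org/crl/foundation/campusauthority.crl

# Authority Information Access: id-ad-caIssuers on two hosts.
authorityInfoAccess    = caIssuers;URI:http://h1.usherca.org/aia/foundation/ca-certs.p7b,caIssuers;URI:http://h2.usherca.org/aia/foundation/ca-certs.p7b

# SKI from the subject key hash; AKI carries only keyIdentifier
# ("keyid" without "issuer", so no issuer name/serial is added).
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ usher_policy ]
policyIdentifier = 1.3.6.1.4.1.24726.2.2
CPS.1            = "http://www.usherca.org/practices/cps.pdf"
```

Sign the campus request with `openssl ca` (or `openssl x509 -req`) using `-sha1 -extfile <this file> -extensions usher_campus_ca`, setting the end date to the February 26, 2026 expiry from the profile, and review the result with `openssl x509 -noout -text` to confirm Key Usage and Basic Constraints show as critical and the other extensions do not.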