A.3. Standard X.509 v3 Certificate Extensions
This section summarizes important information about each certificate extension. For complete details, see both the X.509 v3 standard, available from the ITU, and Internet X.509 Public Key Infrastructure - Certificate and CRL Profile (RFC 3280), available at http://www.ietf.org/rfc/rfc3280.txt. The description of each extension references the RFC and the section number of the standard draft that discusses the extension; the object identifier (OID) for each extension is also provided.
Each extension in a certificate can be designated as critical or noncritical. A certificate-using system, such as a web browser, must reject the certificate if it encounters a critical extension it does not recognize; however, a noncritical extension can be ignored if it is not recognized.
A.3.1. authorityInfoAccess
This extension must be noncritical.
The Authority Information Access extension indicates how and where to access information about the issuer of the certificate. The extension contains an accessMethod and an accessLocation field. accessMethod specifies by OID the type and format of information about the issuer named in accessLocation.
PKIX Part 1 defines one accessMethod (id-ad-caIssuers) to get a list of CAs that have issued certificates higher in the CA chain than the issuer of the certificate using the extension. The accessLocation field then typically contains a URL indicating the location and protocol (LDAP, HTTP, or FTP) used to retrieve the list.
The Online Certificate Status Protocol (RFC 2560), available at http://www.ietf.org/rfc/rfc2560.txt, defines an accessMethod (id-ad-ocsp) for using OCSP to verify certificates. The accessLocation field then contains a URL indicating the location and protocol used to access an OCSP responder that can validate the certificate.
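The following is an added worked example, not code from the guide or from the product it documents. It builds an authorityInfoAccess extension in DER from constructed sample URLs (the hostnames are placeholders), decodes it back into its accessMethod OIDs and accessLocation URLs, and applies the two rules stated above: a relying party rejects any unrecognized critical extension and ignores an unrecognized noncritical one, and authorityInfoAccess itself is rejected if marked critical. The DER helpers handle only the constructed cases here (URI general names, arcs below 40 for the second OID component) and are assumptions of this example, not a full ASN.1 decoder.

```python
"""Decode an X.509 AuthorityInfoAccess extension and apply the critical rule.
Example code added for illustration; sample DER below is constructed here."""

ID_PE_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"          # RFC 2560 accessMethod
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # PKIX Part 1 accessMethod

# --- minimal DER helpers (definite-length encoding only) ---

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _encode_len(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID; arcs beyond the first two use base-128 chunks."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der_tlv(0x06, body)

def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, data[pos:pos + length], pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # assumes second arc < 40
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- AuthorityInfoAccess ::= SEQUENCE OF AccessDescription ---

def build_aia_extension(entries, critical=False):
    """Encode Extension { extnID, critical, extnValue } for the given
    (accessMethod OID, accessLocation URL) pairs."""
    descs = b"".join(
        der_tlv(0x30, der_oid(method) + der_tlv(0x86, url.encode("ascii")))
        for method, url in entries)            # 0x86 = GeneralName [6] URI
    crit = der_tlv(0x01, b"\xff") if critical else b""
    return der_tlv(0x30, der_oid(ID_PE_AUTHORITY_INFO_ACCESS) + crit
                   + der_tlv(0x04, der_tlv(0x30, descs)))

def decode_aia(extn_value):
    """Return a list of (accessMethod OID, accessLocation) from extnValue."""
    _, seq, _ = read_tlv(extn_value)
    result, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)
        _, method, p = read_tlv(desc)
        ltag, location, _ = read_tlv(desc, p)
        loc = location.decode("ascii") if ltag == 0x86 else location
        result.append((decode_oid(method), loc))
    return result

def parse_extension(ext_der):
    """Split an Extension into (extnID, critical, extnValue)."""
    _, body, _ = read_tlv(ext_der)
    _, oid_body, pos = read_tlv(body)
    tag, val, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:                       # optional BOOLEAN, DEFAULT FALSE
        critical = val != b"\x00"
        tag, val, pos = read_tlv(body, pos)
    return decode_oid(oid_body), critical, val

def evaluate_extension(ext_der):
    """Relying-party decision: ("accept"|"ignore"|"reject", reason, data)."""
    extn_id, critical, value = parse_extension(ext_der)
    if extn_id == ID_PE_AUTHORITY_INFO_ACCESS:
        if critical:
            return "reject", "authorityInfoAccess must be noncritical", []
        return "accept", "authorityInfoAccess", decode_aia(value)
    if critical:
        return "reject", f"unrecognized critical extension {extn_id}", []
    return "ignore", f"unrecognized noncritical extension {extn_id}", []

# Constructed sample: one OCSP responder and one caIssuers location.
SAMPLE_AIA = build_aia_extension([
    (ID_AD_OCSP, "http://ocsp.example.test/"),
    (ID_AD_CA_ISSUERS, "http://ca.example.test/issuer.cer"),
])

if __name__ == "__main__":
    print(evaluate_extension(SAMPLE_AIA))
```

Running the file prints the accepted extension with both access descriptions; encoding the same entries with critical=True yields a reject, which is the check a certificate profile validator should apply before the accessLocation URLs are ever fetched.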