NF TLS Client and Server Certificate Profile | |
---|---|
Version | v3 |
Serial Number | Unique positive integer in the context of the issuing Root CA, not longer than 20 octets. |
Subject DN | C=<Country> O=<Home Domain Name> (e.g. in the "5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org" format defined in clause 28.2 of TS 23.003) |
Validity Period | 3 years or less |
Signature | See clause 6.1.1 for the list of supported signature algorithms. |
Subject Public Key Info | See clause 6.1.1 for the list of supported public key types. |
Extensions | OID | Mandatory | Criticality | Value |
---|---|---|---|---|
keyUsage | {id-ce 15} | TRUE | TRUE | digitalSignature for TLS clients and servers |
extendedKeyUsage | {id-ce 37} | TRUE | FALSE | id-kp-clientAuth for TLS clients; id-kp-serverAuth for TLS servers. An NF that may act as both client and server shall have both OIDs set. |
authorityKeyIdentifier | {id-ce 35} | TRUE | FALSE | This shall be the same as the subjectKeyIdentifier of the issuer's certificate. The CA shall utilize method (1) as defined in Section 4.2.1.2 of RFC 5280 to generate the value for this extension. |
subjectKeyIdentifier | {id-ce 14} | FALSE | FALSE | This shall be calculated by the issuing CA utilizing method (1) as defined in Section 4.2.1.2 of RFC 5280 to generate the value for this extension. |
cRLDistributionPoint | {id-ce 31} | TRUE | FALSE | distributionPoint: according to RFC 5280, this indicates where the CRL is available for retrieval, giving the access protocol and location as an LDAP or HTTP URI. |
subjectAltName | {id-ce 17} | TRUE | TRUE | Multiple subjectAltName entries can be used as a sequence, see below for the detailed instructions. |
nfTypes | {id-pe 34} | TRUE | FALSE | id-pe-nftypes, specified in RFC 9310, enables including Network Function types (NFTypes) for the 5G System in X.509 v3 public key certificates. |
authorityInfoAccess | {id-pe 1} | FALSE | FALSE | id-ad-caIssuers: according to RFC 5280, id-ad-caIssuers describes the referenced description server and the access protocol and location, for example using one or multiple HTTP and/or LDAP URIs. id-ad-ocsp: according to RFC 5280, id-ad-ocsp defines the location of the OCSP responder using an HTTP URI. |
TLS feature extension | {id-pe 24} | FALSE | FALSE | id-pe-tlsfeature: this can be used according to RFC 7633 to prevent downgrade attacks that are not otherwise prevented by the TLS protocol; also to be used with OCSP stapling with TLS server end-entity certificates. |
Extensions | OID | Mandatory | Criticality | Value |
---|---|---|---|---|
keyUsage | {id-ce 15} | TRUE | TRUE | digitalSignature for JWS signing keys used in OAuth 2.0 with JWT access tokens and for CCA tokens. nonRepudiation (also known as "contentCommitment") is optional, since digitalSignature is used instead. |
extendedKeyUsage | {id-ce 37} | TRUE | FALSE | id-kp-jwt for validating the JWS signature of a JWT (RFC 9509), for example for a CCA token; id-kp-oauthAccessTokenSigning for signing OAuth 2.0 access tokens (RFC 9509). |
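The two rows above, as an added Go example (added here; not code from the specification, from any NRF or from any NF consumer). The point of the rows is that the certificate behind a token-signing key must be checked before its key is trusted for a JWS: the verifier below refuses to validate an ES256 compact JWS unless the certificate carries keyUsage digitalSignature and the extendedKeyUsage that matches the token kind, using the OIDs assigned by RFC 9509 (id-kp-jwt 1.3.6.1.5.5.7.3.37, id-kp-oauthAccessTokenSigning 1.3.6.1.5.5.7.3.38). crypto/x509 does not know these OIDs and reports them in UnknownExtKeyUsage. The self-signed sample certificates, the home domain and the claim set are constructed for the example; the minimal signer stands in for the issuing NRF and is not its code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EKU OIDs registered by RFC 9509 (id-kp 37 and id-kp 38); crypto/x509 does not know them and
// reports them in UnknownExtKeyUsage.
var oidKpJWT = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 37}
var oidKpOAuthAccessTokenSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 38}

// tokenSigningCertOK enforces the two rows: keyUsage digitalSignature plus the EKU that matches
// the token kind (id-kp-oauthAccessTokenSigning for access tokens, id-kp-jwt for CCA tokens).
func tokenSigningCertOK(c *x509.Certificate, want asn1.ObjectIdentifier) error {
	if c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("keyUsage lacks digitalSignature")
	}
	for _, oid := range c.UnknownExtKeyUsage {
		if oid.Equal(want) {
			return nil
		}
	}
	return errors.New("extendedKeyUsage lacks " + want.String())
}

// verifyES256 validates a compact JWS (alg ES256) with the certificate's key, but only after the
// certificate passed the profile check, so a TLS-only certificate cannot vouch for a token.
func verifyES256(token string, c *x509.Certificate, want asn1.ObjectIdentifier) ([]byte, error) {
	if err := tokenSigningCertOK(c, want); err != nil {
		return nil, err
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is R || S, 32 bytes each
		return nil, errors.New("bad ES256 signature encoding")
	}
	pub, ok := c.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("ES256 requires a P-256 key")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// signES256 is a minimal issuer-side signer for the sample; it is not the NRF's own code.
func signES256(priv *ecdsa.PrivateKey, payload []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString(payload)
	h := sha256.Sum256([]byte(hdr + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return hdr + "." + body + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// selfSignedCert builds a constructed certificate carrying the given keyUsage and EKU OIDs.
func selfSignedCert(priv *ecdsa.PrivateKey, ku x509.KeyUsage, ekus ...asn1.ObjectIdentifier) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(7), Subject: pkix.Name{Organization: []string{"5gc.mnc012.mcc345.3gppnetwork.org"}},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: ku, UnknownExtKeyUsage: ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nrf := selfSignedCert(priv, x509.KeyUsageDigitalSignature, oidKpOAuthAccessTokenSigning)
	token := signES256(priv, []byte(`{"iss":"nrf","scope":"nsmf-pdusession"}`))
	payload, err := verifyES256(token, nrf, oidKpOAuthAccessTokenSigning)
	fmt.Println(string(payload), err)
}
```

The EKU gate is what separates the two rows from ordinary JWS verification: with the same key pair, a certificate profiled only for TLS is rejected, and so is one that carries the EKU but lacks digitalSignature. Chain building to the operator's root is left out here; in a deployment the certificate would be validated against the trust anchor before this check runs.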