Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 5280

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

Pages: 151
Proposed Standard
Errata
Obsoletes:  328043254630
Updated by:  6818839883999549
Part 7 of 7 – Pages 136 to 151
First   Prev   None

Top   ToC   RFC5280 - Page 136   prevText

Appendix C. Examples

This appendix contains four examples: three certificates and a CRL. The first two certificates and the CRL comprise a minimal certification path. Appendix C.1 contains an annotated hex dump of a "self-signed" certificate issued by a CA whose distinguished name is cn=Example CA,dc=example,dc=com. The certificate contains an RSA public key, and is signed by the corresponding RSA private key. Appendix C.2 contains an annotated hex dump of an end entity certificate. The end entity certificate contains an RSA public key, and is signed by the private key corresponding to the "self-signed" certificate in Appendix C.1. Appendix C.3 contains an annotated hex dump of an end entity certificate that contains a DSA public key with parameters, and is signed with DSA and SHA-1. This certificate is not part of the minimal certification path. Appendix C.4 contains an annotated hex dump of a CRL. The CRL is issued by the CA whose distinguished name is cn=Example CA,dc=example,dc=com and the list of revoked certificates includes the end entity certificate presented in Appendix C.2. The certificates were processed using Peter Gutmann's dumpasn1 utility to generate the output. The source for the dumpasn1 utility is available at <http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c>. The binaries for the certificates and CRLs are available at http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/pkixtools.
Top   ToC   RFC5280 - Page 137
   In places in this appendix where a distinguished name is specified
   using a string representation, the strings are formatted using the
   rules specified in [RFC4514].

C.1. RSA Self-Signed Certificate

This appendix contains an annotated hex dump of a 578 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 17; (b) the certificate is signed with RSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is cn=Example CA,dc=example,dc=com; (d) the subject's distinguished name is cn=Example CA,dc=example,dc=com; (e) the certificate was issued on April 30, 2004 and expired on April 30, 2005; (f) the certificate contains a 1024-bit RSA public key; (g) the certificate contains a subject key identifier extension generated using method (1) of Section 4.2.1.2; and (h) the certificate is a CA certificate (as indicated through the basic constraints extension). 0 574: SEQUENCE { 4 423: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 1: INTEGER 17 16 13: SEQUENCE { 18 9: OBJECT IDENTIFIER : sha1withRSAEncryption (1 2 840 113549 1 1 5) 29 0: NULL : } 31 67: SEQUENCE { 33 19: SET { 35 17: SEQUENCE { 37 10: OBJECT IDENTIFIER : domainComponent (0 9 2342 19200300 100 1 25) 49 3: IA5String 'com' : } : } 54 23: SET { 56 21: SEQUENCE { 58 10: OBJECT IDENTIFIER : domainComponent (0 9 2342 19200300 100 1 25) 70 7: IA5String 'example' : }
Top   ToC   RFC5280 - Page 138
         :         }
  79   19:       SET {
  81   17:         SEQUENCE {
  83    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  88   10:           PrintableString 'Example CA'
         :           }
         :         }
         :       }
 100   30:     SEQUENCE {
 102   13:       UTCTime 30/04/2004 14:25:34 GMT
 117   13:       UTCTime 30/04/2005 14:25:34 GMT
         :       }
 132   67:     SEQUENCE {
 134   19:       SET {
 136   17:         SEQUENCE {
 138   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 150    3:           IA5String 'com'
         :           }
         :         }
 155   23:       SET {
 157   21:         SEQUENCE {
 159   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 171    7:           IA5String 'example'
         :           }
         :         }
 180   19:       SET {
 182   17:         SEQUENCE {
 184    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 189   10:           PrintableString 'Example CA'
         :           }
         :         }
         :       }
 201  159:     SEQUENCE {
 204   13:       SEQUENCE {
 206    9:         OBJECT IDENTIFIER
         :           rsaEncryption (1 2 840 113549 1 1 1)
 217    0:         NULL
         :         }
 219  141:       BIT STRING, encapsulates {
 223  137:         SEQUENCE {
 226  129:           INTEGER
         :             00 C2 D7 97 6D 28 70 AA 5B CF 23 2E 80 70 39 EE
         :             DB 6F D5 2D D5 6A 4F 7A 34 2D F9 22 72 47 70 1D
         :             EF 80 E9 CA 30 8C 00 C4 9A 6E 5B 45 B4 6E A5 E6
         :             6C 94 0D FA 91 E9 40 FC 25 9D C7 B7 68 19 56 8F
         :             11 70 6A D7 F1 C9 11 4F 3A 7E 3F 99 8D 6E 76 A5
Top   ToC   RFC5280 - Page 139
         :             74 5F 5E A4 55 53 E5 C7 68 36 53 C7 1D 3B 12 A6
         :             85 FE BD 6E A1 CA DF 35 50 AC 08 D7 B9 B4 7E 5C
         :             FE E2 A3 2C D1 23 84 AA 98 C0 9B 66 18 9A 68 47
         :             E9
 358    3:           INTEGER 65537
         :           }
         :         }
         :       }
 363   66:     [3] {
 365   64:       SEQUENCE {
 367   29:         SEQUENCE {
 369    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 374   22:           OCTET STRING, encapsulates {
 376   20:             OCTET STRING
         :               08 68 AF 85 33 C8 39 4A 7A F8 82 93 8E 70 6A 4A
         :               20 84 2C 32
         :             }
         :           }
 398   14:         SEQUENCE {
 400    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 405    1:           BOOLEAN TRUE
 408    4:           OCTET STRING, encapsulates {
 410    2:             BIT STRING 1 unused bits
         :               '0000011'B
         :             }
         :           }
 414   15:         SEQUENCE {
 416    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 421    1:           BOOLEAN TRUE
 424    5:           OCTET STRING, encapsulates {
 426    3:             SEQUENCE {
 428    1:               BOOLEAN TRUE
         :               }
         :             }
         :           }
         :         }
         :       }
         :     }
 431   13:   SEQUENCE {
 433    9:     OBJECT IDENTIFIER
         :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
 444    0:     NULL
         :     }
 446  129:   BIT STRING
         :     6C F8 02 74 A6 61 E2 64 04 A6 54 0C 6C 72 13 AD
         :     3C 47 FB F6 65 13 A9 85 90 33 EA 76 A3 26 D9 FC
         :     D1 0E 15 5F 28 B7 EF 93 BF 3C F3 E2 3E 7C B9 52
         :     FC 16 6E 29 AA E1 F4 7A 6F D5 7F EF B3 95 CA F3
Top   ToC   RFC5280 - Page 140
         :     66 88 83 4E A1 35 45 84 CB BC 9B B8 C8 AD C5 5E
         :     46 D9 0B 0E 8D 80 E1 33 2B DC BE 2B 92 7E 4A 43
         :     A9 6A EF 8A 63 61 B3 6E 47 38 BE E8 0D A3 67 5D
         :     F3 FA 91 81 3C 92 BB C5 5F 25 25 EB 7C E7 D8 A1
         :   }

C.2. End Entity Certificate Using RSA

This appendix contains an annotated hex dump of a 629-byte version 3 certificate. The certificate contains the following information: (a) the serial number is 18; (b) the certificate is signed with RSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is cn=Example CA,dc=example,dc=com; (d) the subject's distinguished name is cn=End Entity,dc=example,dc=com; (e) the certificate was valid from September 15, 2004 through March 15, 2005; (f) the certificate contains a 1024-bit RSA public key; (g) the certificate is an end entity certificate, as the basic constraints extension is not present; (h) the certificate contains an authority key identifier extension matching the subject key identifier of the certificate in appendix C.1; and (i) the certificate includes one alternative name -- an electronic mail address (rfc822Name) of "end.entity@example.com". 0 625: SEQUENCE { 4 474: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 1: INTEGER 18 16 13: SEQUENCE { 18 9: OBJECT IDENTIFIER : sha1withRSAEncryption (1 2 840 113549 1 1 5) 29 0: NULL : } 31 67: SEQUENCE { 33 19: SET { 35 17: SEQUENCE { 37 10: OBJECT IDENTIFIER : domainComponent (0 9 2342 19200300 100 1 25) 49 3: IA5String 'com' : } : } 54 23: SET {
Top   ToC   RFC5280 - Page 141
  56   21:         SEQUENCE {
  58   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  70    7:           IA5String 'example'
         :           }
         :         }
  79   19:       SET {
  81   17:         SEQUENCE {
  83    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  88   10:           PrintableString 'Example CA'
         :           }
         :         }
         :       }
 100   30:     SEQUENCE {
 102   13:       UTCTime 15/09/2004 11:48:21 GMT
 117   13:       UTCTime 15/03/2005 11:48:21 GMT
         :       }
 132   67:     SEQUENCE {
 134   19:       SET {
 136   17:         SEQUENCE {
 138   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 150    3:           IA5String 'com'
         :           }
         :         }
 155   23:       SET {
 157   21:         SEQUENCE {
 159   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 171    7:           IA5String 'example'
         :           }
         :         }
 180   19:       SET {
 182   17:         SEQUENCE {
 184    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 189   10:           PrintableString 'End Entity'
         :           }
         :         }
         :       }
 201  159:     SEQUENCE {
 204   13:       SEQUENCE {
 206    9:         OBJECT IDENTIFIER
         :           rsaEncryption (1 2 840 113549 1 1 1)
 217    0:         NULL
         :         }
 219  141:       BIT STRING, encapsulates {
 223  137:         SEQUENCE {
 226  129:           INTEGER
Top   ToC   RFC5280 - Page 142
         :             00 E1 6A E4 03 30 97 02 3C F4 10 F3 B5 1E 4D 7F
         :             14 7B F6 F5 D0 78 E9 A4 8A F0 A3 75 EC ED B6 56
         :             96 7F 88 99 85 9A F2 3E 68 77 87 EB 9E D1 9F C0
         :             B4 17 DC AB 89 23 A4 1D 7E 16 23 4C 4F A8 4D F5
         :             31 B8 7C AA E3 1A 49 09 F4 4B 26 DB 27 67 30 82
         :             12 01 4A E9 1A B6 C1 0C 53 8B 6C FC 2F 7A 43 EC
         :             33 36 7E 32 B2 7B D5 AA CF 01 14 C6 12 EC 13 F2
         :             2D 14 7A 8B 21 58 14 13 4C 46 A3 9A F2 16 95 FF
         :             23
 358    3:           INTEGER 65537
         :           }
         :         }
         :       }
 363  117:     [3] {
 365  115:       SEQUENCE {
 367   33:         SEQUENCE {
 369    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
 374   26:           OCTET STRING, encapsulates {
 376   24:             SEQUENCE {
 378   22:               [1] 'end.entity@example.com'
         :               }
         :             }
         :           }
 402   29:         SEQUENCE {
 404    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 409   22:           OCTET STRING, encapsulates {
 411   20:             OCTET STRING
         :               17 7B 92 30 FF 44 D6 66 E1 90 10 22 6C 16 4F C0
         :               8E 41 DD 6D
         :             }
         :           }
 433   31:         SEQUENCE {
 435    3:           OBJECT IDENTIFIER
         :             authorityKeyIdentifier (2 5 29 35)
 440   24:           OCTET STRING, encapsulates {
 442   22:             SEQUENCE {
 444   20:               [0]
         :                 08 68 AF 85 33 C8 39 4A 7A F8 82 93 8E 70 6A
         :                 4A 20 84 2C 32
         :               }
         :             }
         :           }
 466   14:         SEQUENCE {
 468    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 473    1:           BOOLEAN TRUE
 476    4:           OCTET STRING, encapsulates {
 478    2:             BIT STRING 6 unused bits
         :               '11'B
Top   ToC   RFC5280 - Page 143
         :             }
         :           }
         :         }
         :       }
         :     }
 482   13:   SEQUENCE {
 484    9:     OBJECT IDENTIFIER
         :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
 495    0:     NULL
         :     }
 497  129:   BIT STRING
         :     00 20 28 34 5B 68 32 01 BB 0A 36 0E AD 71 C5 95
         :     1A E1 04 CF AE AD C7 62 14 A4 1B 36 31 C0 E2 0C
         :     3D D9 1E C0 00 DC 10 A0 BA 85 6F 41 CB 62 7A B7
         :     4C 63 81 26 5E D2 80 45 5E 33 E7 70 45 3B 39 3B
         :     26 4A 9C 3B F2 26 36 69 08 79 BB FB 96 43 77 4B
         :     61 8B A1 AB 91 64 E0 F3 37 61 3C 1A A3 A4 C9 8A
         :     B2 BF 73 D4 4D E4 58 E4 62 EA BC 20 74 92 86 0E
         :     CE 84 60 76 E9 73 BB C7 85 D3 91 45 EA 62 5D CD
         :   }

C.3. End Entity Certificate Using DSA

This appendix contains an annotated hex dump of a 914-byte version 3 certificate. The certificate contains the following information: (a) the serial number is 256; (b) the certificate is signed with DSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is cn=Example DSA CA,dc=example,dc=com; (d) the subject's distinguished name is cn=DSA End Entity,dc=example,dc=com; (e) the certificate was issued on May 2, 2004 and expired on May 2, 2005; (f) the certificate contains a 1024-bit DSA public key with parameters; (g) the certificate is an end entity certificate (not a CA certificate); (h) the certificate includes a subject alternative name of "<http://www.example.com/users/DSAendentity.html>" and an issuer alternative name of "<http://www.example.com>" -- both are URLs;
Top   ToC   RFC5280 - Page 144
   (i)  the certificate includes an authority key identifier extension
        and a certificate policies extension specifying the policy OID
        2.16.840.1.101.3.2.1.48.9; and

   (j)  the certificate includes a critical key usage extension
        specifying that the public key is intended for verification of
        digital signatures.

   0  910: SEQUENCE {
   4  846:   SEQUENCE {
   8    3:     [0] {
  10    1:       INTEGER 2
         :       }
  13    2:     INTEGER 256
  17    9:     SEQUENCE {
  19    7:       OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
         :       }
  28   71:     SEQUENCE {
  30   19:       SET {
  32   17:         SEQUENCE {
  34   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  46    3:           IA5String 'com'
         :           }
         :         }
  51   23:       SET {
  53   21:         SEQUENCE {
  55   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  67    7:           IA5String 'example'
         :           }
         :         }
  76   23:       SET {
  78   21:         SEQUENCE {
  80    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  85   14:           PrintableString 'Example DSA CA'
         :           }
         :         }
         :       }
 101   30:     SEQUENCE {
 103   13:       UTCTime 02/05/2004 16:47:38 GMT
 118   13:       UTCTime 02/05/2005 16:47:38 GMT
         :       }
 133   71:     SEQUENCE {
 135   19:       SET {
 137   17:         SEQUENCE {
 139   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
Top   ToC   RFC5280 - Page 145
 151    3:           IA5String 'com'
         :           }
         :         }
 156   23:       SET {
 158   21:         SEQUENCE {
 160   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
 172    7:           IA5String 'example'
         :           }
         :         }
 181   23:       SET {
 183   21:         SEQUENCE {
 185    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 190   14:           PrintableString 'DSA End Entity'
         :           }
         :         }
         :       }
 206  439:     SEQUENCE {
 210  300:       SEQUENCE {
 214    7:         OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
 223  287:         SEQUENCE {
 227  129:           INTEGER
         :             00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC FB 95
         :             32 AC 01 12 33 B9 E0 1C AD 90 9B BC 48 54 9E F3
         :             94 77 3C 2C 71 35 55 E6 FE 4F 22 CB D5 D8 3E 89
         :             93 33 4D FC BD 4F 41 64 3E A2 98 70 EC 31 B4 50
         :             DE EB F1 98 28 0A C9 3E 44 B3 FD 22 97 96 83 D0
         :             18 A3 E3 BD 35 5B FF EE A3 21 72 6A 7B 96 DA B9
         :             3F 1E 5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A
         :             FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48 63 FE
         :             43
 359   21:           INTEGER
         :             00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA 55 F7
         :             7D 57 74 81 E5
 382  129:           INTEGER
         :             00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91 C0 8E
         :             47 F1 0A C3 01 47 C2 44 42 36 A9 92 81 DE 57 C5
         :             E0 68 86 58 00 7B 1F F9 9B 77 A1 C5 10 A5 80 91
         :             78 51 51 3C F6 FC FC CC 46 C6 81 78 92 84 3D F4
         :             93 3D 0C 38 7E 1A 5B 99 4E AB 14 64 F6 0C 21 22
         :             4E 28 08 9C 92 B9 66 9F 40 E8 95 F6 D5 31 2A EF
         :             39 A2 62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF
         :             F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE 1E 57
         :             18
         :           }
         :         }
 514  132:       BIT STRING, encapsulates {
 518  128:         INTEGER
Top   ToC   RFC5280 - Page 146
         :           30 B6 75 F7 7C 20 31 AE 38 BB 7E 0D 2B AB A0 9C
         :           4B DF 20 D5 24 13 3C CD 98 E5 5F 6C B7 C1 BA 4A
         :           BA A9 95 80 53 F0 0D 72 DC 33 37 F4 01 0B F5 04
         :           1F 9D 2E 1F 62 D8 84 3A 9B 25 09 5A 2D C8 46 8E
         :           2B D4 F5 0D 3B C7 2D C6 6C B9 98 C1 25 3A 44 4E
         :           8E CA 95 61 35 7C CE 15 31 5C 23 13 1E A2 05 D1
         :           7A 24 1C CB D3 72 09 90 FF 9B 9D 28 C0 A1 0A EC
         :           46 9F 0D B8 D0 DC D0 18 A6 2B 5E F9 8F B5 95 BE
         :         }
         :       }
 649  202:     [3] {
 652  199:       SEQUENCE {
 655   57:         SEQUENCE {
 657    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
 662   50:           OCTET STRING, encapsulates {
 664   48:             SEQUENCE {
 666   46:               [6]
         :                 'http://www.example.com/users/DSAendentity.'
         :                 'html'
         :               }
         :             }
         :           }
 714   33:         SEQUENCE {
 716    3:           OBJECT IDENTIFIER issuerAltName (2 5 29 18)
 721   26:           OCTET STRING, encapsulates {
 723   24:             SEQUENCE {
 725   22:               [6] 'http://www.example.com'
         :               }
         :             }
         :           }
 749   29:         SEQUENCE {
 751    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
 756   22:           OCTET STRING, encapsulates {
 758   20:             OCTET STRING
         :               DD 25 66 96 43 AB 78 11 43 44 FE 95 16 F9 D9 B6
         :               B7 02 66 8D
         :             }
         :           }
 780   31:         SEQUENCE {
 782    3:           OBJECT IDENTIFIER
         :             authorityKeyIdentifier (2 5 29 35)
 787   24:           OCTET STRING, encapsulates {
 789   22:             SEQUENCE {
 791   20:               [0]
         :                 86 CA A5 22 81 62 EF AD 0A 89 BC AD 72 41 2C
         :                 29 49 F4 86 56
         :               }
         :             }
Top   ToC   RFC5280 - Page 147
         :           }
 813   23:         SEQUENCE {
 815    3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
 820   16:           OCTET STRING, encapsulates {
 822   14:             SEQUENCE {
 824   12:               SEQUENCE {
 826   10:                 OBJECT IDENTIFIER '2 16 840 1 101 3 2 1 48 9'
         :                 }
         :               }
         :             }
         :           }
 838   14:         SEQUENCE {
 840    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 845    1:           BOOLEAN TRUE
 848    4:           OCTET STRING, encapsulates {
 850    2:             BIT STRING 7 unused bits
         :               '1'B (bit 0)
         :             }
         :           }
         :         }
         :       }
         :     }
 854    9:   SEQUENCE {
 856    7:     OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
         :     }
 865   47:   BIT STRING, encapsulates {
 868   44:     SEQUENCE {
 870   20:       INTEGER
         :         65 57 07 34 DD DC CA CC 5E F4 02 F4 56 42 2C 5E
         :         E1 B3 3B 80
 892   20:       INTEGER
         :         60 F4 31 17 CA F4 CF FF EE F4 08 A7 D9 B2 61 BE
         :         B1 C3 DA BF
         :       }
         :     }
         :   }

C.4. Certificate Revocation List

This appendix contains an annotated hex dump of a version 2 CRL with two extensions (cRLNumber and authorityKeyIdentifier). The CRL was issued by cn=Example CA,dc=example,dc=com on February 5, 2005; the next scheduled issuance was February 6, 2005. The CRL includes one revoked certificate: serial number 18, which was revoked on November 19, 2004 due to keyCompromise. The CRL itself is number 12, and it was signed with RSA and SHA-1.
Top   ToC   RFC5280 - Page 148
   0  352: SEQUENCE {
   4  202:   SEQUENCE {
   7    1:     INTEGER 1
  10   13:     SEQUENCE {
  12    9:       OBJECT IDENTIFIER
         :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
  23    0:       NULL
         :       }
  25   67:     SEQUENCE {
  27   19:       SET {
  29   17:         SEQUENCE {
  31   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  43    3:           IA5String 'com'
         :           }
         :         }
  48   23:       SET {
  50   21:         SEQUENCE {
  52   10:           OBJECT IDENTIFIER
         :             domainComponent (0 9 2342 19200300 100 1 25)
  64    7:           IA5String 'example'
         :           }
         :         }
  73   19:       SET {
  75   17:         SEQUENCE {
  77    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  82   10:           PrintableString 'Example CA'
         :           }
         :         }
         :       }
  94   13:     UTCTime 05/02/2005 12:00:00 GMT
 109   13:     UTCTime 06/02/2005 12:00:00 GMT
 124   34:     SEQUENCE {
 126   32:       SEQUENCE {
 128    1:         INTEGER 18
 131   13:         UTCTime 19/11/2004 15:57:03 GMT
 146   12:         SEQUENCE {
 148   10:           SEQUENCE {
 150    3:             OBJECT IDENTIFIER cRLReason (2 5 29 21)
 155    3:             OCTET STRING, encapsulates {
 157    1:               ENUMERATED 1
         :               }
         :             }
         :           }
         :         }
         :       }
 160   47:     [0] {
 162   45:       SEQUENCE {
Top   ToC   RFC5280 - Page 149
 164   31:         SEQUENCE {
 166    3:           OBJECT IDENTIFIER
         :             authorityKeyIdentifier (2 5 29 35)
 171   24:           OCTET STRING, encapsulates {
 173   22:             SEQUENCE {
 175   20:               [0]
         :                 08 68 AF 85 33 C8 39 4A 7A F8 82 93 8E 70 6A
         :                 4A 20 84 2C 32
         :               }
         :             }
         :           }
 197   10:         SEQUENCE {
 199    3:           OBJECT IDENTIFIER cRLNumber (2 5 29 20)
 204    3:           OCTET STRING, encapsulates {
 206    1:             INTEGER 12
         :             }
         :           }
         :         }
         :       }
         :     }
 209   13:   SEQUENCE {
 211    9:     OBJECT IDENTIFIER
         :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
 222    0:     NULL
         :     }
 224  129:   BIT STRING
         :     22 DC 18 7D F7 08 CE CC 75 D0 D0 6A 9B AD 10 F4
         :     76 23 B4 81 6E B5 6D BE 0E FB 15 14 6C C8 17 6D
         :     1F EE 90 17 A2 6F 60 E4 BD AA 8C 55 DE 8E 84 6F
         :     92 F8 9F 10 12 27 AF 4A D4 2F 85 E2 36 44 7D AA
         :     A3 4C 25 38 15 FF 00 FD 3E 7E EE 3D 26 12 EB D8
         :     E7 2B 62 E2 2B C3 46 80 EF 78 82 D1 15 C6 D0 9C
         :     72 6A CB CE 7A ED 67 99 8B 6E 70 81 7D 43 42 74
         :     C1 A6 AF C1 55 17 A2 33 4C D6 06 98 2B A4 FC 2E
         :   }
Top   ToC   RFC5280 - Page 150

Authors' Addresses

David Cooper National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA EMail: david.cooper@nist.gov Stefan Santesson Microsoft One Microsoft Way Redmond, WA 98052 USA EMail: stefans@microsoft.com Stephen Farrell Distributed Systems Group Computer Science Department Trinity College Dublin Ireland EMail: stephen.farrell@cs.tcd.ie Sharon Boeyen Entrust 1000 Innovation Drive Ottawa, Ontario Canada K2K 3E7 EMail: sharon.boeyen@entrust.com Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA EMail: housley@vigilsec.com Tim Polk National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA EMail: wpolk@nist.gov
Top   ToC   RFC5280 - Page 151
Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.