HTTPS Identity Certificate attributes

Last Updated: Aug 20, 2020

Generate the Session Manager HTTPS Identity Certificate with the following X509v3 extensions and attributes.

| Attribute | Value | Required? |
|---|---|---|
| Authority Information Access | OCSP - URI:http://{ocsp-server}{:ocsp-port}{/ocsp-path} | Optional |
| Authority Key Identifier | hash | Required [1] |
| CRL Distribution Points | URI:http://{crl-server}{:crl-port}{/crl-path} | Recommended |
| | URI:ldap://{crl-server}{:crl-port}{/crl-dn} [2] | Recommended |
| Extended Key Usage | id-kp-serverAuth = 1.3.6.1.5.5.7.3.2.1 | Required |
| | id-kp-clientAuth = 1.3.6.1.5.5.7.3.2.2 | Optional [3] |
| Key Usage | digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | All values are Optional. [4] |
| Subject | CN={fqdn} | Required |
| Subject Alternative Name | IP:{ip} | Optional [5] |
| | DNS:{fqdn} | Required |
| Subject Key Identifier | hash | Recommended |
| Validity | validity period | Required |

[1] Authority key identifiers are required elements in end entity certificates to properly establish the trust chain.
[2] URLs and DNs that identify the location of CRLs in LDAP directories can be complex. Entities must be able to handle characters as defined by the LDAP URI specification in RFC 4516.
[3] Required if the same Identity Certificate is used when the server is acting as a client.
[4] Values may vary as specified in RFC 5280 and RFC 3279.
[5] For 96xx, 1XC SIP, and Avaya Communicator SIP endpoints, PPM is defined as an IP address, so PPM certificates must contain the IP:{ip} Subject Alternative Name entry when any of these endpoints are part of the solution.
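
An issued certificate can be checked against the table before it is installed. The following is an added example, not Avaya code: it audits the text printed by `openssl x509 -noout -text` for the Required and Recommended rows, with footnotes 3 and 5 as switches. The host name, sample text and function names are constructed for illustration.

```python
import re
# Constructed `openssl x509 -noout -text` excerpt for a hypothetical host.
SAMPLE = """\
        Subject: O = Example, CN = sm.example.com
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:1A:2B:3C:4D
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:sm.example.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.com/ca.crl
"""
HEADER = re.compile(r"^\s*(X509v3 [^:]+|Authority Information Access):")

def parse_extensions(text):
    """Map extension name -> body lines, using indentation to find each body."""
    exts, name, depth = {}, None, 0
    for line in text.splitlines():
        m, indent = HEADER.match(line), len(line) - len(line.lstrip())
        if m and m.group(1) != "X509v3 extensions":
            name, depth = m.group(1).replace("X509v3 ", ""), indent
            exts[name] = ""
        elif name and indent > depth:
            exts[name] += line.strip() + "\n"
        else:
            name = None
    return exts

def audit(text, fqdn, ip=None, acts_as_client=False):
    """Return (missing required, missing recommended) attribute names."""
    exts = parse_extensions(text)
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,/\n]+)", text)
    san = re.split(r"[,\n]\s*", exts.get("Subject Alternative Name", ""))
    eku = exts.get("Extended Key Usage", "")
    required = {
        "Subject CN={fqdn}": bool(cn) and cn.group(1).strip() == fqdn,
        "SAN DNS:{fqdn}": f"DNS:{fqdn}" in san,
        # Footnote 5: OpenSSL prints an IP:{ip} entry as "IP Address:".
        "SAN IP:{ip}": not ip or f"IP Address:{ip}" in san,
        "EKU serverAuth": "TLS Web Server Authentication" in eku,
        # Footnote 3: only needed when the server also acts as a client.
        "EKU clientAuth": not acts_as_client or "TLS Web Client Authentication" in eku,
        "Authority Key Identifier": "Authority Key Identifier" in exts,
    }
    recommended = {"Subject Key Identifier": "Subject Key Identifier" in exts,
                   "CRL Distribution Points": "URI:" in exts.get("CRL Distribution Points", "")}
    missing = lambda checks: [k for k, ok in checks.items() if not ok]
    return missing(required), missing(recommended)
```

Pass `ip` only when 96xx, 1XC SIP or Avaya Communicator SIP endpoints are part of the solution, and `acts_as_client=True` only when the same certificate is presented on outbound connections.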