| Field | Value and Requirements |
|---|---|
| Version | V3 (2) |
| Serial Number | Serial number shall be a unique positive integer with a minimum of 64 bits of entropy generated by a CSPRNG. Serial number shall not exceed 20 bytes in length. |
| Issuer Signature Algorithm | sha256 WithRSAEncryption {1 2 840 113549 1 1 11} |
| Issuer Distinguished Name | Distinguished Name of the Issuing CA for the OCSP responder certificate |
| Validity Period | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter No longer than 45 days from date of issue. |
| Subject Distinguished Name | Unique X.500 CA DN as specified in Section 7.1.4 of this CP. The commonName (CN) shall include an indicator of the certificate subject as an OCSP Responder. Organization Name (required) and shall contain U.S. Government (o=U.S. Government) Country (required) and shall be c=US Each X.500 DN is a printableString where possible and contains a single attribute type and attribute value tuple. Example: cn=OCSP Signing Certificate 1, o=U.S. Government, c=US |
| Subject Public Key Information | rsaEncryption {1 2 840 113549 1 1 1} For RSA, parameters field is populated with NULL. For RSA public keys, modulus shall be 2048, 3072, or 4096 bits. Public exponent e shall be an odd positive integer such that 2^16+1 < =e < 2^256-1. |
| Issuer Signature | sha256 WithRSAEncryption {1 2 840 113549 1 1 11} |
| Extension | Required | Critical | Value and Requirements |
|---|---|---|---|
| Authority Key Identifier | Mandatory | False | Octet String Derived using the SHA-1 hash of the Issuer’s public key in accordance with RFC 5280. Must match SKI of issuing CA Certificate |
| Subject Key Identifier | Mandatory | False | Octet String 20 byte SHA-1 hash of the binary DER encoding of the OCSP responder public key in accordance with RFC 5280 |
| Key Usage | Mandatory | True | Required Key Usage: digitalSignature Prohibited Key Usage: All others |
| id-pkix-ocsp-nocheck {1.3.6.1.5.5.7.48.1.5} | Mandatory | False | Null |
| Extended Key Usage | Mandatory | True | Required Extended Key Usage: id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} Prohibited Extended Key Usage: All others, including anyEKU EKU {2.5.29.37.0} |
| Certificate Policies | Mandatory | False | Required Certificate Policy Fields: See Section 7.1.6.4. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA and covered by the OCSP responses. Optional Certificate Policy Fields: certificatePolicies:policyQualifiers policyQualifierId id-qt 1 qualifier:cPSuri |
| Authority Information Access | Optional | False | Required AIA Fields: Id-ad-caIssuers Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |