m (clarification)
(Clarification about technically constrained intermediate certs)
Line 67: | Line 67: | ||
* CAs should '''not''' add records for: | * CAs should '''not''' add records for: | ||
** Intermediate certificates that the CA cannot publicly disclose '''and''' are [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. All intermediate certificate data added by CAs to Salesforce will be [[CA:SalesforceCommunity#View_Published_Reports|publicly available]]. | ** Intermediate certificates that the CA cannot publicly disclose '''and''' are [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings. All intermediate certificate data added by CAs to Salesforce will be [[CA:SalesforceCommunity#View_Published_Reports|publicly available]]. | ||
** Intermediate certificates are considered to be technically constrained, and do not need to be added to the CA Community in Salesforce if: | |||
*** The certificate has the Extended Key Usage (EKU) extension and it does '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth | |||
*** The root certificate is not enabled with the Websites trust bit | |||
** Revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|do not need to be added to OneCRL]] | ** Revoked intermediate certificates that [[CA:ImprovingRevocation#When_To_Notify_Mozilla|do not need to be added to OneCRL]] | ||
** Expired intermediate certificates | ** Expired intermediate certificates |
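Review bot: the two new "***" conditions ("The certificate has the Extended Key Usage (EKU) extension and it does '''not''' include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth" and "The root certificate is not enabled with the Websites trust bit") hang off "do not need to be added to the CA Community in Salesforce if:" without saying whether either condition alone suffices or both must hold; a reader deciding whether to disclose an intermediate cannot tell from this text. Suggest rewording the lead bullet to "if either of the following holds:" or "if all of the following hold:", whichever is intended. The unchanged parent bullet still describes technical constraint as "via Extended Key Usage and Name Constraint settings", while the new EKU condition says nothing about name constraints, so the two bullets now read inconsistently; the added text should state whether name constraints are still required when the EKU already excludes anyExtendedKeyUsage and id-kp-serverAuth, or the parent bullet should be adjusted to match.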