Barracuda CloudGen Firewall

PKI Certificate Settings


For each PKI certificate, you can view and edit the settings in the following sections:  

General Settings

Each entry lists the setting, its description and the available options.

Keysize in Bits

Specifies the key size in bits. Normally the value ranges from 512 to 4096 bits (default: 1024). The key size must be at least 1024 bits for end-user certificates. When the lifetime of the CA is 10 years or longer, the key size must be at least 2048 bits (recommended: 4096).

  • 512
  • 1024 (Default)
  • 2048
  • 4096

Duration of Validity

In days, specifies how long the certificate remains valid (default: 5000). For example, enter 5475 days for a root certificate that will remain valid for 15 years (365 * 15).

Key Algorithm

Specifies the algorithm used for key creation.

  • rsa (Default)
  • dsa

Key Encryption

Specifies the algorithm used for key encryption.

  • TripleDES (Default)
  • IDEA
  • DES

Message Digest Algorithm

Specifies the hash algorithm.

  • md2
  • md5
  • mdc2
  • sha1 (Default)

Password

Defines the certificate password.

Validate Password

Validates the certificate password.

Subject

Each entry lists the setting and its description.

Common Name

Specifies the name of the certificate. Do not use special characters or underscores in the common name.

Email Address

Specifies the email address of the certificate owner.

Country / State or Province / Locality / Organisation / Organisation Unit

Specifies the address of the organization.

V3 Extensions

For more information on V3 extensions, see RFC 3280 at http://www.ietf.org/rfc/rfc3280.txt.

If you select the Critical check box for an extension, applications that process the certificate must honour that extension. The certificate may then only be used as specified in the keyUsage and extendedKeyUsage settings.

Each entry lists the extension, its description, its OID, whether it can be marked critical (CANBECRIT), and its possible values.

basicConstraints

Defines whether the certificate is a CA (CA:true) or not (CA:false, the default).

The CA boolean indicates whether the certified public key belongs to a CA.

If the CA boolean is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted.

OID = 2.5.29.19

CANBECRIT=true

  • true
  • false

keyUsage

Specifies the purpose of the key contained in the certificate. This extension is useful when the key can be used for more than one operation.

OID = 2.5.29.15

BIT STRING

  • digitalSignature - (0)
  • nonRepudiation - (1)
  • keyEncipherment - (2)
  • dataEncipherment - (3)
  • keyAgreement - (4)
  • keyCertSign - (5)
  • cRLSign - (6)
  • encipherOnly - (7)
  • decipherOnly - (8)

Meaning of the bits:

  • 0) sign for entity authentication and data origin authentication with integrity.
  • 1) sign with a non-repudiation service.
  • 2) encrypt keys for transport using RSA-like algorithms.
  • 3) encrypt data.
  • 4) exchange keys using D-H-like algorithms.
  • 5) sign certificates.
  • 6) sign CRLs.
  • 7) encrypt data using D-H-like algorithms.
  • 8) decrypt data using D-H-like algorithms.

extendedKeyUsage

Indicates one or more purposes for which the certified public key may be used, in addition to the purposes specified by the keyUsage extension. In general, this extension is only used in end entity certificates.

OID = 2.5.29.37

CANBECRIT=true

  • serverAuth
  • clientAuth
  • emailProtection
  • codeSigning
  • timeStamping
  • OCSPSigning
  • smartCardLogon
  • secureMail
  • msCodeInd (MS Individual Code Signing)
  • msCodeCom (MS Commercial Code Signing)
  • msCTLSign (MS Trust List Signing)
  • msSGC (MS Server Gated Cryptography)
  • msEFS (MS Encrypted File System)
subjectKeyIdentifier

Hash of the subject public key. This extension provides a means of identifying certificates that contain a particular public key.

OID = 2.5.29.14

CANBECRIT=false

hash

authorityKeyIdentifier

Specifies the public key that is used to verify the signature on this certificate or CRL.

OID = 2.5.29.35

CANBECRIT=false

  • keyid:always
  • keyid:copy
  • issuer:always
  • issuer:copy
authorityInfoAccess

Indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include online validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in end entity or CA certificates, and it MUST be non-critical.

OID = 1.3.6.1.5.5.7.1.1

A string. For example:

  • OCSP;URI: ocsp.my.host/
  • caIssuers;URI: my.ca/ca.html

subjectAltName

Specifies additional identities that are bound to the subject of the certificate. You can specify an email address, a DNS name, an IP address, a uniform resource identifier (URI), MS Domain GUID, or MS Domain User.

OID = 2.5.29.17

CANBECRIT=true

  • Email - enter an email address, or "copy" to copy it from the subject
  • DNS
  • URI
  • IP
  • MS Domain GUID - for Smartcard Server
  • MS Domain User - for Smartcard User
issuerAltName

Associates Internet-style identities with the certificate issuer.

OID = 2.5.29.18

CANBECRIT=true

issuer:copy

crlDistributionPoints

Specifies the distribution points for the Certificate Revocation List (CRL).

OID = 2.5.29.31

Example:

  • ldap://some.ldap-test.eu/cn=rootcert,dc=ldap-test,dc=eu
  • some.ldap-test.eu/crl/rootcert.crl

DomainController

Specifies a Microsoft-specific extension for entering DomainControllers.

OID = 1.3.6.1.4.1.311.20.2

This is a Microsoft specific extension needed for smartcard login.

  • Machine - for a machine
  • SmartCardLogon - for a user (logon)
  • SmartCardUser - for a user (logon and email)
nsCertType

Specifies a Netscape certificate type.

  • client
  • server
  • email
  • objsign
  • sslCA
  • emailCA
  • objCA
nsComment

Enables you to enter comments.

OID = 2.16.840.1.113730.1.13

This is an old Netscape extension that only provides a place for a comment.
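As an added example that is not part of the Barracuda documentation, the following Python encodes and decodes the keyUsage BIT STRING with the bit numbering listed above and checks a proposed certificate profile against the rules this page states (the key size minimums from General Settings, the basicConstraints/keyCertSign rule, the requirement that authorityInfoAccess be non-critical, and the Common Name character restriction). The CertProfile class, its field names and the set of characters treated as "special" are assumptions of the example.

```python
from dataclasses import dataclass, field

# keyUsage bit positions exactly as listed on this page: bit 0 = digitalSignature ... bit 8 = decipherOnly
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)
# Characters treated as "special" for the Common Name rule (assumption; the page names only underscores explicitly)
CN_FORBIDDEN = set("_!@#$%^&*()+=[]{};:'\"\\|<>?,/")


def encode_key_usage(names):
    """Return the keyUsage BIT STRING as text, bit 0 first, e.g. {'keyCertSign', 'cRLSign'} -> '000001100'."""
    unknown = set(names) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown keyUsage bit(s): {sorted(unknown)}")
    return "".join("1" if bit in names else "0" for bit in KEY_USAGE_BITS)


def decode_key_usage(bits):
    """Inverse of encode_key_usage: '100100000' -> {'digitalSignature', 'dataEncipherment'}."""
    if len(bits) > len(KEY_USAGE_BITS) or set(bits) - {"0", "1"}:
        raise ValueError("keyUsage BIT STRING must be at most 9 characters of 0/1")
    return {name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"}


@dataclass
class CertProfile:               # hypothetical container for the settings described on this page
    common_name: str             # Subject > Common Name
    key_size: int                # General Settings > Keysize in Bits
    validity_days: int           # General Settings > Duration of Validity
    is_ca: bool                  # basicConstraints CA:true / CA:false
    key_usage: set = field(default_factory=set)   # names taken from KEY_USAGE_BITS
    aia_critical: bool = False   # whether authorityInfoAccess is marked Critical


def check_profile(p):
    """Return the rule violations for a profile; an empty list means it is consistent with the page."""
    problems = []
    if any(c in CN_FORBIDDEN for c in p.common_name):
        problems.append("Common Name must not contain special characters or underscores")
    if not p.is_ca and p.key_size < 1024:
        problems.append("end-user certificates need a key size of at least 1024 bits")
    if p.is_ca and p.validity_days >= 10 * 365 and p.key_size < 2048:
        problems.append("a CA with a lifetime of 10 years or longer needs at least 2048 bits")
    if not p.is_ca and "keyCertSign" in p.key_usage:
        problems.append("keyCertSign MUST NOT be asserted when basicConstraints CA is false")
    if p.aia_critical:
        problems.append("authorityInfoAccess MUST be non-critical")
    return problems
```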