Introduction to Certificate Extensions
330 Netscape Certificate Management System Plug-Ins Guide • March 2002

Structure of Certificate Extensions

In RFC 2459, an X.509 certificate extension is defined as follows:

    Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING }

This means that a certificate extension consists of the following:

• The object identifier (OID) for the extension; see Appendix B, “Object Identifiers.”
  This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. That is, when an extension appears in a certificate, the OID appears as the extension ID field (extnID) and the corresponding ASN.1 encoded structure appears as the value of the octet string (extnValue); see the examples in “Sample Certificate Extensions” on page 331.

• A flag or boolean field called critical.
  The value assigned to this field, either true or false, indicates whether the extension is critical or noncritical to the certificate.
  - If the extension is critical and the certificate is sent to an application that does not understand the extension (based on the extension’s ID), the application must reject the certificate.
  - If the extension is not critical and the certificate is sent to an application that does not understand the extension (based on the extension’s ID), the application can ignore the extension and accept the certificate.

• An octet string containing the DER encoding of the value of the extension.
  Typically, the application receiving the certificate checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used.

Examples of standard extensions defined in the X.509 v3 standard include the following:

• Authority Key Identifier Extension—an extension for identifying the certificate authority’s public key (the key used to sign the certificate).
• Subject Key Identifier Extension—an extension for identifying the subject’s public key (the key being certified).
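The following is an added example, not code from the Netscape guide: a minimal DER decoder for the Extension SEQUENCE defined above, together with the critical-flag rule, run over two constructed extensions (a Subject Key Identifier, OID 2.5.29.14, and an unknown critical extension under the made-up placeholder OID 1.2.3.4).

```python
# Added example (not from the guide): decode one X.509 v3 Extension from DER
# and apply the RFC 2459 rule for the critical flag.

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal text (e.g. 2.5.29.14)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                     # remaining arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def decode_extension(der):
    """Parse Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False                       # DEFAULT FALSE: an absent BOOLEAN means false
    tag, field, pos = _read_tlv(body, pos)
    if tag == 0x01:                        # BOOLEAN present, so read the next field
        critical = field != b"\x00"
        tag, field, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return {"oid": _decode_oid(oid_body), "critical": critical, "value": field}

# OIDs this hypothetical application understands: subjectKeyIdentifier, authorityKeyIdentifier.
KNOWN_EXTENSIONS = {"2.5.29.14", "2.5.29.35"}

def accept_extension(ext, known=KNOWN_EXTENSIONS):
    """Unknown + critical -> reject the certificate; unknown + noncritical -> ignore."""
    if ext["oid"] in known:
        return "process"
    return "reject" if ext["critical"] else "ignore"

# Constructed samples. SKI: OID 2.5.29.14, critical absent, extnValue wrapping a
# 4-byte KeyIdentifier. UNKNOWN: placeholder OID 1.2.3.4, critical TRUE (0xff).
SKI_EXT = bytes.fromhex("30 0d 06 03 55 1d 0e 04 06 04 04 de ad be ef")
UNKNOWN_CRITICAL_EXT = bytes.fromhex("30 0b 06 03 2a 03 04 01 01 ff 04 01 00")
```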