Certificate Authority Decisions
172 Netscape Certificate Management System Installation and Setup Guide • March 2002

your root certificate into all the browsers used with the certificates you issue. If you are using Netscape Communicator as your client, you can accomplish this task within an intranet by using tools such as Mission Control Desktop or with the aid of Personal Security Manager, but extranet deployments can be more complicated.

CAs and Certificate Extensions

An X.509 v3 certificate contains an extensions field that permits any number of additional fields to be added to the certificate. Certificate extensions provide a way of adding information such as alternative subject names, policy information, and usage restrictions to certificates. The X.509 v3 standard defines a number of extensions for various purposes. Certificate Management System provides policy modules that you can use to set many of the standard extensions in the certificates the server issues.

Before the X.509 v3 standard was finalized, Netscape and other companies had to address certain issues, such as usage restrictions, with their own extension definitions. Therefore, to maintain compatibility with older versions of browsers that were released before the X.509 v3 specification was finalized, certain kinds of certificates should include some of the Netscape extensions. Certificate Management System provides policy modules that you can use to implement essential Netscape extensions.

The Internet Engineering Task Force (IETF), which controls many of the standards that underlie the Internet, is currently developing public-key infrastructure X.509 (PKIX) standards. These proposed standards further refine the X.509 v3 approach to extensions for use on the Internet.

PKIX working group recommendations should also be taken into account when planning extensions for CA certificates, subordinate CA certificates, and end-entity certificates.

For more detailed information about extensions and recommendations for specific types of certificates, see Appendix C, “Certificate and CRL Extensions” of CMS Plug-Ins Guide.

CA Certificate Renewal or Reissuance

When a CA signing certificate expires, all certificates signed with the CA’s corresponding signing key become invalid. End entities use information in the CA certificate to verify the certificate’s authenticity. If the CA certificate itself has expired, applications cannot chain the certificate to a trusted CA.

There are two ways of dealing with CA certificate expiration: