Certificate Attribute Requirements Enforced by Attachmate Applications

  • 7021358
  • 29-Mar-2012
  • 02-Mar-2018

Environment

Extra! X-treme version 9.0 SP1 or higher
Host Access Management and Security Server version 12.3 or higher
InfoConnect Desktop for Unisys
InfoConnect Desktop for Airlines
InfoConnect version 8.1 SP1 or higher
Reflection PKI Services Manager
Reflection Desktop
Reflection 2014
Reflection Desktop for IBM
Reflection for IBM 2014
Reflection for IBM 2011
Reflection for IBM version 14.x
Reflection Desktop for UNIX and OpenVMS
Reflection for UNIX and OpenVMS 2014
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS version 14.x
Reflection for HP version 14.x
Reflection for Secure IT Windows Client version 7.2 or higher
Reflection for the Web (All Editions) version 12.2 or higher
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions) R3
Reflection FTP Client
Reflection ZFE version 2.0 or higher

Situation

The Attachmate applications listed in the Environment section support the use of X.509 certificates for authentication. This technical note provides a detailed list of which certificate fields are checked, and what requirements must be met for a certificate to be accepted as valid.

Resolution

Requirements for All Certificates

The following version 1 fields MUST all contain valid data.

Field / Validation information for this field and its attributes

Version
  Version 3 is required for user or server certificates. The version accepted for CA certificates is configurable, but by default version 1 certificates are rejected.

Serial number
  Used in combination with Issuer to identify this certificate for revocation checking.

Issuer
  • Used to build the chain of trust for this certificate.
  • Used in combination with Serial number to identify this certificate for revocation checking.

Subject
  The CN attribute is used to determine the identity of the entity presenting this certificate. (Note: In some certificates, the Subject Alternative Name extension is used as an alternate method of specifying identity.)

Valid from / Valid to
  Used to determine whether the certificate is within its valid time period.

Signature algorithm / Signature hash algorithm
  Identify the algorithm and hash function needed to verify the certificate's signature.

Public key
  Used to verify the digital signatures produced by the certificate owner.

Requirements for CA Certificates

Certification Authority (CA) certificates must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.

Field / Validation information for this field and its attributes

Basic Constraints
  • MUST be set as a critical extension.
  • Subject type MUST be set to CA.
  • Path Length Constraint is not required. If present, it will be used to check the length of the chain.

Key Usage
  • MUST be present. May be set as a critical extension.
  • MUST include Certificate signing.
  • May also include CRL signing, Off-line CRL Signing, and Digital Signature. (These attributes may be required if the CA server also issues CRLs or OCSP responses.)

Authority Information Access
  Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers.

CRL Distribution Points
  Not required. If present, it can be used to retrieve CRLs.

Certificate Policies
  Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up and down the chain of trust.
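
As an added illustration (not code from this technical note or from any Attachmate product), the following Go program applies the CA rows above to a parsed certificate using the standard crypto/x509 package. The self-signed root it builds is a constructed test certificate, and the count of subordinate CAs passed to CheckCA is assumed to come from the chain being built.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CheckCA applies the CA rows of the note to a parsed certificate; casBelow is the number of CA certificates beneath it in the chain.
func CheckCA(c *x509.Certificate, casBelow int) []string {
	var p []string // each entry is one requirement the certificate fails
	if !c.BasicConstraintsValid || !c.IsCA {
		p = append(p, "Basic Constraints must be present with subject type CA")
	}
	for _, e := range c.Extensions { // the critical flag is only visible on the raw extension
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 19}) && !e.Critical {
			p = append(p, "Basic Constraints must be a critical extension")
		}
	}
	// Path Length Constraint is optional; when present it bounds the CAs below this one.
	if (c.MaxPathLen > 0 || c.MaxPathLenZero) && casBelow > c.MaxPathLen {
		p = append(p, fmt.Sprintf("%d CAs below this one exceed Path Length Constraint %d", casBelow, c.MaxPathLen))
	}
	if c.KeyUsage&x509.KeyUsageCertSign == 0 {
		p = append(p, "Key Usage must be present and include Certificate signing")
	}
	return p
}

// SelfSignedCA builds a constructed in-memory test root with the given Key Usage (not an Attachmate artifact).
func SelfSignedCA(ku x509.KeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1, KeyUsage: ku}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der) // parse back so Extensions (with Critical flags) are populated
	return c
}

func main() {
	good, bad := SelfSignedCA(x509.KeyUsageCertSign|x509.KeyUsageCRLSign), SelfSignedCA(x509.KeyUsageDigitalSignature)
	fmt.Println(CheckCA(good, 1), CheckCA(bad, 2)) // the second CA fails the Path Length and Key Usage rows
}
```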

Requirements for SSL, TLS, and FTPS Server Certificates

Certificates used to authenticate SSL, TLS, and FTPS servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.

Field / Validation information for this field and its attributes

Key Usage
  May be present, but not required. If present:
  • MUST include Digital Signature and Key Encipherment.
  • May also include Non Repudiation, Data Encipherment, and others, but these are ignored.

Extended Key Usage (Enhanced Key Usage is an equivalent name.)
  May be present, but not required. If present:
  • MUST include Server authentication.

Authority Information Access
  Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers.

CRL Distribution Points
  Not required. If present, it can be used to retrieve CRLs.

Certificate Policies
  Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust.

Subject Alternative Name
  Not required. May be used to determine alternate names for the server presenting the certificate, using either the dNSName or iPAddress attributes.

Requirements for Secure Shell (SSH) and SFTP Server Certificates

Certificates used to authenticate Secure Shell (SSH) and SFTP servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.

Field / Validation information for this field and its attributes

Key Usage
  May be present, but not required. If present:
  • MUST include Digital Signature and Key Encipherment.
  • May also include Non Repudiation, Data Encipherment, and others, but these are ignored.

Extended Key Usage (Enhanced Key Usage is an equivalent name.)
  May be present, but not required. If present:
  • MUST include Server authentication.

Authority Information Access
  Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers.

CRL Distribution Points
  Not required. If present, it can be used to retrieve CRLs.

Certificate Policies
  Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust.

Subject Alternative Name
  Not required. May be used to determine alternate names for the server presenting the certificate, using either the dNSName or iPAddress attributes.

Requirements for User Certificates

Certificates used to authenticate client users must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.

Field / Validation information for this field and its attributes

Key Usage
  May be present, but not required. If present:
  • MUST include Digital Signature.
  • May also include Non Repudiation, Data Encipherment, and others, but these are ignored.

Extended Key Usage (Enhanced Key Usage is an equivalent name.)
  May be present, but not required. If present:
  • MUST include Client authentication.

Authority Information Access
  Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers.

CRL Distribution Points
  Not required. If present, it can be used to retrieve CRLs.

Certificate Policies
  Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust.

Subject Alternative Name
  Not required. May be used to determine alternate names for the user presenting the certificate, using the rfc822Name or otherName attributes.
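
As an added example (not Attachmate code), this Go function applies the version 1 rows from Requirements for All Certificates together with the server and user extension rows above to a certificate, using the same optional-but-constrained treatment of Key Usage and Extended Key Usage that the tables describe. The certificate in main is constructed in memory; the Role type and its two values are assumptions of this example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// Role selects which requirements table applies: an SSL/TLS/FTPS or SSH/SFTP server, or a client user.
type Role int

const RoleServer, RoleUser Role = 1, 2

// CheckEndEntity applies the version 1 rows and the server or user extension rows of the note
// to c and returns each requirement it fails; an empty result means the attributes are acceptable.
func CheckEndEntity(c *x509.Certificate, role Role, now time.Time) []string {
	var p []string
	if c.Version != 3 {
		p = append(p, fmt.Sprintf("version %d: user and server certificates must be version 3", c.Version))
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		p = append(p, "outside the Valid from / Valid to period")
	}
	// Key Usage and Extended Key Usage are optional, but constrained when present.
	need, eku := x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth
	if role == RoleServer {
		need, eku = need|x509.KeyUsageKeyEncipherment, x509.ExtKeyUsageServerAuth
	}
	if c.KeyUsage != 0 && c.KeyUsage&need != need { // zero means the extension is absent
		p = append(p, "Key Usage is present but lacks a bit required for this role")
	}
	ekuOK := len(c.ExtKeyUsage) == 0
	for _, e := range c.ExtKeyUsage {
		ekuOK = ekuOK || e == eku // other purposes may be present and are ignored
	}
	if !ekuOK {
		p = append(p, "Extended Key Usage is present but lacks the authentication purpose for this role")
	}
	return p
}

func main() {
	// Constructed sample: a version 3 certificate whose Key Usage holds only Digital Signature.
	now := time.Now()
	c := &x509.Certificate{Version: 3, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	fmt.Println(CheckEndEntity(c, RoleServer, now), CheckEndEntity(c, RoleUser, now)) // rejected as a server, accepted as a user
}
```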

Additional Information

Legacy KB ID

This article was originally published as Attachmate technical note 2619.