Compatibility of algorithms and CA properties
Algorithms
The current version of the PKI supports the following algorithms:
-
RSASSA-PKCS v1.5 and ECDSA with Prime256-V1 for the Certificate Signing Request (CSR),
-
RSASSA-PKCS v1.5 for signing the issued certificate with the CA private key. This is the OpenSSL standard RSA algorithm.
Algorithms CSR CA RSA (RSASSA-PKCS-v1.5) Supported Supported EC (ECDSA with Prime256-V1) Supported Not supported Stormshield recommends using 4096-bit RSA keys (at least 2048 bits) to be as secure as possible in this context.
-
RsaWithSha256, RsaWithSha384 and RsaWithSha512 for the hash.
It is specified in the ca.algorithms.hash configuration parameter of the config.json file.
For more information, refer to Configuring PKI.
CA properties
The certification authority of PKI does not support all attributes and extensions. Unsupported ones are ignored. The following sections list the supported properties and their expected behaviors.
Common properties
The second column of the tables contains the Objet Identifier (OID) corresponding to the property.
A Distinguished Name (DN) is the full identity of a certificate or CSR, and is composed of multiple attributes such as Country (C), Locality (L), Common Name (CN), etc.
The following Distinguished Name attributes are supported:
| DN attribute | OID |
|---|---|
| common name | 2.5.4.3 |
| surname | 2.5.4.4 |
| serial name | 2.5.4.5 |
| country name | 2.5.4.6 |
| locality name | 2.5.4.7 |
| state or province name | 2.5.4.8 |
| street address | 2.5.4.9 |
| organization name | 2.5.4.10 |
| organizational unit name | 2.5.4.11 |
| title | 2.5.4.12 |
| business category | 2.5.4.15 |
| postal code | 2.5.4.17 |
| telephone number | 2.5.4.20 |
| name | 2.5.4.41 |
| given name | 2.5.4.42 |
| initials | 2.5.4.43 |
| generation qualifier | 2.5.4.44 |
| unique identifier | 2.5.4.45 |
| distinguished name qualifier | 2.5.4.46 |
| pseudonym | 2.5.4.65 |
| email address | 1.2.840.113549.1.9.1 |
| user id | 0.9.2342.19200300.100.1.1 |
| domain component | 0.9.2342.19200300.100.1.25 |
| DN attribute | OID |
|---|---|
| common name | 2.5.4.3 |
| surname | 2.5.4.4 |
| serial name | 2.5.4.5 |
| country name | 2.5.4.6 |
| locality name | 2.5.4.7 |
| state or province name | 2.5.4.8 |
| street address | 2.5.4.9 |
| organization name | 2.5.4.10 |
| organizational unit name | 2.5.4.11 |
| title | 2.5.4.12 |
| business category | 2.5.4.15 |
| postal code | 2.5.4.17 |
| telephone number | 2.5.4.20 |
| name | 2.5.4.41 |
| given name | 2.5.4.42 |
| initials | 2.5.4.43 |
| generation qualifier | 2.5.4.44 |
| unique identifier | 2.5.4.45 |
| distinguished name qualifier | 2.5.4.46 |
| pseudonym | 2.5.4.65 |
| email address | 1.2.840.113549.1.9.1 |
| user id | 0.9.2342.19200300.100.1.1 |
| domain component | 0.9.2342.19200300.100.1.25 |
The following x509 v3 extensions are supported.
| Extension | OID |
|---|---|
| basic constraints | 2.5.29.19 |
| key usage | 2.5.29.15 |
| extended key usage | 2.5.29.37 |
| subject key identifier | 2.5.29.14 |
| subject alternative name | 2.5.29.17 |
| authority key identifier | 2.5.29.35 |
IMPORTANT
The CA of the PKI does not add its own extensions to the CSR during the certificate issuance process. It only keeps the CSR supported extensions. It is the administrator’s responsability to correctly set the required extensions in the CSR OpenSSL configuration.
The tables below indicate whether an extension sub-category is supported:
| Basic constraints | Supported/Not supported |
|---|---|
| CA: boolean |
Supported. Mandatory with value="true" for root certificates. |
| pathlen: number |
Supported. |
| critical:string |
Supported. Mandatory for root certificates. |
| Key usage | Supported/Not supported |
|---|---|
| decipherOnly | Supported |
| encipherOnly | Supported |
| digitalSignature | Supported |
| nonRepudiation | Supported |
| keyEncipherment | Supported |
| dataEncipherment | Supported |
| keyAgreement | Supported |
| keyCertSign | Supported |
| cRLSign | Supported |
| Extended key usage | Supported/Not supported |
|---|---|
| serverAuth | Supported |
| clientAuth | Supported |
| codeSigning | Not supported |
| emailProtection | Not supported |
| timeStamping | Not supported |
| OCSPSigning | Not supported |
| ipsecIKE | Not supported |
| msCodeInd | Not supported |
| msCodeCom | Not supported |
| msCTLSign | Not supported |
| msEFS | Not supported |
Other CSR-specific properties
Only mTLS-specific subject alternative names are supported. The others are ignored.
| Subject alternative names | Supported/Not supported |
|---|---|
| DNS | Supported |
| IP | Supported |
| Not supported | |
| RID | Not supported |
| dirName | Not supported |
| otherName | Not supported |
| Subject alternative names | Supported/Not supported |
|---|---|
| DNS | Supported |
| IP | Supported |
| Not supported | |
| RID | Not supported |
| dirName | Not supported |
| otherName | Not supported |