|
|
|
@ -126,12 +126,19 @@ The class 3 certificate must contain the following fields:
|
|
|
|
|
- [Extended Key Usage](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12):
|
|
|
|
|
`server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage`
|
|
|
|
|
|
|
|
|
|
*Note:* this will not be sufficient to fulfill the
|
|
|
|
|
[Google requirements for S/MIME certificates](https://support.google.com/a/answer/7300887)
|
|
|
|
|
|
|
|
|
|
- [CRL Distribution Points](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.13):
|
|
|
|
|
http://crl.cacert.org/class3-revoke.crl
|
|
|
|
|
|
|
|
|
|
*Note:* CRL URLs must use the http URL scheme
|
|
|
|
|
|
|
|
|
|
- [Authority Information Access](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1):
|
|
|
|
|
|
|
|
|
|
- CA issuers: https://www.cacert.org/certs/root_X0F.der
|
|
|
|
|
- CA issuers: http://www.cacert.org/certs/root_X0F.der
|
|
|
|
|
|
|
|
|
|
Reference the Root CA certificate's canonical DER URL
|
|
|
|
|
- OCSP: URI:http://ocsp.cacert.org/
|
|
|
|
|
|
|
|
|
|
*Note:* CA issuers and OCSP URLs must use the http URL scheme
|
|
|
|
|