Supported Extensions
Below is a list of the extensions supported by AutoCSR:
OCSPNoCheck
Example
# ocsp_no_check_example.yaml
# Requests a CSR that carries the OCSPNoCheck extension (id-pkix-ocsp-nocheck).
OCSPNoCheckExtension:
  subject:
    common_name: OCSPNoCheck Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/ocsp_no_check_example.key
    create: True
  output_path: /tmp/ocsp_no_check_autocsr.csr
  extensions:
    # Clients skip revocation checks for a responder certificate carrying this
    # extension, so such certificates are normally kept short-lived.
    # RFC 6960 says the extension SHOULD be non-critical; review critical: True
    # before reusing this example.
    - critical: True
      extension_type: OCSPNoCheck
Protobuf Definition
// Extension kinds selected by name alone; the YAML example sets
// extension_type and no further fields.
enum ExtensionType {
  OCSPNoCheck = 0;
  PrecertPoison = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
ExtensionType extension_type = 2;
PrecertPoison
Example
# precert_poison_example.yaml
# Requests a CSR that carries the Certificate Transparency precertificate
# poison extension.
PrecertPoisonExtension:
  subject:
    common_name: PrecertPoison Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/precert_poison_example.key
    create: True
  output_path: /tmp/precert_poison_autocsr.csr
  extensions:
    # RFC 6962 defines the poison as a critical extension so that ordinary
    # X.509 clients refuse to validate a precertificate; critical: True
    # matches that.
    - critical: True
      extension_type: PrecertPoison
Protobuf Definition
// Extension kinds selected by name alone; the YAML example sets
// extension_type and no further fields.
enum ExtensionType {
  OCSPNoCheck = 0;
  PrecertPoison = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
ExtensionType extension_type = 2;
SubjectKeyIdentifier
Example
# subject_key_identifier_example.yaml
# Requests a CSR that carries a SubjectKeyIdentifier extension.
SubjectKeyIdentifierExtension:
  subject:
    common_name: SubjectKeyIdentifier Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/subject_key_identifier_example.key
    create: True
  output_path: /tmp/subject_key_identifier_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.2) requires CAs to mark subjectKeyIdentifier
    # non-critical; review critical: True before reusing this example.
    - critical: True
      subject_key_identifier:
        # Placeholder value; a real identifier is normally derived from the
        # public key.
        b64_digest: "dGVzdA=="  # Base64 of "test"
Protobuf Definition
// Key identifier supplied as a Base64 string (the YAML example passes the
// Base64 of "test").
message SubjectKeyIdentifier {
  string b64_digest = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
SubjectKeyIdentifier subject_key_identifier = 4;
BasicConstraints
Example
# basic_constraints_example.yaml
# Requests a CSR that carries a BasicConstraints extension with the CA flag.
BasicConstraintsExtension:
  subject:
    common_name: BasicConstraints Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/basic_constraints_example.key
    create: True
  output_path: /tmp/basic_constraints_autocsr.csr
  extensions:
    # RFC 5280 requires basicConstraints to be critical in CA certificates,
    # which critical: True matches.
    - critical: True
      basic_constraints:
        # ca: True asks for a certificate that may issue other certificates;
        # whoever approves the CSR should confirm that CA status is intended.
        ca: True
        # Limits how many further CA certificates may follow in a chain.
        # A small limit keeps the delegation narrow; 101 is a sample value.
        path_length: 101
Protobuf Definition
// CA flag plus an optional path length limit.
message BasicConstraints {
  bool ca = 1;
  // May be left unset; RFC 5280 gives it meaning only when ca is true.
  optional int32 path_length = 2;
}
// Field excerpt; the enclosing message is not shown on this page.
BasicConstraints basic_constraints = 5;
PolicyConstraints
Example
# policy_constraints_example.yaml
# Requests a CSR that carries a PolicyConstraints extension.
PolicyConstraintsExtension:
  subject:
    common_name: PolicyConstraints Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/policy_constraints_example.key
    create: True
  output_path: /tmp/policy_constraints_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.11) requires policyConstraints to be critical, which
    # critical: True matches.
    - critical: True
      policy_constraints:
        # inhibit_policy_mapping, the other optional field in the schema, is
        # left unset here.
        require_explicit_policy: 102
Protobuf Definition
// Two optional counters. RFC 5280 forbids an empty policyConstraints, so at
// least one of them has to be set.
message PolicyConstraints {
  optional int32 require_explicit_policy = 1;
  optional int32 inhibit_policy_mapping = 2;
}
// Field excerpt; the enclosing message is not shown on this page.
PolicyConstraints policy_constraints = 7;
CertificatePolicies
Example
# certificate_policies.yaml
# Requests a CSR that carries a CertificatePolicies extension with one policy,
# two string qualifiers and one user notice.
CertificatePoliciesExtension:
  subject:
    common_name: CertificatePolicies Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/certificate_policies_example.key
    create: True
  output_path: /tmp/certificate_policies_autocsr.csr
  extensions:
    # When certificatePolicies is critical, RFC 5280 has path validation
    # reject the certificate if it cannot interpret the policy information.
    - critical: True
      certificate_policies:
        policies:
          # "1.2.3.4" appears to be a placeholder OID; use the policy OID
          # assigned by the issuing CA.
          - policy_identifier: "1.2.3.4"
            string_qualifiers:
              - "test qualifier 1"
              - "test qualifier 2"
            user_qualifiers:
              - notice_reference:
                  organization: "test_org"
                  notice_numbers:
                    - 1
                    - 2
                    - 3
                explicit_text: "hello, test"
Protobuf Definition
// Organization name plus a list of notice numbers.
message NoticeReference {
  optional string organization = 1;
  repeated int32 notice_numbers = 2;
}
// A user notice; both parts are optional.
message UserNotice {
  optional NoticeReference notice_reference = 1;
  optional string explicit_text = 2;
}
// One policy: its identifier and any string or user-notice qualifiers.
message PolicyInformation {
  string policy_identifier = 1;
  repeated string string_qualifiers = 2;
  repeated UserNotice user_qualifiers = 3;
}
// The extension payload: a list of policies.
message CertificatePolicies {
  repeated PolicyInformation policies = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
CertificatePolicies certificate_policies = 8;
Extended Key Usage
Example
# extended_key_usage_example.yaml
# Requests a CSR that carries an ExtendedKeyUsage extension.
ExtendedKeyUsageExtension:
  subject:
    common_name: ExtendedKeyUsage Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/extended_key_usage_example.key
    create: True
  output_path: /tmp/extended_key_usage_autocsr.csr
  extensions:
    # RFC 5280 lets the issuer mark extendedKeyUsage critical or non-critical.
    - critical: True
      extended_key_usage:
        # The list mixes dotted OIDs with the name "serverAuth"; the two
        # dotted values appear to be placeholders. Request only the usages
        # the key actually needs.
        usages:
          - "1.2.3.4.5"
          - "2.4.3.2.111"
          - "serverAuth"
Protobuf Definition
// Usages are plain strings; the YAML example passes both dotted OIDs and the
// name "serverAuth".
message ExtendedKeyUsage {
  repeated string usages = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
ExtendedKeyUsage extended_key_usage = 9;
TLSFeature
Example
# tls_feature_example.yaml
# Requests a CSR that carries a TLSFeature extension.
TLSFeatureExtension:
  subject:
    common_name: TLSFeature Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/tls_feature_example.key
    create: True
  output_path: /tmp/tls_feature_autocsr.csr
  extensions:
    # RFC 7633 says the TLS feature extension SHOULD NOT be marked critical;
    # review critical: True before reusing this example.
    - critical: True
      tls_feature:
        # status_request is the OCSP stapling ("must-staple") feature, so the
        # server using the certificate has to staple OCSP responses.
        features:
          - "status_request"
          - "status_request_v2"
Protobuf Definition
// Values 5 and 17 match the IANA TLS extension numbers for status_request
// and status_request_v2; 0 is an entry named unused.
enum TLSFeatureType {
  unused = 0;
  status_request = 5;
  status_request_v2 = 17;
}
// The extension payload: a list of TLS features.
message TLSFeature {
  repeated TLSFeatureType features = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
TLSFeature tls_feature = 10;
InhibitAnyPolicy
Example
# inhibit_any_policy_example.yaml
# Requests a CSR that carries an InhibitAnyPolicy extension.
InhibitAnyPolicyExtension:
  subject:
    common_name: InhibitAnyPolicy Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/inhibit_any_policy_example.key
    create: True
  output_path: /tmp/inhibit_any_policy_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.14) requires inhibitAnyPolicy to be critical, which
    # critical: True matches.
    - critical: True
      inhibit_any_policy:
        skip_certs: 103
Protobuf Definition
// A single required counter, skip_certs.
message InhibitAnyPolicy {
  int32 skip_certs = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
InhibitAnyPolicy inhibit_any_policy = 11;
KeyUsage
Example
# key_usage_example.yaml
# Requests a CSR that carries a KeyUsage extension with every bit spelled out.
KeyUsageExtension:
  subject:
    common_name: KeyUsage Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/key_usage_example.key
    create: True
  output_path: /tmp/key_usage_autocsr.csr
  extensions:
    # RFC 5280 says keyUsage SHOULD be critical when present.
    - critical: True
      key_usage:
        # The bits below simply alternate True/False and are not a
        # recommended profile; enable only the usages the key needs.
        digital_signature: True
        content_commitment: False
        key_encipherment: True
        data_encipherment: False
        key_agreement: True
        key_cert_sign: False
        crl_sign: True
        # RFC 5280 defines these two bits only in combination with
        # key_agreement.
        encipher_only: False
        decipher_only: True
Protobuf Definition
// One bool per key usage bit.
message KeyUsage {
  bool digital_signature = 1;
  bool content_commitment = 2;
  bool key_encipherment = 3;
  bool data_encipherment = 4;
  bool key_agreement = 5;
  bool key_cert_sign = 6;
  bool crl_sign = 7;
  bool encipher_only = 8;
  bool decipher_only = 9;
}
// Field excerpt; the enclosing message is not shown on this page.
KeyUsage key_usage = 12;
SubjectInformationAccess
Example
# subject_information_access_example.yaml
# Requests a CSR that carries a SubjectInformationAccess extension with one
# access description.
SubjectInformationAccessExtension:
  subject:
    common_name: SubjectInformationAccess Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/subject_information_access_example.key
    create: True
  output_path: /tmp/subject_information_access_autocsr.csr
  extensions:
    # RFC 5280 (4.2.2.2) requires subjectInfoAccess to be non-critical;
    # review critical: True before reusing this example.
    - critical: True
      subject_information_access:
        descriptions:
          # "1.9.5.6" appears to be a placeholder access-method OID.
          - access_method: "1.9.5.6"
            access_location:
              ip_address:
                value: "11.22.33.44"
Protobuf Definition
// A name attribute given as an OID string and a value.
message NameAttribute {
  string oid = 1;
  string value = 2;
}
// A name as a list of attributes.
message Name {
  repeated NameAttribute attributes = 1;
}
// Wrapper messages, one per GeneralName form. All values are plain strings,
// so this schema alone does not constrain their format.
message RFC822Name {
  string value = 1;
}
message DNSName {
  string value = 1;
}
message UniformResourceIdentifier {
  string value = 1;
}
message DirectoryName {
  Name value = 1;
}
message RegisteredID {
  string oid = 1;
}
message IPAddress {
  string value = 1;
}
message OtherName {
  string oid = 1;
  string b64_value = 2;  // presumably Base64-encoded bytes; confirm
}
// At most one name form can be set per GeneralName (protobuf oneof).
message GeneralName {
  oneof name {
    RFC822Name rfc_822_name = 1;
    DNSName dns_name = 2;
    UniformResourceIdentifier uniform_resource_identifier = 3;
    DirectoryName directory_name = 4;
    RegisteredID registered_id = 5;
    IPAddress ip_address = 6;
    OtherName other_name = 7;
  }
}
// An access method OID string paired with the location it refers to.
message AccessDescription {
  string access_method = 1;
  GeneralName access_location = 2;
}
// The extension payload: a list of access descriptions.
message SubjectInformationAccess {
  repeated AccessDescription descriptions = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
SubjectInformationAccess subject_information_access = 20;
CRLDistributionPoints
Example
# crl_distribution_points_example.yaml
# Requests a CSR that carries a CRLDistributionPoints extension with one
# distribution point.
CRLDistributionPointsExtension:
  subject:
    common_name: CRLDistributionPoints Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/crl_distribution_points_example.key
    create: True
  output_path: /tmp/crl_distribution_points_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.13) says cRLDistributionPoints SHOULD be non-critical;
    # review critical: True before reusing this example.
    - critical: True
      crl_distribution_points:
        distribution_points:
          # The name and issuer values below are placeholder strings, not
          # locations a relying party could fetch a CRL from.
          - relative_name:
              attributes:
                - oid: "1.8.8.8"
                  value: "relative_name"
            reasons:
              - "superseded"
              - "ca_compromise"
            crl_issuer:
              - dns_name:
                  value: "crl_issuer"
Protobuf Definition
// A name attribute given as an OID string and a value.
message NameAttribute {
  string oid = 1;
  string value = 2;
}
// A name as a list of attributes.
message Name {
  repeated NameAttribute attributes = 1;
}
// Wrapper messages, one per GeneralName form. All values are plain strings,
// so this schema alone does not constrain their format.
message RFC822Name {
  string value = 1;
}
message DNSName {
  string value = 1;
}
message UniformResourceIdentifier {
  string value = 1;
}
message DirectoryName {
  Name value = 1;
}
message RegisteredID {
  string oid = 1;
}
message IPAddress {
  string value = 1;
}
message OtherName {
  string oid = 1;
  string b64_value = 2;  // presumably Base64-encoded bytes; confirm
}
// At most one name form can be set per GeneralName (protobuf oneof).
message GeneralName {
  oneof name {
    RFC822Name rfc_822_name = 1;
    DNSName dns_name = 2;
    UniformResourceIdentifier uniform_resource_identifier = 3;
    DirectoryName directory_name = 4;
    RegisteredID registered_id = 5;
    IPAddress ip_address = 6;
    OtherName other_name = 7;
  }
}
// Reason names accepted in a distribution point's reasons list; the YAML
// example uses superseded and ca_compromise.
enum ReasonFlags {
  unspecified = 0;
  key_compromise = 1;
  ca_compromise = 2;
  affiliation_changed = 3;
  superseded = 4;
  cessation_of_operation = 5;
  certificate_hold = 6;
  privilege_withdrawn = 7;
  aa_compromise = 8;
  remove_from_crl = 9;
}
// One distribution point. RFC 5280 does not allow a point that consists of
// the reasons field alone.
message DistributionPoint {
  repeated GeneralName full_name = 1;
  optional Name relative_name = 2;
  repeated ReasonFlags reasons = 3;
  repeated GeneralName crl_issuer = 4;
}
// The extension payload: a list of distribution points.
message CRLDistributionPoints {
  repeated DistributionPoint distribution_points = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
CRLDistributionPoints crl_distribution_points = 21;
FreshestCRL
Example
# freshest_crl_example.yaml
# Requests a CSR that carries a FreshestCRL (delta CRL distribution point)
# extension with one distribution point.
FreshestCRLExtension:
  subject:
    common_name: FreshestCRL Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/freshest_crl_example.key
    create: True
  output_path: /tmp/freshest_crl_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.15) requires freshestCRL to be non-critical; review
    # critical: True before reusing this example.
    - critical: True
      freshest_crl:
        distribution_points:
          # The name and issuer values below are placeholder strings, not
          # locations a relying party could fetch a CRL from.
          - relative_name:
              attributes:
                - oid: "1.8.8.8"
                  value: "relative_name"
            reasons:
              - "superseded"
              - "ca_compromise"
            crl_issuer:
              - dns_name:
                  value: "crl_issuer"
Protobuf Definition
// A name attribute given as an OID string and a value.
message NameAttribute {
  string oid = 1;
  string value = 2;
}
// A name as a list of attributes.
message Name {
  repeated NameAttribute attributes = 1;
}
// Wrapper messages, one per GeneralName form. All values are plain strings,
// so this schema alone does not constrain their format.
message RFC822Name {
  string value = 1;
}
message DNSName {
  string value = 1;
}
message UniformResourceIdentifier {
  string value = 1;
}
message DirectoryName {
  Name value = 1;
}
message RegisteredID {
  string oid = 1;
}
message IPAddress {
  string value = 1;
}
message OtherName {
  string oid = 1;
  string b64_value = 2;  // presumably Base64-encoded bytes; confirm
}
// At most one name form can be set per GeneralName (protobuf oneof).
message GeneralName {
  oneof name {
    RFC822Name rfc_822_name = 1;
    DNSName dns_name = 2;
    UniformResourceIdentifier uniform_resource_identifier = 3;
    DirectoryName directory_name = 4;
    RegisteredID registered_id = 5;
    IPAddress ip_address = 6;
    OtherName other_name = 7;
  }
}
// Reason names accepted in a distribution point's reasons list; the YAML
// example uses superseded and ca_compromise.
enum ReasonFlags {
  unspecified = 0;
  key_compromise = 1;
  ca_compromise = 2;
  affiliation_changed = 3;
  superseded = 4;
  cessation_of_operation = 5;
  certificate_hold = 6;
  privilege_withdrawn = 7;
  aa_compromise = 8;
  remove_from_crl = 9;
}
// One distribution point. RFC 5280 does not allow a point that consists of
// the reasons field alone.
message DistributionPoint {
  repeated GeneralName full_name = 1;
  optional Name relative_name = 2;
  repeated ReasonFlags reasons = 3;
  repeated GeneralName crl_issuer = 4;
}
// The extension payload: a list of distribution points.
message FreshestCRL {
  repeated DistributionPoint distribution_points = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
FreshestCRL freshest_crl = 22;
NameConstraints
Example
# name_constraints_example.yaml
# Requests a CSR that carries a NameConstraints extension with one permitted
# and two excluded subtrees.
NameConstraintsExtension:
  subject:
    common_name: NameConstraints Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/name_constraints_example.key
    create: True
  output_path: /tmp/name_constraints_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.10) allows nameConstraints only in CA certificates and
    # requires it to be critical, which critical: True matches.
    - critical: True
      name_constraints:
        # The dns_name values are placeholder strings rather than DNS domains
        # (one contains a space); real constraints name the exact subtrees.
        permitted_subtrees:
          - dns_name:
              value: "permitted_subtrees"
        excluded_subtrees:
          - dns_name:
              value: "excluded_subtrees"
          - dns_name:
              value: "other excluded_subtrees"
Protobuf Definition
// A name attribute given as an OID string and a value.
message NameAttribute {
  string oid = 1;
  string value = 2;
}
// A name as a list of attributes.
message Name {
  repeated NameAttribute attributes = 1;
}
// Wrapper messages, one per GeneralName form. All values are plain strings,
// so this schema alone does not constrain their format.
message RFC822Name {
  string value = 1;
}
message DNSName {
  string value = 1;
}
message UniformResourceIdentifier {
  string value = 1;
}
message DirectoryName {
  Name value = 1;
}
message RegisteredID {
  string oid = 1;
}
message IPAddress {
  string value = 1;
}
message OtherName {
  string oid = 1;
  string b64_value = 2;  // presumably Base64-encoded bytes; confirm
}
// At most one name form can be set per GeneralName (protobuf oneof).
message GeneralName {
  oneof name {
    RFC822Name rfc_822_name = 1;
    DNSName dns_name = 2;
    UniformResourceIdentifier uniform_resource_identifier = 3;
    DirectoryName directory_name = 4;
    RegisteredID registered_id = 5;
    IPAddress ip_address = 6;
    OtherName other_name = 7;
  }
}
// The extension payload: lists of permitted and excluded name subtrees.
message NameConstraints {
  repeated GeneralName permitted_subtrees = 1;
  repeated GeneralName excluded_subtrees = 2;
}
// Field excerpt; the enclosing message is not shown on this page.
NameConstraints name_constraints = 23;
SubjectAlternativeName
Example
# subject_alternative_name_example.yaml
# Requests a CSR that carries a SubjectAlternativeName extension with two
# DNS names.
SubjectAlternativeNameExtension:
  subject:
    common_name: SubjectAlternativeName Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/subject_alternative_name_example.key
    create: True
  output_path: /tmp/subject_alternative_name_autocsr.csr
  extensions:
    # With a non-empty subject, RFC 5280 (4.2.1.6) says subjectAltName SHOULD
    # be non-critical; review critical: True before reusing this example.
    - critical: True
      subject_alternative_name:
        # The values contain spaces, so they are placeholders rather than
        # host names. A CA is expected to validate every requested name
        # before issuing.
        general_names:
          - dns_name:
              value: "first alternative name"
          - dns_name:
              value: "second alternative name"
Protobuf Definition
// A name attribute given as an OID string and a value.
message NameAttribute {
  string oid = 1;
  string value = 2;
}
// A name as a list of attributes.
message Name {
  repeated NameAttribute attributes = 1;
}
// Wrapper messages, one per GeneralName form. All values are plain strings,
// so this schema alone does not constrain their format.
message RFC822Name {
  string value = 1;
}
message DNSName {
  string value = 1;
}
message UniformResourceIdentifier {
  string value = 1;
}
message DirectoryName {
  Name value = 1;
}
message RegisteredID {
  string oid = 1;
}
message IPAddress {
  string value = 1;
}
message OtherName {
  string oid = 1;
  string b64_value = 2;  // presumably Base64-encoded bytes; confirm
}
// At most one name form can be set per GeneralName (protobuf oneof).
message GeneralName {
  oneof name {
    RFC822Name rfc_822_name = 1;
    DNSName dns_name = 2;
    UniformResourceIdentifier uniform_resource_identifier = 3;
    DirectoryName directory_name = 4;
    RegisteredID registered_id = 5;
    IPAddress ip_address = 6;
    OtherName other_name = 7;
  }
}
// The extension payload: a list of alternative names.
// NOTE(review): unlike the other sections on this page, no field declaration
// for subject_alternative_name follows this message; confirm its field
// number against the .proto file.
message SubjectAlternativeName {
  repeated GeneralName general_names = 1;
}
IssuerAlternativeName
Example
# issuer_alternative_name_example.yaml
# Requests a CSR that carries an IssuerAlternativeName extension with two
# DNS names.
IssuerAlternativeNameExtension:
  subject:
    common_name: IssuerAlternativeName Example
  key_info:
    # Demo path. /tmp is shared and usually world-writable; store a real
    # private key in a directory that only its owner can access.
    key_path: /tmp/issuer_alternative_name_example.key
    create: True
  output_path: /tmp/issuer_alternative_name_autocsr.csr
  extensions:
    # RFC 5280 (4.2.1.7) says issuerAltName SHOULD be non-critical; review
    # critical: True before reusing this example.
    - critical: True
      issuer_alternative_name:
        # The values contain spaces, so they are placeholders rather than
        # host names.
        general_names:
          - dns_name:
              value: "first issuer alternative name"
          - dns_name:
              value: "second issuer alternative name"
Protobuf Definition
// A name attribute given as an OID string and a value.
message NameAttribute {
  string oid = 1;
  string value = 2;
}
// A name as a list of attributes.
message Name {
  repeated NameAttribute attributes = 1;
}
// Wrapper messages, one per GeneralName form. All values are plain strings,
// so this schema alone does not constrain their format.
message RFC822Name {
  string value = 1;
}
message DNSName {
  string value = 1;
}
message UniformResourceIdentifier {
  string value = 1;
}
message DirectoryName {
  Name value = 1;
}
message RegisteredID {
  string oid = 1;
}
message IPAddress {
  string value = 1;
}
message OtherName {
  string oid = 1;
  string b64_value = 2;  // presumably Base64-encoded bytes; confirm
}
// At most one name form can be set per GeneralName (protobuf oneof).
message GeneralName {
  oneof name {
    RFC822Name rfc_822_name = 1;
    DNSName dns_name = 2;
    UniformResourceIdentifier uniform_resource_identifier = 3;
    DirectoryName directory_name = 4;
    RegisteredID registered_id = 5;
    IPAddress ip_address = 6;
    OtherName other_name = 7;
  }
}
// The extension payload: a list of alternative names.
message IssuerAlternativeName {
  repeated GeneralName general_names = 1;
}
// Field excerpt; the enclosing message is not shown on this page.
IssuerAlternativeName issuer_alternative_name = 25;