×

Orchestrate your PKI infrastructure and streamline security for your public key certificates.

Learn More


    Introduction to Certificate Extension - Basic Constraints

    Blog Post - Introduction to Certificate Extension - Basic Constraints
    16 Jan 2021

    Certificate Extensions – Basic Constraints

    Read time: 5 min

    Certificate extensions are an integral part of the certificate structure as per X.509 standard for public key certificates. This structure is expressed in a formal language called Abstract Syntax Notation One (ASN.1).

    There are a number of certificate extensions in the structure of a certificate. In this article, we will discuss the Basic Constraints certificate extensions. The details corresponding to Basic Constraints can be found in the following RFC:
    www.tools.ietf.org/html/rfc5280#section-4.2.1.9

    The Basic Constraints certificate extension has the following ASN.1 structure as per the RFC standard:

    id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

       BasicConstraints ::= SEQUENCE {

            cA                      BOOLEAN DEFAULT FALSE,

            pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

    The X.500 was the first version where it was not possible to identify the certificate subject/holder in the structure. Later came, X.509 standard structure which was improved to identify the subject. The following fields can be found in the Basic Constraints structure:
    1. Subject Type
    2. Path Length
    Subject type denotes the holder of the certificate and it can be of two types:
    1. CA Certificate

      The holder of this certificate is a CA

    2. End Entity

      The holder of this certificate is an End Entity like domain/organization etc.

    Path Length (although an optional field) denotes how many CA’s there are under a CA. For example, a CA with a Path length constraint of 0 cannot have any subordinate CAs which can issue certificates to other end entities.

    Let’s discuss Subject types as CA Certificates.

    CA certificates are used for the following purposes:
    1. To sign certificates used in HTTPS and CRLs
    2. To validate/authenticate the signatures on issued certificates
    Basic Constraints for a CA certificate can be found in the following way
    1. Open any SSL/TLS based url in the browser
    2. Click on the “Pad lock” icon
    3. Click on “Certificate”
    4. Click on “Details”
    5. Select “Basic Constraints”
    Subject Type as CA - Introduction to Certificate Extension - Basic Constraints
    From the above CA screen shot, we can clearly see that the Subject type is given as “CA” and there is no defined path length for the certificate. This means that the certificate holder is the CA and unlimited certificates are allowed in the certificate chain under this CA.
    The “certificate chain” for a certificate can be found in the following way:
    1. Open any SSL/TLS based url in the browser
    2. Click on the “Pad lock” icon
    3. Click on “Certificate”
    4. Click on “Certification Path”
    Certification Path - Introduction to Certificate Extension - Basic Constraints
    From the certification chain in the screen shot, it is clear that there are 3 certificates in the chain. The first two certificates are CA certificates and the third certificate is the end entity certificate, as CA certificates are those at the top of the order and the last certificate in the chain belongs to an end entity.

    Let’s discuss Subject types as End Entity Certificates

    End entity certificates are used to authenticate end entities (user, device, domain etc.) to clients including: TLS, S/MIME, and encryption certificates. The End Entity certificates can be found in the following way:
    1. Open any SSL/TLS based url in the browser
    2. Click on the “Pad lock” icon
    3. Click on “Certificate”
    4. 4.Click on “Details”
    Subject Type as End Entity - Introduction to Certificate Extension - Basic Constraints
    In the screen shot, we can observe that the “Subject Type” field is “End Entity” and the path length field “None” implies that this certificate cannot be used to issue/sign other certificates. Also, if Basic Constraint is not included in the certificate structure, the certificate is, by default, meant to be an End Entity certificate.

    Let’s discuss Path Length with the below image

    Path Length of Basic Constraints
    In the above certificate chain diagram, the first certificate specifies a path length constraint 2 which means there could be a maximum of 2 CA certificates under this certificate, other than the end entity certificate.
    Next in the hierarchy, the second certificate specifies the path length constraint 1. This condition also holds true because there is only one CA certificate under this certificate.
    The third certificate in the list specifies the path length constraint 0. This condition holds true as there is no CA certificate under this certificate.
    The path length constraint restriction is not applicable to the final certificate, as it is an end entity certificate.

    Conclusion

    The Basic Constraint certificate extension is critical in restricting any End Entity certificate to issue/sign any other certificates, as this is a violation of the Basic Constraints certificate extension. Only certificates issued with “Subject Type” as “CA” and with the “Path Length” attribute would be able to issue/sign other certificates.
    build your own customized PKI infrastructure.

    Want to learn from PKI Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get a Free Quote for your PKI services

    Free Downloads for PKI services