000024072 - What is the difference between a critical and non-critical extension?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000024072
Applies To: Keon Certificate Authority, RSA Certificate Manager
Issue: What is the difference between a critical and non-critical extension?
Not sure if Critical or non-critical should be selected when issuing a certificate
Resolution: Certificate extensions are used by the user of a certificate. For example, with a web server SSL certificate, the user of the certificate is the browser accessing the SSL web site: Internet Explorer, Firefox, Opera, etc.

According to the X.509 standard, the user of a certificate should reject the certificate if an extension is flagged as critical and is not recognized. If the extension is flagged as non-critical and is also not recognized, the application may decide to accept the certificate anyway.

As an example, most browsers will recognize major extensions like KeyUsage, so it is a good practice to leave this extension as critical.
Legacy Article ID: a38418
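
The rule described in the Resolution, seen from the certificate user's side. This is an added example, not part of the original article or of any RSA product: Go's standard crypto/x509 package plays the certificate user, and the OID, subject name and function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var unknownOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1} // constructed OID no certificate user recognizes

// issueSelfSigned builds a throwaway certificate carrying the unknown extension.
func issueSelfSigned(critical bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test-cert"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // an extension the library does recognize
		ExtraExtensions: []pkix.Extension{{Id: unknownOID, Critical: critical, Value: []byte{0x05, 0x00}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify plays the certificate user, trusting the certificate itself as the only root.
func verify(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	for _, critical := range []bool{true, false} {
		if cert, err := issueSelfSigned(critical); err == nil {
			fmt.Printf("critical=%v -> verify error: %v\n", critical, verify(cert))
		}
	}
}
```

The parser records the unrecognized critical OID in `UnhandledCriticalExtensions`, and `Verify` rejects the certificate until the application handles that extension itself; the same extension flagged non-critical is ignored and the certificate is accepted.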
