Skip to content

Bring profiles into the modern day #307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Bring profiles into the modern day #307

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
be0fc31
Bring profiles into the modern day
aarongable Oct 15, 2025
9787631
Review comments
aarongable Nov 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
157 changes: 109 additions & 48 deletions CP-CPS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -988,54 +988,115 @@ See [Section 5.5.5](#555-requirements-for-time-stamping-of-records).

## 7.1 Certificate profile

All fields are as specified in RFC 5280 and the Baseline Requirements, including fields and extensions not specifically mentioned.

### Root CA Certificate

| Field or extension | Value |
| ------------------------------ | ------------------------------------------------------------------------|
| Serial Number | Unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | C=US, O=Internet Security Research Group or O=ISRG, and a meaningful CN |
| Subject Distinguished Name | Same as Issuer DN |
| Validity Period | Up to 25 years |
| Basic Constraints | cA=True, pathLength constraint absent (critical) |
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
| Key Usage | keyCertSign, cRLSign (critical) |

### Subordinate CA Certificate

| Field or extension | Value |
| ------------------------------ | ----------------------------------------------------------------------------- |
| Serial Number | Unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | Derived from Issuer certificate |
| Subject Distinguished Name | C=US, O=Let's Encrypt, and a meaningful CN |
| Validity Period | Up to 8 years |
| Basic Constraints | cA=True, pathLength constraint 0 (critical) |
| Key Usage | keyCertSign, cRLSign, digitalSignature (critical) |
| Extended Key Usage | TLS Server Authentication and optionally TLS Client Authentication |
| Certificate Policies | CAB Forum Domain Validated (2.23.140.1.2.1) |
| Authority Information Access | Contains CA Issuers URL and optionally an OCSP URL; URLs vary based on Issuer |
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
| CRL Distribution Points | Contains a CRL URL; URL varies based on Issuer |

### DV-SSL Subscriber Certificate

| Field or extension | Value |
| --------------------------------- | --------------------------------------------------------------------------------- |
| Serial Number | Unique, with 64 bits of output from a CSPRNG |
| Issuer Distinguished Name | Derived from Issuer certificate |
| Subject Distinguished Name | CN=none, or one of the values from the Subject Alternative Name extension |
| Validity Period | Up to 100 days |
| Basic Constraints | cA=False (critical) |
| Key Usage | digitalSignature, and optionally keyEncipherment (critical) |
| Extended Key Usage | TLS Server Authentication and optionally TLS Client Authentication |
| Certificate Policies | CAB Forum Domain Validated (2.23.140.1.2.1) |
| Authority Information Access | Contains CA Issuers URL and optionally an OCSP URL; URLs vary based on Issuer |
| Subject Public Key | See Sections 6.1.5, 6.1.6, and 7.1.3.1 |
| Subject Alternative Name | A sequence of 1 to 100 dNSNames or ipAddresses (critical if no CN) |
| Precertificate poison | Per RFC 6962 (precertificates only, critical) |
| Signed Certificate Timestamp List | Per RFC 6962 (final certificates only) |
| CRL Distribution Point | If present, contains a URI to the CRL shard whose scope includes this certificate |
All certificates issued by ISRG are issued in accordance with exactly one of the following profiles.

### Root CA Certificate Profile

| **Field** | **Description** |
| ---- | ------ |
| `tbsCertificate` | |
|     `version` | See [Section 7.1.1](#711-version-numbers) |
|     `serialNumber` | Approximately 128 bits, including at least 64 bits of output from a CSPRNG |
|     `signature` | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
|     `issuer` | Byte-for-byte identical to the `subject` field |
|     `validity` | At most 9132 days |
|     `subject` | C=US, O=ISRG, and a unique CN |
|     `subjectPublicKeyInfo` | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
|     `issuerUniqueID` | Not present |
|     `subjectUniqueID` | Not present |
|     `extensions` | |
|         `basicConstraints` | Critical, with `cA` set to true |
|         `keyUsage` | Critical, with the `keyCertSign` (5) and `cRLSign` (6) bits set |
|         `subjectKeyIdentifier` | Contains a truncated hash of the `subjectPublicKey`, per Section 2(1) of RFC 7093 |
|         Any other extension | Not present |
| `signatureAlgorithm` | Byte-for-byte identical to the `tbsCertificate.signature` |
| `signatureValue` | A signature appropriate to the `signatureAlgorithm` field |

### Cross-Certified Subordinate CA Certificate Profile

| **Field** | **Description** |
| ---- | ------ |
| `tbsCertificate` | |
|     `version` | See [Section 7.1.1](#711-version-numbers) |
|     `serialNumber` | Approximately 128 bits, including at least 64 bits of output from a CSPRNG |
|     `signature` | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
|     `issuer` | Byte-for-byte identical to the `subject` field of the Issuing CA |
|     `validity` | At most 8 years |
|     `subject` | Byte-for-byte identical to the `subject` field of the existing CA Certificate |
|     `subjectPublicKeyInfo` | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
|     `issuerUniqueID` | Not present |
|     `subjectUniqueID` | Not present |
|     `extensions` | |
|         `authorityInformationAccess` | Contains the HTTP URI of the Issuing CA's Certificate |
|         `authorityKeyIdentifier` | Byte-for-byte identical to the `subjectKeyIdentifier` of the Issuing CA |
|         `basicConstraints` | Critical, with `cA` set to true |
|         `certificatePolicies` | Contains the Baseline Requirements Domain Validated Reserved Policy Identifier (OID 2.23.140.1.2.1) |
|         `crlDistributionPoints` | Contains the HTTP URI of a CRL issued by the Issuing CA |
|         `keyUsage` | Critical, with the `keyCertSign` (5) and `cRLSign` (6) bits set |
|         `subjectKeyIdentifier` | Byte-for-byte identical to the `subjectKeyIdentifier` of the existing CA Certificate |
|         Any other extension | Not present |
| `signatureAlgorithm` | Byte-for-byte identical to the `tbsCertificate.signature` |
| `signatureValue` | A signature appropriate to the `signatureAlgorithm` field |

### TLS Subordinate CA Certificate Profile

| **Field** | **Description** |
| ---- | ------ |
| `tbsCertificate` | |
|     `version` | See [Section 7.1.1](#711-version-numbers) |
|     `serialNumber` | Approximately 128 bits, including at least 64 bits of output from a CSPRNG |
|     `signature` | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
|     `issuer` | Byte-for-byte identical to the `subject` field of the Issuing CA |
|     `validity` | At most 8 years |
|     `subject` | C=US, O=Let's Encrypt, and a unique CN |
|     `subjectPublicKeyInfo` | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
|     `issuerUniqueID` | Not present |
|     `subjectUniqueID` | Not present |
|     `extensions` | |
|         `authorityInformationAccess` | Contains the HTTP URI of the Issuing CA's Certificate |
|         `authorityKeyIdentifier` | Byte-for-byte identical to the `subjectKeyIdentifier` of the Issuing CA |
|         `basicConstraints` | Critical, with `cA` set to true and `pathLenConstraint` set to 0 |
|         `certificatePolicies` | Contains the Baseline Requirements Domain Validated Reserved Policy Identifier (OID 2.23.140.1.2.1) |
|         `crlDistributionPoints` | Contains the HTTP URI of a CRL issued by the Issuing CA |
|         `extKeyUsage` | Contains `id-kp-serverAuth` (OID 1.3.6.1.5.5.7.3.1) |
|         `keyUsage` | Critical, with the `digitalSignature` (0), `keyCertSign` (5), and `cRLSign` (6) bits set |
|         `subjectKeyIdentifier` | Contains a truncated hash of the `subjectPublicKey`, per Section 2(1) of RFC 7093 |
|         Any other extension | Not present |
| `signatureAlgorithm` | Byte-for-byte identical to the `tbsCertificate.signature` |
| `signatureValue` | A signature appropriate to the `signatureAlgorithm` field |

### Subscriber (Server) Certificate Profile

| **Field** | **Description** |
| ---- | ------ |
| `tbsCertificate` | |
|     `version` | See [Section 7.1.1](#711-version-numbers) |
|     `serialNumber` | Approximately 144 bits, including at least 64 bits of output from a CSPRNG |
|     `signature` | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
|     `issuer` | Byte-for-byte identical to the `subject` field of the Issuing CA |
|     `validity` | At most 100 days |
|     `subject` | CN omitted, or optionally contains one of the values from the Subject Alternative Name extension |
|     `subjectPublicKeyInfo` | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
|     `issuerUniqueID` | Not present |
|     `subjectUniqueID` | Not present |
|     `extensions` | |
|         `authorityInformationAccess` | Contains the HTTP URI of the Issuing CA's Certificate |
|         `authorityKeyIdentifier` | Byte-for-byte identical to the `subjectKeyIdentifier` of the Issuing CA |
|         `basicConstraints` | Critical, with `cA` set to false |
|         `certificatePolicies` | Contains the Baseline Requirements Domain Validated Reserved Policy Identifier (OID 2.23.140.1.2.1) |
|         `crlDistributionPoints` | Contains the HTTP URI of a CRL issued by the Issuing CA |
|         `extKeyUsage` | Contains `id-kp-serverAuth` (OID 1.3.6.1.5.5.7.3.1), and optionally `id-kp-clientAuth` (OID 1.3.6.1.5.5.7.3.2) |
|         `keyUsage` | Critical, with the `digitalSignature` (0) bit set, and optionally the `keyEnciperment` (2) bit set |
|         `SignedCertificateTimestampList` | Contains at least two SCTs from logs run by different operators |
|         `subjectAltName` | A sequence of 1 to 100 names of type `dNSName` or `ipAddress` (critical if CN omitted) |
|         `subjectKeyIdentifier` | Optionally contains a truncated hash of the `subjectPublicKey`, per Section 2(1) of RFC 7093 |
|         Any other extension | Not present |
| `signatureAlgorithm` | Byte-for-byte identical to the `tbsCertificate.signature` |
| `signatureValue` | A signature appropriate to the `signatureAlgorithm` field |

### Precertificate Profile

Identical to the Subscriber (Server) Certificate Profile, except that the `SignedCertificateTimestampList` extension is omitted, and a critical "CT poison" extension (OID 1.3.6.1.4.1.11129.2.4.3) is included. ISRG Precertificates are issued directly by the Issuing CA, not by a delegated Precertificate Signing CA.

### 7.1.1 Version number(s)

Expand Down
Loading