RFC compliance - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

RFC compliance

Amazon Private CA does not enforce certain constraints defined in RFC 5280. The reverse situation is also true: Certain additional constraints appropriate to a private CA are enforced.

Enforced

  • Not After date. In conformity with RFC 5280, Amazon Private CA prevents the issuance of certificates bearing a Not After date later than the Not After date of the issuing CA's certificate.

  • Basic constraints. Amazon Private CA enforces basic constraints and path length in imported CA certificates.

    Basic constraints indicate whether or not the resource identified by the certificate is a CA and can issue certificates. CA certificates imported to Amazon Private CA must include the basic constraints extension, and the extension must be marked critical. In addition to the critical flag, CA=true must be set. Amazon Private CA enforces basic constraints by failing with a validation exception for the following reasons:

    • The extension is not included in the CA certificate.

    • The extension is not marked critical.

    Path length (pathLenConstraint) determines how many subordinate CAs may exist downstream from the imported CA certificate. Amazon Private CA enforces path length by failing with a validation exception for the following reasons:

    • Importing a CA certificate would violate the path length constraint in the CA certificate or in any CA certificate in the chain.

    • Issuing a certificate would violate a path length constraint.

  • Name constraints. Name constraints indicate a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions apply to the subject distinguished name and subject alternative names.
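As an added example (not Amazon's code), the following stdlib-only Python check reproduces the basic-constraints and path-length rules above so a CA certificate can be vetted before import. It assumes the caller has already extracted the DER-encoded Extensions SEQUENCE from the certificate; the sample input is constructed in code, not taken from a real certificate.

```python
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints (2.5.29.19)
def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    out, pos = [], 0  # (tag, value) members of a SEQUENCE body
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def check_basic_constraints(extensions_der):
    """Return (accepted, reason, path_len) for a DER Extensions SEQUENCE."""
    for _, ext in _children(_tlv(extensions_der, 0)[1]):
        fields = _children(ext)  # extnID, optional critical BOOLEAN, extnValue
        if fields[0][1] != OID_BASIC_CONSTRAINTS:
            continue
        critical = len(fields) == 3 and fields[1][1] == b"\xff"  # DER: absent = FALSE
        bc = _children(_tlv(fields[-1][1], 0)[1])  # BasicConstraints SEQUENCE
        is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
        path_len = int.from_bytes(bc[-1][1], "big") if bc and bc[-1][0] == 0x02 else None
        if not critical:
            return False, "basic constraints extension is not marked critical", path_len
        if not is_ca:
            return False, "CA=true is not set", path_len
        return True, "ok", path_len
    return False, "basic constraints extension is missing", None

def chain_path_len_ok(path_lens):
    """path_lens: pathLenConstraint of each CA from the root down to the CA being
    imported (None = unbounded); each must allow the subordinate CAs below it."""
    depth = len(path_lens)
    return all(p is None or p >= depth - 1 - i for i, p in enumerate(path_lens))
def _der(tag, content):  # short-form lengths suffice for the constructed samples
    return bytes([tag, len(content)]) + content
def basic_constraints_ext(critical, ca, path_len=None):
    """Build a constructed BasicConstraints Extension (test input, not a real cert)."""
    bc = (_der(0x01, b"\xff") if ca else b"")
    bc += _der(0x02, bytes([path_len])) if path_len is not None else b""
    ext = _der(0x06, OID_BASIC_CONSTRAINTS) + (_der(0x01, b"\xff") if critical else b"")
    return _der(0x30, ext + _der(0x04, _der(0x30, bc)))
# Constructed sample: critical, CA=true, pathLenConstraint 0 -> accepted.
SAMPLE_EXTENSIONS = _der(0x30, basic_constraints_ext(True, True, 0))
print(check_basic_constraints(SAMPLE_EXTENSIONS))  # (True, 'ok', 0)
```

A non-critical extension, a missing CA=true flag, or an absent extension each produce the corresponding rejection reason, matching the validation exceptions listed above.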

Not enforced

  • Certificate policies. Certificate policies regulate the conditions under which a CA issues certificates.

  • Inhibit anyPolicy. Used in certificates issued to CAs.

  • Issuer Alternative Name. Allows additional identities to be associated with the issuer of the CA certificate.

  • Policy Constraints. These constraints limit a CA's capacity to issue subordinate CA certificates.

  • Policy Mappings. Used in CA certificates. Lists one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy.

  • Subject Directory Attributes. Used to convey identification attributes of the subject.

  • Subject Information Access. How to access information and services for the subject of the certificate in which the extension appears.

  • Subject Key Identifier (SKI) and Authority Key Identifier (AKI). The RFC requires a CA certificate to contain the SKI extension. Certificates issued by the CA must contain an AKI extension matching the CA certificate's SKI. Amazon Private CA does not enforce these requirements. If your CA certificate does not contain an SKI, the AKI of the issued end-entity or subordinate CA certificate will instead be the SHA-1 hash of the issuer public key.

  • SubjectPublicKeyInfo and Subject Alternative Name (SAN). When issuing a certificate, Amazon Private CA copies the SubjectPublicKeyInfo and SAN extensions from the provided CSR without performing validation.