This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments.
The Netscape certificate loader recognizes several binary formats, as follows.
This is a single binary DER-encoded certificate.
PKCS #7 certificate chain
This is a PKCS #7 SignedData object. The only significant field in the SignedData object is the certificates. In particular, the signature and the contents are ignored. In future versions of the software, the CRLs will also be used. The PKCS #7 format allows multiple certificates to be downloaded at once. See Importing Certificate Chains for more information about handling multiple certificates.
Netscape Certificate Sequence
This is a simpler format for downloading certificate chains. It consists of a PKCS #7 ContentInfo structure, wrapping a sequence of certificates. The value of the contentType field should be netscape-cert-sequence (see Object Identifiers), while the content field has the following structure:
CertificateSequence ::= SEQUENCE OF Certificate
This format allows multiple certificates to be downloaded at once. See Importing Certificate Chains for more information about handling multiple certificates.
Any of the above binary formats can also be imported in text form. The text form begins with the following line:
-----BEGIN CERTIFICATE-----
Following this line is the certificate data, which can be in any of the binary formats just described. This data should be base 64 encoded as described by RFC 1113. The data is followed by this line:
-----END CERTIFICATE-----
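The following is an added illustration, not code from the Netscape specification, of how a loader can tell the three binary formats apart and unwrap the text form. It walks DER with a minimal tag-length-value reader from the standard library only: a bare Certificate starts with a nested SEQUENCE (tbsCertificate), while a ContentInfo starts with an OBJECT IDENTIFIER whose value selects PKCS #7 SignedData or the Netscape Certificate Sequence. The "certificates" in the sample below are constructed stand-ins with the right outer shape, not real X.509 certificates, so the code can run offline.

```python
"""Recognise the binary certificate formats described above and strip the
-----BEGIN/END CERTIFICATE----- text wrapper, returning the DER certificates
found. Minimal DER walker; the sample inputs at the bottom are constructed."""
import base64
import re

# DER contents octets of the two OIDs that distinguish the wrapped formats.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")       # 1.2.840.113549.1.7.2
OID_NETSCAPE_CERT_SEQUENCE = bytes.fromhex("6086480186f8420205")  # 2.16.840.1.113730.2.5

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):
    """Split a constructed element's contents into (tag, contents, full_encoding)."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, nxt = _read_tlv(contents, pos)
        out.append((tag, val, contents[pos:nxt]))
        pos = nxt
    return out

def extract_certificates(der):
    """Return the DER Certificate encodings carried by `der`, which may be a
    bare Certificate, a PKCS #7 SignedData ContentInfo, or a Netscape
    Certificate Sequence ContentInfo. Anything else raises ValueError."""
    tag, value, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    kids = _children(value)
    if not kids:
        raise ValueError("empty SEQUENCE")
    first_tag, first_val, _ = kids[0]
    if first_tag == 0x30:
        return [der]                       # Certificate: first field is tbsCertificate
    if first_tag != 0x06 or len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("neither Certificate nor ContentInfo")
    content = kids[1][1]                   # contents of content [0] EXPLICIT
    if first_val == OID_NETSCAPE_CERT_SEQUENCE:
        # content is CertificateSequence ::= SEQUENCE OF Certificate
        _, seq, _ = _children(content)[0]
        return [full for t, _, full in _children(seq) if t == 0x30]
    if first_val == OID_PKCS7_SIGNED_DATA:
        # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo,
        #   certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }
        # Only the certificates field is used; signature and content are ignored.
        _, signed, _ = _children(content)[0]
        for t, v, _ in _children(signed):
            if t == 0xA0:
                return [full for ct, _, full in _children(v) if ct == 0x30]
        return []
    raise ValueError("unsupported contentType OID")

def decode_text_form(text):
    """Strip the BEGIN/END CERTIFICATE lines and base64-decode what is between them."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

# --- constructed sample data (not real certificates) -------------------------
def _der(tag, contents):
    """Encode one DER element; supports lengths up to 65535."""
    n = len(contents)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + contents

def fake_cert(label):
    """SEQUENCE { SEQUENCE { OCTET STRING label } }: same outer shape as a Certificate."""
    return _der(0x30, _der(0x30, _der(0x04, label)))

CERT_A, CERT_B = fake_cert(b"constructed-cert-A"), fake_cert(b"constructed-cert-B")

def netscape_cert_sequence(certs):
    return _der(0x30, _der(0x06, OID_NETSCAPE_CERT_SEQUENCE) + _der(0xA0, _der(0x30, b"".join(certs))))

def pkcs7_signed_data(certs):
    signed = (_der(0x02, b"\x01") + _der(0x31, b"")                          # version, digestAlgorithms
              + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))  # contentInfo (id-data, no content)
              + _der(0xA0, b"".join(certs)) + _der(0x31, b""))                # certificates, empty signerInfos
    return _der(0x30, _der(0x06, OID_PKCS7_SIGNED_DATA) + _der(0xA0, _der(0x30, signed)))

def to_text_form(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("DER", CERT_A), ("PKCS7", pkcs7_signed_data([CERT_A, CERT_B])),
                       ("NSCS", netscape_cert_sequence([CERT_A, CERT_B]))]:
        print(name, len(extract_certificates(decode_text_form(to_text_form(blob)))), "certificate(s)")
```

Note that the dispatch is on the contentType OID only; the function deliberately never looks at the SignedData signature, which is the behaviour the text describes for Communicator, so a loader built this way must not be mistaken for one that authenticates the chain.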
Subsequent certificates are all treated the same. If the certificates contain the SSL-CA bit in the netscape-cert-type certificate extension and do not already exist in the local certificate database, they are added as untrusted CAs. In this way they can be used for certificate chain validation as long as there is a trusted CA somewhere along the chain.
The certificate being downloaded is a user certificate belonging to the user operating Communicator. If the private key associated with the certificate does not exist in the user's local key database, then Communicator generates an error dialog and the certificate is not imported. If a certificate chain is being imported, then the first certificate in the chain must be the user certificate, and any subsequent certificates will be added as untrusted CA certificates to the local database.
application/x-x509-ca-cert
The certificate being downloaded represents a certificate authority. When it is downloaded, a sequence of dialogs guides the user through the process of accepting the Certificate Authority and deciding whether to trust sites certified by the CA.
If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates.
application/x-x509-email-cert
The certificate being downloaded is a user certificate belonging to another user for use with S/MIME. If a certificate chain is being imported, the first certificate in the chain must be the user certificate, and Communicator adds any subsequent certificates to the local database as untrusted CA certificates. This process allows people or CAs to post their email certificates on web pages for download by other users who want to send them encrypted mail.
netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
The hexadecimal byte value of this OID, when DER-encoded, is
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
The following OIDs are mentioned in this document:
netscape-data-type OBJECT IDENTIFIER ::= { netscape 2 }
netscape-cert-sequence OBJECT IDENTIFIER ::= { netscape-data-type 5 }
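The DER byte value given above for the netscape arc can be reproduced with the standard OBJECT IDENTIFIER encoding rule: the first two arcs collapse into one subidentifier (40 * first + second), and every subidentifier is written base-128, high bits first, with the continuation bit set on all but its last byte. The following encoder and decoder are an added illustration, not part of the specification; the arc names are the page's own.

```python
"""DER encoding and decoding of OBJECT IDENTIFIER values, checked against the
netscape arc {2 16 840 1 113730} and the OIDs derived from it above."""

def encode_oid(arcs):
    """Return the DER contents octets for a dotted OID given as a sequence of ints."""
    if len(arcs) < 2 or not 0 <= arcs[0] <= 2:
        raise ValueError("an OID needs at least two arcs and a root arc of 0, 1 or 2")
    subids = [40 * arcs[0] + arcs[1]] + list(arcs[2:])   # first two arcs share one subid
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]                             # least significant 7 bits, no continuation
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))            # continuation bit on the higher groups
            sid >>= 7
        out.extend(reversed(chunk))                      # emit most significant group first
    return bytes(out)

def decode_oid(contents):
    """Inverse of encode_oid: contents octets back to a tuple of arcs."""
    subids, value, pending = [], 0, False
    for byte in contents:
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("truncated or empty OID")
    first = subids[0]
    root = 2 if first >= 80 else first // 40             # root 2 absorbs all values >= 80
    return (root, first - 40 * root, *subids[1:])

def der_oid(arcs):
    """Complete DER element: tag 0x06, short-form length, contents octets."""
    contents = encode_oid(arcs)
    if len(contents) >= 0x80:
        raise ValueError("long-form length not handled here")
    return bytes([0x06, len(contents)]) + contents

# Arcs from the specification text above.
NETSCAPE = (2, 16, 840, 1, 113730)
NETSCAPE_DATA_TYPE = NETSCAPE + (2,)
NETSCAPE_CERT_SEQUENCE = NETSCAPE_DATA_TYPE + (5,)

if __name__ == "__main__":
    print("netscape              ", encode_oid(NETSCAPE).hex(" "))
    print("netscape-cert-sequence", der_oid(NETSCAPE_CERT_SEQUENCE).hex(" "))
    print("round trip            ", decode_oid(encode_oid(NETSCAPE_CERT_SEQUENCE)))
```

The decoder's root-arc rule matters for this OID family: 0x60 is 96, which is only meaningful once you know that any first subidentifier of 80 or more belongs to root arc 2, so the second arc is 96 - 80 = 16, not 96 // 40 = 2 with a remainder of 16.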