US Higher Education Root (USHER)
Certification Authority
CA1
Certificate Profile for
Subscriber Authority Certificates

Version 1.03 : April 19, 2007
| Field Name | Value Type | Value or Example | Specified | Explanation |
|---|---|---|---|---|
| Version | integer | 0x2 | Y | A version 3 certificate is specified. |
| Serial Number | a unique integer | 7C | Y | |
| Signature Algorithm | Algorithm | SHA1/RSA | Y | |
| Issuer | DN | cn=USHER CA1 v1, ou=CA1, o=US Higher Education Root, c=US | Y | USHER did not use DC Naming to avoid potential interoperability problems. |
| Validity | Time | Valid until February 26, 2026 | Y | Expires the day before the USHER CA1 root certificate. We plan to rekey after 10 years (sooner if needed, perhaps later if possible), so Subscribers will most likely need new Authority Certificates before the 20-year period expires. |
| Subject | DN | cn=SubscriberCA Name, ou=OrganizationalUnit, o=Organization, l=OrgCity, s=OrgState, c=Two-Letter ISO 3166 Country Code | N | DN as specified by the Subscriber in its certificate request. CN must be a commonly used name for the Subscriber CA. If the Subscriber is a US organization, then C=US and S=Org State. If the Subscriber is not a US organization, then C=Two-letter ISO 3166 country code and S= is optional. OU is optional except where needed to ensure name uniqueness. |
| Public Key | RSA | | Y | Subscribers are required to use a 2048-bit RSA key pair. USHER CA1 will sign certificate requests that contain a 1024-bit RSA key only upon special approval from the USHER Policy Authority, and then for a shorter, 10-year validity period. |
| Certificate Extensions | | | | |
| Key Usage | | Certificate Signing, CRL Signing (06) | Y | This extension will be marked critical. |
| Basic Constraints | Constraints | CA=true | Y | Critical. |
| Certificate Policy | anyPolicy OID | 2.5.29.32.0 | Y | Not critical. |
| CPS Pointer | URI | https://www.usherca.org/practices/ca1/cps.pdf | Y | Not critical. A redacted version of the practices document will be made available online in PDF format. |
| CRL Distribution Points | URI | http://h1.usherca.org/crl/ca1.crl, http://h2.usherca.org/crl/ca1.crl | Y | Not critical. USHER CA1 will issue CRLs and make them available via HTTP. USHER CA1 will issue a new CRL at least each month (31 days) and by the end of the next business day after receiving any request to revoke a certificate. |
| Authority Information Access | URI, id-ad-caIssuers | http://h1.usherca.org/aia/ca1-certs.p7b, http://h2.usherca.org/aia/ca1-certs.p7b | Y | At least two AIA URLs located at different points on the Internet will be specified. |
| Authority Key Identifier | KeyID | See RFC-3280 for details | Y | Not critical. Only the keyIdentifier field will be populated. |
| Subject Key Identifier | KeyID | See RFC-3280 for details | Y | Not critical. Only the keyIdentifier field will be populated. |
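
The extension rows of this profile, written as an OpenSSL `x509v3_config` extension section. This is an added example, not USHER's own CA configuration: the use of OpenSSL and the section names `usher_subscriber_ca_ext` and `usher_anypolicy` are assumptions, while the criticality flags, OID and URLs are taken from the profile above.

```ini
# Hypothetical section names; values follow the profile table.
[ usher_subscriber_ca_ext ]

# Key Usage: Certificate Signing and CRL Signing, marked critical.
keyUsage               = critical, keyCertSign, cRLSign

# Basic Constraints: CA=true, critical. The profile states no path
# length constraint, so none is set here.
basicConstraints       = critical, CA:TRUE

# Certificate Policy: anyPolicy with a CPS pointer qualifier, not critical.
certificatePolicies    = @usher_anypolicy

# CRL Distribution Points: both HTTP locations, not critical.
crlDistributionPoints  = URI:http://h1.usherca.org/crl/ca1.crl, URI:http://h2.usherca.org/crl/ca1.crl

# Authority Information Access: id-ad-caIssuers at two separate hosts.
authorityInfoAccess    = caIssuers;URI:http://h1.usherca.org/aia/ca1-certs.p7b, caIssuers;URI:http://h2.usherca.org/aia/ca1-certs.p7b

# Authority Key Identifier: keyIdentifier only. Omitting the "issuer"
# option keeps authorityCertIssuer and authorityCertSerialNumber out.
authorityKeyIdentifier = keyid:always

# Subject Key Identifier: keyIdentifier derived from the subject public key.
subjectKeyIdentifier   = hash

[ usher_anypolicy ]
# anyPolicy OID from the profile.
policyIdentifier = 2.5.29.32.0
# CPS Pointer URI from the profile.
CPS.1            = "https://www.usherca.org/practices/ca1/cps.pdf"
```

An issued certificate can then be compared against the table row by row with `openssl x509 -noout -text`, checking in particular that only Key Usage and Basic Constraints carry the critical flag.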


Notes: