Defining header for stapled certificate extensions

Stef Walter stef at
Tue Sep 9 03:58:26 PDT 2014

... redirecting some discussion here to the mailing list with Nikos'
permission ...

>On 09.09.2014 12:56, Stef Walter wrote:
>> I'm working on defining an installed p11-kit header for stapled
>> certificate extensions:

(In reply to Nikos Mavrogiannopoulos)
> I realized that there is no predefined set of extensions in [0].
> Which extensions may be present in a p11-kit trust module, and is
> there some way to list them?

You can search for all objects with class CKO_X_CERTIFICATE_EXTENSION.
For all stapled extensions for a given certificate search for all
objects with class CKO_X_CERTIFICATE_EXTENSION *and* the appropriate

> I mean is it only the "Extended Key Usage"

No. All manner of stapled certificate extensions are possible. These can
be defined as input to the p11-kit-trust module as well.

For example, ca-certificates in Fedora has added a BasicConstraints
extension to one of the CAs that was missing it.

The format for this was explicitly unstable until now. However, now that
we're finishing up work on how stapled certificate extensions are done,
the file format should be documented.

> that you set (and if yes, which are the available values in it?).

As you're aware, inside of an Extended Key Usage, you find OIDs for the
various usages. The common usages are found here:

There is no definitive set. Enterprises often add their own. For example
Microsoft has a broad set of ExtendedKeyUsage OIDs they use in their
products and certificates.




stef at
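
The point above about Extended Key Usage having no definitive set of OIDs, as an added example (not code from this post or from p11-kit): a minimal DER decoder for an ExtendedKeyUsage value (RFC 5280: SEQUENCE OF OBJECT IDENTIFIER) that names the usages it knows and returns any other OID as-is instead of rejecting it. The function names are hypothetical, the sample bytes are constructed, and how the value is read out of a stapled extension object is outside the example.

```python
# Usages this consumer knows by name; the set is open-ended, so any other
# OID is returned in dotted form with name None rather than rejected.
KNOWN_USAGES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_eku(der):
    """Return [(dotted_oid, name_or_None), ...] for an EKU extension value."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    usages, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = decode_oid(content)
        usages.append((oid, KNOWN_USAGES.get(oid)))
    return usages

# Constructed sample: serverAuth plus Microsoft smart card logon (unnamed here).
SAMPLE_EKU = bytes.fromhex("3016" "06082b06010505070301" "060a2b060104018237140202")
```

A consumer that makes trust decisions on these values should match on the dotted OID and treat a usage it does not recognise as "not granted for my purpose", not as a parse error.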

More information about the p11-glue mailing list