Netscape Certificate Extensions

Navigator 3.0 Version

Send comments to: cert-ext@netscape.com

 This is the list of proposed certificate extensions:

netscape-cert-type:
The value is a bit-string, where the individual bit positions are defined as:
bit-0 SSL-client - this cert is certified for SSL client authentication use
bit-1 SSL-server - this cert is certified for SSL server authentication use
bit-5 SSL-CA - this cert is certified for issuing certs for SSL use
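As an added example (not part of the Netscape document), the following decodes and encodes the netscape-cert-type value. It assumes the DER BIT STRING rules of X.690, which the page does not state: tag 0x03, a length, one byte giving the number of unused trailing bits, then the data bytes, with bit-0 in the spec's numbering being the most significant bit of the first data byte. Only the three bits listed above are named; all function names are mine.

```python
# Added example (not from the Netscape spec): decode and encode the
# netscape-cert-type value. DER encodes a BIT STRING (tag 0x03) as a length,
# one byte giving the number of unused trailing bits, then the data bytes;
# bit-0 of the spec's numbering is the most significant bit of the first
# data byte, bit-1 the next, and so on (X.690, assumed here). Only the three
# bits listed in the spec are named; anything else is reported as unknown.

CERT_TYPE_BITS = {0: "SSL-client", 1: "SSL-server", 5: "SSL-CA"}

def decode_bit_string(der: bytes) -> set:
    """Return the set of bit positions that are set in a DER BIT STRING TLV."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or 2 + length != len(der):
        raise ValueError("long-form or inconsistent length")
    unused, data = der[2], der[3:]
    if unused > 7 or (unused and not data):
        raise ValueError("bad unused-bits count")
    if unused and data[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    nbits = len(data) * 8 - unused
    return {i for i in range(nbits) if data[i // 8] & (0x80 >> (i % 8))}

def cert_type_names(der: bytes) -> list:
    """Human-readable cert-type flags, in bit order."""
    return [CERT_TYPE_BITS.get(b, f"unknown-bit-{b}")
            for b in sorted(decode_bit_string(der))]

def encode_bit_string(bits) -> bytes:
    """DER-encode a set of bit positions with the minimal number of data bytes."""
    bits = set(bits)
    if not bits:
        return b"\x03\x01\x00"          # empty BIT STRING: no unused bits, no data
    highest = max(bits)
    data = bytearray(highest // 8 + 1)
    for b in bits:
        data[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - highest % 8            # trailing bits after the highest set bit
    body = bytes([unused]) + bytes(data)
    return bytes([0x03, len(body)]) + body

if __name__ == "__main__":
    # Constructed sample: an SSL server certificate that may also act as an SSL CA.
    tlv = encode_bit_string({1, 5})
    print(tlv.hex())                 # 03020244
    print(cert_type_names(tlv))      # ['SSL-server', 'SSL-CA']
```

The decoder rejects non-zero padding bits and long-form lengths rather than guessing, since a permissive parser is where two implementations start disagreeing about which bits a certificate actually carries.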
netscape-base-url:
The value is an IA5String. When present this string is added to the beginning of all relative URLs in the certificate. This extension can be considered an optimization to reduce the size of the URL extensions.
netscape-revocation-url:
The value is an IA5String. It is a relative or absolute URL that can be used to check the revocation status of a certificate. The revocation check is performed as an HTTP GET using a URL that is the concatenation of revocation-url and certificate-serial-number, where certificate-serial-number is encoded as a string of ASCII hexadecimal digits. For example, if the netscape-base-url is https://www.certs-r-us.com/, the netscape-revocation-url is cgi-bin/check-rev.cgi?, and the certificate serial number is 173420 (0x2a56c), the resulting URL would be: https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c
The server should return a document with a Content-Type of application/x-netscape-revocation. The document should contain a single ASCII digit: '1' if the certificate is not currently valid, '0' if it is currently valid. Note that this reply carries no signature of its own, so a client can only trust the answer as far as it trusts the transport the URL was fetched over.
netscape-ca-revocation-url:
The value is an IA5String. It is a relative or absolute URL that can be used to check the revocation status of any certificates that are signed by the CA that this certificate belongs to. This extension is only valid in CA certificates. The use of this extension is the same as the netscape-revocation-url extension.
netscape-cert-renewal-url:[May be supported in 3.0]
The value is an IA5String. It is a relative or absolute URL that points to a certificate renewal form. The renewal form is accessed with an HTTP GET using a URL that is the concatenation of renewal-url and certificate-serial-number, where certificate-serial-number is encoded as a string of ASCII hexadecimal digits. For example, if the netscape-base-url is https://www.certs-r-us.com/, the netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the certificate serial number is 173420, the resulting URL would be:
https://www.certs-r-us.com/cgi-bin/check-renew.cgi?02a56c
The document returned should be an HTML form that will allow the user to request a renewal of their certificate.
netscape-ca-policy-url:
The value is an IA5String. It is a relative or absolute URL that points to a web page that describes the policies under which the certificate was issued.
netscape-ssl-server-name:[Not supported until 3.0b5]
The value is an IA5String. It is a "shell expression" that can be used to match the hostname of the SSL server that is using this certificate. It is recommended that if the server's hostname does not match this pattern the user be notified and given the option to terminate the SSL connection. If this extension is not present then the CommonName in the certificate subject's distinguished name is used for the same purpose.
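As an added example (not part of the Netscape document), the following applies the host-name rule above, including the fallback to the subject CommonName. "Shell expression" is taken here to mean ordinary glob syntax (*, ?, [...]) as implemented by Python's fnmatch; that reading is an assumption, as are all names below.

```python
# Added example (not from the Netscape spec): the host-name check described
# for netscape-ssl-server-name, with the fallback to the subject CommonName.
# "Shell expression" is assumed to mean glob syntax as implemented by fnmatch.
import fnmatch

def name_pattern(ssl_server_name, subject_cn):
    """Pattern the peer host name is checked against: the extension value if
    present, otherwise the CommonName from the subject DN."""
    return ssl_server_name if ssl_server_name is not None else subject_cn

def hostname_matches(hostname, ssl_server_name=None, subject_cn=None):
    """True if the connected host name matches the certificate's pattern.
    DNS names are case-insensitive, so both sides are lower-cased first."""
    pattern = name_pattern(ssl_server_name, subject_cn)
    if pattern is None:
        return False          # nothing to compare against: treat as a mismatch
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())

def pattern_is_overbroad(pattern):
    """Glob '*' is not DNS-aware: '*.example.com' also matches
    'a.b.example.com', and a bare '*' matches every host. Flag a bare '*'
    or any wildcard character outside the leftmost label so a policy can
    refuse or warn on such certificates."""
    labels = pattern.split(".")
    return pattern == "*" or any(ch in label for label in labels[1:] for ch in "*?[")

if __name__ == "__main__":
    # Constructed samples; the host names are made up for illustration.
    print(hostname_matches("www.certs-r-us.com", "*.certs-r-us.com"))      # True
    print(hostname_matches("a.b.certs-r-us.com", "*.certs-r-us.com"))      # True (label crossing)
    print(hostname_matches("www.certs-r-us.com", subject_cn="www.certs-r-us.com"))  # True
    print(pattern_is_overbroad("www.*.com"))                               # True
```

A mismatch here is where the text says the user should be notified and offered the option to terminate the connection; the second sample shows why a glob wildcard deserves its own policy check rather than being accepted as-is.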
netscape-comment:
The value is an IA5String. It is a comment that may be displayed to the user when the certificate is viewed.
Note: for all of the above URLs that include the certificate serial number, the serial number will be encoded as a string which consists of an even number of hexadecimal digits. If the number of significant digits is odd, the string will have a single leading zero to ensure an even number of digits is generated. 
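As an added example (not part of the Netscape document), the following builds the URL a client would fetch for netscape-revocation-url, netscape-ca-revocation-url and netscape-cert-renewal-url, applying the base-URL and even-digit serial rules stated above, and interprets a revocation reply. The function names, the treatment of "absolute" as "starts with a URL scheme", and the sample reply are mine.

```python
# Added example (not from the Netscape spec): build the check URL for the
# revocation and renewal extensions and interpret a revocation reply,
# following the rules stated in the text. Names and the sample reply are mine.
import re

# A URL is treated as absolute when it starts with a scheme (RFC 3986 form).
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

def encode_serial(serial: int) -> str:
    """Serial number as lowercase ASCII hex with an even number of digits;
    a single leading zero is added when the count of significant digits is odd."""
    if serial < 0:
        raise ValueError("certificate serial numbers are non-negative")
    digits = format(serial, "x")
    return digits if len(digits) % 2 == 0 else "0" + digits

def resolve_url(base_url, url):
    """Prefix netscape-base-url to a relative URL; absolute URLs are unchanged.
    The spec says the base is 'added to the beginning', so this is a plain
    string prefix, not RFC 3986 reference resolution (which would drop a
    trailing '?' from the relative part)."""
    if _SCHEME.match(url) or base_url is None:
        return url
    return base_url + url

def build_check_url(base_url, url_ext, serial):
    """Concatenate the resolved URL extension and the encoded serial number."""
    return resolve_url(base_url, url_ext) + encode_serial(serial)

def is_revoked(content_type: str, body: bytes) -> bool:
    """Interpret a revocation reply: '1' means not currently valid, '0' valid.
    Anything else is an error rather than a silent 'valid'."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/x-netscape-revocation":
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    digit = body.strip()
    if digit == b"1":
        return True
    if digit == b"0":
        return False
    raise ValueError(f"malformed revocation reply {body!r}")

if __name__ == "__main__":
    # The spec's own worked example, then a constructed reply.
    url = build_check_url("https://www.certs-r-us.com/", "cgi-bin/check-rev.cgi?", 173420)
    print(url)                                                      # .../check-rev.cgi?02a56c
    print(is_revoked("application/x-netscape-revocation", b"1\n"))  # True
```

The reply handling fails closed on anything other than the documented media type and a single '0' or '1'; since the reply is unsigned, a client also needs the fetch itself to be over a trusted transport before the digit means anything.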

Netscape Object Identifiers

The base of all Netscape object ids is:
netscape OBJECT IDENTIFIER ::= { 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 }
Note that these are the hexadecimal byte values of the DER-encoded OID contents, i.e. 2.16.840.1.113730 in dotted notation.

 The values for certificate extension names are:

netscape-cert-extension OBJECT IDENTIFIER ::= { netscape, 0x01 }
netscape-cert-type OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x01 }
netscape-base-url OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x02 }
netscape-revocation-url OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x03 }
netscape-ca-revocation-url OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x04 }
netscape-cert-renewal-url OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x07 }
netscape-ca-policy-url OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x08 }
netscape-ssl-server-name OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x0c }
netscape-comment OBJECT IDENTIFIER ::= { netscape-cert-extension, 0x0d }
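As an added example (not part of the Netscape document), the following converts between the DER content bytes quoted above and dotted OID notation, and derives the content bytes for each extension in the table. It assumes the X.690 OID rules, which the page does not state: the first two arcs are packed as 40*arc1 + arc2, and every value is written base-128, most significant group first, with the high bit set on all but its last byte. The table mirrors the list above; all function names are mine.

```python
# Added example (not from the Netscape spec): convert between DER OID content
# bytes and dotted notation (X.690 rules, assumed here), and derive the
# content bytes for each Netscape certificate extension listed in the spec.

NETSCAPE = bytes.fromhex("6086480186f842")          # the base OID quoted in the spec

NETSCAPE_CERT_EXTENSIONS = {                        # { netscape-cert-extension, n }
    "netscape-cert-type": 0x01,
    "netscape-base-url": 0x02,
    "netscape-revocation-url": 0x03,
    "netscape-ca-revocation-url": 0x04,
    "netscape-cert-renewal-url": 0x07,
    "netscape-ca-policy-url": 0x08,
    "netscape-ssl-server-name": 0x0C,
    "netscape-comment": 0x0D,
}

def _base128(value: int) -> bytes:
    """One OID sub-identifier: 7-bit groups, high bit set on all but the last."""
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append(value & 0x7F)
        value >>= 7
    groups.reverse()
    return bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content bytes (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return b"".join(_base128(v) for v in values)

def decode_oid(content: bytes) -> str:
    """DER content bytes -> dotted OID, rejecting truncated or non-minimal input."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in content:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal (leading 0x80) sub-identifier")
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue                                # more groups follow
        if not arcs:                                # unpack the first two arcs
            first = 2 if value >= 80 else value // 40
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def netscape_extension_oid(name: str) -> bytes:
    """Content bytes of { netscape, 1, n } for a named Netscape extension."""
    return NETSCAPE + b"\x01" + _base128(NETSCAPE_CERT_EXTENSIONS[name])

if __name__ == "__main__":
    print(decode_oid(NETSCAPE))                     # 2.16.840.1.113730
    for name in NETSCAPE_CERT_EXTENSIONS:
        oid = netscape_extension_oid(name)
        print(f"{name:28s} {oid.hex()}  {decode_oid(oid)}")
```

Decoding rejects a trailing continuation byte and a leading 0x80 group because a lenient OID parser can be made to accept two different byte strings for the same extension, which matters when an OID comparison is what decides whether an extension is recognised at all.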