Netscape Certificate Download Specification
Navigator 3.0 Review Version
Send comments to: cert-ext@netscape.com
This document describes the data formats used by Netscape Navigator
3.x and Netscape 2.x servers for installing certificates.
Data Formats
Netscape products can accept certificates in several formats. In all cases
the certificates are X.509 version 1, 2, or 3.
Binary Formats
The Netscape certificate loader will recognize several binary formats.
They are:
- DER encoded certificate:
  This is a single binary DER encoded certificate.
- PKCS #7 certificate chain:
  This is a PKCS #7 SignedData object. The only significant field in the
  SignedData object is the certificates field. In particular, the signature
  and the contents are ignored. In future versions of the software, the CRLs
  will also be used. The PKCS #7 format allows multiple certificates to be
  downloaded at once. See the section below on Certificate Chains for more
  information about how multiple certificates are handled.
- Netscape Certificate Sequence:
  This is a simpler format for downloading certificate chains. It consists
  of a PKCS #7 ContentInfo structure wrapping a sequence of certificates.
  The value of the contentType field should be netscape-cert-sequence (see
  Object Identifiers), while the content field is the following structure:
      CertificateSequence ::= SEQUENCE OF Certificate
  This format allows multiple certificates to be downloaded at once. See the
  section below on Certificate Chains for more information about how
  multiple certificates are handled.
Text Formats
Any of the above binary formats can also be imported in text form. The
text form begins with the following line:
-----BEGIN CERTIFICATE-----
Following this line should be the certificate data, which can be in any
of the binary formats described above. This data should be base64 encoded
as described by RFC 1113.
Following the data should be the following line:
-----END CERTIFICATE-----
Importing Certificate Chains
Several of the formats described above can contain several certificates.
When the Netscape certificate decoder encounters one of these collections
of multiple certificates they are handled in the following way:
- The first certificate is processed in a context-specific manner, depending
  upon how it is being imported. For the Navigator, this handling depends
  upon the MIME Content-Type used on the object being downloaded. For
  Netscape servers it depends upon the options selected in the server
  administration interface.
- Subsequent certificates are all treated the same. If a certificate contains
  the SSL-CA bit in the netscape-cert-type certificate extension and does not
  already exist in the local certificate database, it is added as an untrusted
  CA. In this way it may be used for certificate chain validation, as long as
  there is a trusted CA somewhere along the chain.
Importing Certificates into Netscape Navigator
Navigator imports certificates via the HTTP protocol. Several MIME content
types are used to indicate to the Navigator what type of certificate is
being imported. These MIME types are:
- application/x-x509-user-cert
  The certificate being downloaded is a user certificate belonging to the
  user operating the Navigator. If the private key associated with the
  certificate does not exist in the user's local key database, then an error
  dialog is generated and the certificate is not imported. If a certificate
  chain is being imported then the first certificate in the chain must be the
  user certificate, and any subsequent certificates will be added as
  untrusted CA certificates to the local database.
- application/x-x509-ca-cert
  The certificate being downloaded represents a Certificate Authority. When
  it is downloaded the user will be shown a sequence of dialogs that guide
  them through the process of accepting the Certificate Authority and
  deciding if they wish to trust sites certified by the CA. If a certificate
  chain is being imported then the first certificate in the chain must be
  the CA certificate, and any subsequent certificates will be added as
  untrusted CA certificates to the local database.
Note: the Navigator checks that the size of the object being downloaded
matches the size of the encoded certificates. Therefore it is important
to ensure that no extra characters, such as NUL bytes or newlines, are added
at the end of the object.
Importing Certificates into Netscape Servers
Server certificates are imported via the server admin interface. Certificates
are pasted into a text input field in an HTML form, and then the form is
submitted to the admin server. Since the certificates are pasted into text
fields, only the text formats described above are supported for servers.
The type of certificate being imported is specified by the server administrator
by selections made on the admin pages. If a certificate chain is being
imported then the first certificate in the chain must be the server or
CA certificate, and any subsequent certificates will be added as untrusted
CA certificates to the local database.
Object Identifiers
The base of all Netscape object ids is:
netscape OBJECT IDENTIFIER ::= { 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 }
Note that this is the hexadecimal byte value of the DER encoded OID.
The following OIDs are mentioned in this document:
netscape-data-type OBJECT IDENTIFIER ::= { netscape, 0x02 }
netscape-cert-sequence OBJECT IDENTIFIER ::= { netscape-data-type, 0x05 }
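The following Python program is an added example, not code from Netscape or from this specification. It ties together the Binary Formats, Text Formats and Object Identifiers sections: it strips the BEGIN/END CERTIFICATE armor, parses the DER tag-length-value structure, decodes the contentType OID into dotted form (the Netscape arc bytes given above decode to 2.16.840.1.113730), tells the three binary formats apart, extracts the ordered list of certificates from a PKCS #7 SignedData or a netscape-cert-sequence, and rejects any trailing bytes, which is the length check the Navigator note describes. The sample objects at the bottom are constructed placeholders that are only certificate-shaped, not real certificates; the PKCS #7 signedData OID (1.2.840.113549.1.7.2) and the function names are the example's own assumptions.

```python
import base64
import re

# Dotted OIDs this parser recognises. The Netscape one is the decoded value of the
# DER bytes in the specification plus the 0x02, 0x05 arcs; the signedData OID is
# the standard PKCS #7 value (assumed here, not stated on the page).
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_NETSCAPE_CERT_SEQUENCE = "2.16.840.1.113730.2.5"

ARMOR_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, raw, next_pos)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:end], buf[start:end], end


def children(value):
    """Yield (tag, value, raw) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, raw, pos = tlv(value, pos)
        yield tag, inner, raw


def decode_oid(content):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in [first, second] + arcs[1:])


def armor(blob):
    """Wrap a binary object in the text form of the spec (base64, 64-column lines)."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def unarmor(text):
    """Inverse of armor(): locate the BEGIN/END lines and base64-decode the body."""
    m = ARMOR_RE.search(text)
    if m is None:
        raise ValueError("no BEGIN/END CERTIFICATE lines found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)))


def classify(blob):
    """Return (format_name, [DER certificate, ...]) in download order.
    Rejects trailing bytes, as the Navigator's object-size check does."""
    tag, value, _, end = tlv(blob)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    if end != len(blob):
        raise ValueError("%d trailing byte(s) after the DER object" % (len(blob) - end))
    items = list(children(value))
    if items and items[0][0] == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }: a lone certificate
        return "der-certificate", [blob]
    if len(items) == 2 and items[0][0] == 0x06 and items[1][0] == 0xA0:
        # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
        oid = decode_oid(items[0][1])
        _, content, _ = next(children(items[1][1]))
        if oid == OID_NETSCAPE_CERT_SEQUENCE:
            # content is CertificateSequence ::= SEQUENCE OF Certificate
            return "netscape-cert-sequence", [raw for _, _, raw in children(content)]
        if oid == OID_PKCS7_SIGNED_DATA:
            # Only the [0] IMPLICIT certificates field of SignedData is used; the
            # version, digest algorithms, content and signer infos are ignored.
            for t, v, _ in children(content):
                if t == 0xA0:
                    return "pkcs7-signed-data", [raw for _, _, raw in children(v)]
            return "pkcs7-signed-data", []
        raise ValueError("unsupported ContentInfo contentType " + oid)
    raise ValueError("not a certificate, SignedData or certificate sequence")


def accepts(blob):
    """True if classify() accepts blob, False if it rejects it."""
    try:
        classify(blob)
        return True
    except ValueError:
        return False


# --- constructed sample objects (placeholders, not real certificates) ---------
def der(tag, content):
    """Tiny DER encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# SEQUENCE { SEQUENCE { INTEGER 0 }, SEQUENCE {}, BIT STRING }: certificate-shaped only.
TOY_CERT = der(0x30, der(0x30, der(0x02, b"\x00")) + der(0x30, b"") + der(0x03, b"\x00"))
NS_CERT_SEQ_OID = der(0x06, bytes.fromhex("6086480186f842" "0205"))   # spec bytes + 02 05
SIGNED_DATA_OID = der(0x06, bytes.fromhex("2a864886f70d010702"))
DATA_OID = der(0x06, bytes.fromhex("2a864886f70d010701"))
# Netscape Certificate Sequence carrying two certificates.
NETSCAPE_SEQ = der(0x30, NS_CERT_SEQ_OID + der(0xA0, der(0x30, TOY_CERT + TOY_CERT)))
# PKCS #7 SignedData carrying three certificates and no signers.
PKCS7_CHAIN = der(0x30, SIGNED_DATA_OID + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, DATA_OID)
    + der(0xA0, TOY_CERT * 3) + der(0x31, b""))))

if __name__ == "__main__":
    for name, obj in [("cert", TOY_CERT), ("nscertseq", NETSCAPE_SEQ), ("pkcs7", PKCS7_CHAIN)]:
        fmt, certs = classify(unarmor(armor(obj)))
        print(name, "->", fmt, "with", len(certs), "certificate(s)")
    print("trailing newline accepted?", accepts(NETSCAPE_SEQ + b"\n"))
```

The list that classify() returns is in download order, so its first element is the certificate the importer handles context-specifically (user, CA or server certificate) and the rest are the candidates that the Importing Certificate Chains section says become untrusted CAs; checking the SSL-CA bit of netscape-cert-type on those is left out here because it needs real certificates with that extension.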