standalone Self-Signed S/MIME Certificate
EDWARDS dual-key certificate [C + S + E]
0. primary key, Certify [C]
X.509: ROOT/Issuer
| Field/Extension | Content | Optional/Critical | |
|---|---|---|---|
| Version | Version: 3 (0x2) | ||
| Serial Number | containing at least 64 bits of output from a CSPRNG, e.g. | 0x402ad043d9884e67 | |
| Signature Algorithm | ED448 | ||
| Validity | Not Before | ... | |
| Not After | ... | ||
| Issuer DN = Subject DN | commonName | ... | |
| givenName | |||
| surname | |||
| pseudonym | |||
| serialNumber | |||
| title | |||
| streetAddress | |||
| localityName | |||
| stateOrProvinceName | |||
| postalCode | |||
| countryName | |||
| organizationName | |||
| organizationalUnitName | |||
| organizationIdentifier | |||
| Subject Public Key Info | Public Key Algorithm and EdDSA Public-Key | ED448 and ED448 | |
| X509v3 extensions | Basic Constraints | CA:TRUE | critical |
| Key Usage | keyCertSign, cRLSign | critical | |
| Extended Key Usage | clientAuth, emailProtection | ||
| Subject Key Identifier | 256-bit SHAKE-256 hash of the DER encoding of the subjectPublicKey (pin-shake256-hex) |
1. subkey, Sign [S]
X.509: Subscriber/Subject
| Field/Extension | Content | Optional/Critical | |
|---|---|---|---|
| Version | Version: 3 (0x2) | ||
| Serial Number | containing at least 64 bits of output from a CSPRNG, e.g. | 0x734ca918d07e03c8 | |
| Signature Algorithm | ED448 | ||
| Issuer | based on the Distinguished Name (Subject) in the issuer's certificate | ... | |
| Validity | Not Before | ... | |
| Not After | ... | ||
| Subject DN | NULL SEQUENCE (NULL-DN) | SEQUENCE {} | |
| Subject Public Key Info | Public Key Algorithm and EdDSA Public-Key | ED25519 and ED25519 | |
| X509v3 extensions | Basic Constraints | CA:FALSE | critical |
| Key Usage | digitalSignature | critical | |
| Extended Key Usage | clientAuth, emailProtection | ||
| Authority Key Identifier | keyID: based on the subject key identifier in the issuer's certificate | ||
| Subject Key Identifier | 256-bit SHAKE-256 hash of the DER encoding of the subjectPublicKey (pin-shake256-hex) | ||
| Subject Alternative Name | IA5String (rfc822Name) or/and UTF-8 (otherName) test@example.com | critical |
2. subkey, Encrypt [E]
X.509: Subscriber/Subject
| Field/Extension | Content | Optional/Critical | |
|---|---|---|---|
| Version | Version: 3 (0x2) | ||
| Serial Number | containing at least 64 bits of output from a CSPRNG, e.g. | 0x1b3e0eb4b68f79ff | |
| Signature Algorithm | ED448 | ||
| Issuer | based on the Distinguished Name (Subject) in the issuer's certificate | ... | |
| Validity | Not Before | ... | |
| Not After | ... | ||
| Subject DN | NULL SEQUENCE (NULL-DN) | SEQUENCE {} | |
| Subject Public Key Info | Public Key Algorithm and EdDH Public-Key | X25519 and X25519 | |
| X509v3 extensions | Basic Constraints | CA:FALSE | critical |
| Key Usage | keyAgreement | critical | |
| Extended Key Usage | emailProtection | ||
| Authority Key Identifier | keyID: based on the subject key identifier in the issuer's certificate | ||
| Subject Key Identifier | 256-bit SHAKE-256 hash of the DER encoding of the subjectPublicKey (pin-shake256-hex) | ||
| Subject Alternative Name | IA5String (rfc822Name) or/and UTF-8 (otherName) test@example.com | critical |