Other extensions
DigiCert® Trust Lifecycle Manager supports the certificate extensions described on this page, in addition to the Subject Alternative Name (SAN), Key usage (KU), and Extended key usage (EKU) extensions.
Note
This list is not exhaustive. Trust Lifecycle Manager also supports custom extensions in private certificates issued by DigiCert® Private CA.
The Subject key identifier (SKI) extension contains a short hash of the certificate's public key, typically the 20-byte SHA-1 digest of the subjectPublicKey value (RFC 5280, method 1). It uniquely identifies the key and is used to build and validate certificate chains: the Authority key identifier in a certificate is matched against the SKI of its issuer. The SKI value is typically calculated and added automatically by the issuing CA. For private certificates issued by DigiCert® Private CA, you can omit this extension from issued certificates by deleting it from the certificate profile. RFC 5280 requires the SKI in CA certificates and only recommends it for end-entity certificates, so deleting it from an end-entity profile does not affect chain building.

| Display name | REST API attribute name | OID |
|---|---|---|
| Subject key identifier | — | 2.5.29.14 |
The Authority key identifier (AKI) extension identifies the public key that the issuing CA used to sign the certificate, normally by carrying the issuer's SKI value. It lets clients select the correct issuer certificate during chain building and validation, which matters when a CA has more than one key (for example after a key rollover). The AKI value is typically calculated and added automatically by the issuing CA. For private certificates issued by DigiCert® Private CA, you can omit this extension from issued certificates by deleting it from the certificate profile. Omit it with care: RFC 5280 requires the AKI in every certificate that is not self-signed, and relying parties that cannot use it fall back to matching the issuer by name alone.

| Display name | REST API attribute name | OID |
|---|---|---|
| Authority key identifier | — | 2.5.29.35 |
The Basic constraints extension indicates whether a certificate is a CA certificate (authorized to issue other certificates) or an end-entity certificate. For CA certificates, it can optionally include a path length constraint that limits how many intermediate CAs can appear below it in the certification path. The Basic constraints extension is typically added automatically by the issuing CA. For private certificates issued by DigiCert® Private CA, you can omit this extension from issued certificates by deleting it from the certificate profile. RFC 5280 path validation treats a version 3 certificate without this extension as an end-entity certificate, so deleting it from an end-entity profile is safe; a CA certificate must carry it, marked critical.

| Display name | REST API attribute name | OID |
|---|---|---|
| Basic Constraints | — | 2.5.29.19 |
The Certificate policies extension identifies the policy or policies under which a certificate was issued, indicating the CA's practices and assurance levels for the certificate. Trust Lifecycle Manager supports the Certificate policies extension in private certificates, except those issued from CertCentral. Use this extension to provide a list of policies and assurance levels for your organization, where each policy includes:

- Policy identifier: Unique object identifier (OID) for the custom policy, assigned from an OID arc your organization controls.
- CPS pointer URL (optional): URL for the certification practice statement (CPS) describing the CA's operational procedures, security controls, and practices for issuing certificates under this policy.
- User notice (optional): Human-readable text message with information about the policy, including disclaimers and usage restrictions.

| Display name | REST API attribute name | OID |
|---|---|---|
| Certificate policies | — | 2.5.29.32 |
The Issuer alternative name (IAN) extension lists alternative names or identifiers for the issuing CA. Trust Lifecycle Manager supports the IAN extension in the Generic User Certificate template, containing a single directoryName entry that holds the distinguished name (DN) attributes of the issuer.

| Display name | REST API attribute name | OID |
|---|---|---|
| Issuer alternative name (IAN) / Directory name | extensions.issuer_alt_name.directory_name | 2.5.29.18 |
The following example illustrates the JSON format for the IAN object in an API request. To include the IAN as a fixed value in issued certificates, enter only the value itself in the certificate profile.

```json
"extensions": {
  "issuer_alt_name": {
    "directory_name": {
      "value": "CN=www.digicert.com,O=DigiCert Inc,OU=Development,L=Lehi,ST=UT,C=US"
    }
  }
}
```

The Legal Entity Identifier (LEI) extension contains a 20-character alphanumeric code that uniquely identifies a legal entity worldwide, as defined in ISO 17442 and administered by the Global Legal Entity Identifier Foundation (GLEIF); the last two characters are check digits. It provides a standardized way to identify organizations in certificates, enhancing transparency and trust in financial and business transactions. Trust Lifecycle Manager supports the LEI extension in certificate profiles, with either a fixed value or a value provided at the time of enrollment.
| Display name | REST API attribute name | OID |
|---|---|---|
| LEI | extensions.lei | 1.3.6.1.4.1.52266.1 |
The following example illustrates the JSON format for the LEI object in an API request.

```json
"extensions": {
  "lei": {
    "value": "529900T8BM49AURSDO55",
    "critical": false
  }
}
```

The LEI-Role extension identifies the role of the legal entity named in the LEI extension, for example subject, issuer, or registration authority, and so gives context for that entity's relationship to the certificate. Trust Lifecycle Manager supports the LEI-Role extension in certificate profiles, with either a fixed value or a value provided at the time of enrollment.
| Display name | REST API attribute name | OID |
|---|---|---|
| LEI-Role | extensions.lei_role | 1.3.6.1.4.1.5916.1.4.1 |
The following example illustrates the JSON format for the LEI-Role object in an API request.

```json
"extensions": {
  "lei_role": {
    "value": "9867000000015043",
    "critical": false
  }
}
```

The Security identifier (SID) extension associates a certificate with a Windows security principal by embedding the unique identifier of a user, group, or computer account. Windows domain controllers use it for strong certificate mapping in Active Directory (AD) domains (introduced with the KB5014754 updates): the certificate is bound to the account's objectSid rather than to a name that can change or be reused. Because the SID decides which account the certificate authenticates as, a value supplied at enrollment must be taken from the directory object of the principal being enrolled, not from untrusted request input. Trust Lifecycle Manager supports the SID extension in various base templates for users, devices, or servers.
| Display name | REST API attribute name | OID |
|---|---|---|
| Security identifier | extensions.security_identifier.additional_values[] | 1.3.6.1.4.1.311.25.2 |
The following example illustrates the JSON format for the SID object in an API request. The additional_values array must include a single object with:

- oid set to 1.3.6.1.4.1.311.25.2.1
- value set to the Windows SID to add

```json
"extensions": {
  "security_identifier": {
    "additional_values": [
      {
        "oid": "1.3.6.1.4.1.311.25.2.1",
        "value": "S-1-5-21-1167576838-571283062-3552286512-507"
      }
    ]
  }
}
```

To include the SID as a fixed value in issued certificates, enter only the Windows SID value itself in the Extensions > Security identifier field of the certificate profile.
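The following is an added example, written for this page and not DigiCert's own code, that covers the LEI, LEI-Role and SID objects above. It checks an LEI's ISO 17442 check digits and a SID's format before building the extensions object in the JSON layout shown, and it DER-encodes and decodes the SID extension value in the layout Windows uses for OID 1.3.6.1.4.1.311.25.2, so you can confirm what an issued certificate actually carries. The function names, the sample values (taken from the examples on this page) and the rule that only domain account SIDs are accepted are this example's own assumptions.

```python
"""Check LEI and SID values before they go into a Trust Lifecycle Manager
enrollment request, and DER-encode/decode the SID extension value as it
appears in an issued certificate.  Added example, not DigiCert code: the LEI
check-digit rule is ISO 17442 (ISO 7064 MOD 97-10), the extension layout is
Microsoft's szOID_NTDS_CA_SECURITY_EXT; the domain-SID-only rule is our choice."""
import re

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"      # szOID_NTDS_CA_SECURITY_EXT (the extension)
SID_VALUE_OID = "1.3.6.1.4.1.311.25.2.1"  # szOID_NTDS_OBJECTSID (OtherName type-id)

# Accept only domain account SIDs (S-1-5-21-<domain>-<RID>); well-known and
# BUILTIN SIDs such as S-1-5-32-544 must never be mapped to a certificate.
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d{1,10}")


def lei_is_valid(lei: str) -> bool:
    """18 alphanumerics + 2 check digits; with A..Z read as 10..35 the whole
    string, taken as a decimal number, must be congruent to 1 mod 97."""
    if not re.fullmatch(r"[0-9A-Z]{18}[0-9]{2}", lei):
        return False
    return int("".join(str(int(ch, 36)) for ch in lei)) % 97 == 1


def sid_is_valid(sid: str) -> bool:
    return DOMAIN_SID_RE.fullmatch(sid) is not None


def build_extensions(lei=None, lei_role=None, sid=None) -> dict:
    """The "extensions" object of a request, in the JSON layout shown on this
    page; malformed values are refused before anything is sent to the API."""
    ext = {}
    if lei is not None:
        if not lei_is_valid(lei):
            raise ValueError(f"bad LEI: {lei!r}")
        ext["lei"] = {"value": lei, "critical": False}
    if lei_role is not None:
        ext["lei_role"] = {"value": lei_role, "critical": False}
    if sid is not None:
        if not sid_is_valid(sid):
            raise ValueError(f"not a domain account SID: {sid!r}")
        ext["security_identifier"] = {
            "additional_values": [{"oid": SID_VALUE_OID, "value": sid}]}
    return {"extensions": ext}


# Minimal DER helpers, enough for the one structure handled here.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]         # base-128 groups, low group first ...
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # ... emitted high group first
    return _tlv(0x06, bytes(out))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, end offset) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_sid_extension(sid: str) -> bytes:
    """SEQUENCE { [0] OtherName { OID szOID_NTDS_OBJECTSID, [0] OCTET STRING sid } }"""
    if not sid_is_valid(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    other_name = _der_oid(SID_VALUE_OID) + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, other_name))


def decode_sid_extension(der: bytes) -> str:
    """Inverse of encode_sid_extension. Every tag and length is checked, so a
    value with a different shape is rejected instead of being misread."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected outer SEQUENCE")
    tag, other_name, end = _read_tlv(seq, 0)
    if tag != 0xA0 or end != len(seq):
        raise ValueError("expected [0] OtherName")
    tag, _, pos = _read_tlv(other_name, 0)
    if tag != 0x06 or other_name[:pos] != _der_oid(SID_VALUE_OID):
        raise ValueError("OtherName type-id is not szOID_NTDS_OBJECTSID")
    tag, inner, end = _read_tlv(other_name, pos)
    if tag != 0xA0 or end != len(other_name):
        raise ValueError("expected [0] value wrapper")
    tag, sid_bytes, end = _read_tlv(inner, 0)
    if tag != 0x04 or end != len(inner):
        raise ValueError("expected OCTET STRING")
    sid = sid_bytes.decode("ascii")
    if not sid_is_valid(sid):
        raise ValueError(f"decoded SID is not a domain account SID: {sid!r}")
    return sid


if __name__ == "__main__":
    sid = "S-1-5-21-1167576838-571283062-3552286512-507"  # the SID from this page
    print(build_extensions(lei="529900T8BM49AURSDO55", sid=sid))
    print(decode_sid_extension(encode_sid_extension(sid)))
```

To check an issued certificate rather than a request, read the raw extension bytes with the cryptography library (the extension is unrecognized to it, so `cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(SID_EXT_OID)).value.value` returns the DER value) and pass them to `decode_sid_extension`; comparing the result with the account's objectSid in the directory confirms that the certificate maps to the principal that was meant to be enrolled.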