Bring profiles into the modern day

aarongable · aarongable · commit be0fc314fc02 · 2025-10-15T15:41:11.000-07:00
Overhaul Section 7.1 Profiles, with two goals in mind: - Removing deprecated pieces of our profiles, such as OCSP and the `Internet Security Research Group` Organization Name. - Giving them the same format as the profiles in Section 7.1 of the Baseline Requirements. Fixes #188 Fixes #304
diff --git a/CP-CPS.md b/CP-CPS.md
@@ -988,54 +988,115 @@ See [Section 5.5.5](#555-requirements-for-time-stamping-of-records).
 
 ## 7.1 Certificate profile
 
-All fields are as specified in RFC 5280 and the Baseline Requirements, including fields and extensions not specifically mentioned.
-
-### Root CA Certificate
-
-| Field or extension             | Value                                                                   |
-| ------------------------------ | ------------------------------------------------------------------------|
-| Serial Number                  | Unique, with 64 bits of output from a CSPRNG                            |
-| Issuer Distinguished Name      | C=US, O=Internet Security Research Group or O=ISRG, and a meaningful CN |
-| Subject Distinguished Name     | Same as Issuer DN                                                       |
-| Validity Period                | Up to 25 years                                                          |
-| Basic Constraints              | cA=True, pathLength constraint absent (critical)                        |
-| Subject Public Key             | See Sections 6.1.5, 6.1.6, and 7.1.3.1                                  |
-| Key Usage                      | keyCertSign, cRLSign (critical)                                         |
-
-### Subordinate CA Certificate
-
-| Field or extension             | Value                                                                         |
-| ------------------------------ | ----------------------------------------------------------------------------- |
-| Serial Number                  | Unique, with 64 bits of output from a CSPRNG                                  |
-| Issuer Distinguished Name      | Derived from Issuer certificate                                               |
-| Subject Distinguished Name     | C=US, O=Let's Encrypt, and a meaningful CN                                    |
-| Validity Period                | Up to 8 years                                                                 |
-| Basic Constraints              | cA=True, pathLength constraint 0 (critical)                                   |
-| Key Usage                      | keyCertSign, cRLSign, digitalSignature (critical)                             |
-| Extended Key Usage             | TLS Server Authentication and optionally TLS Client Authentication            |
-| Certificate Policies           | CAB Forum Domain Validated (2.23.140.1.2.1)                                   |
-| Authority Information Access   | Contains CA Issuers URL and optionally an OCSP URL; URLs vary based on Issuer |
-| Subject Public Key             | See Sections 6.1.5, 6.1.6, and 7.1.3.1                                        |
-| CRL Distribution Points        | Contains a CRL URL; URL varies based on Issuer                                |
-
-### DV-SSL Subscriber Certificate
-
-| Field or extension                | Value                                                                             |
-| --------------------------------- | --------------------------------------------------------------------------------- |
-| Serial Number                     | Unique, with 64 bits of output from a CSPRNG                                      |
-| Issuer Distinguished Name         | Derived from Issuer certificate                                                   |
-| Subject Distinguished Name        | CN=none, or one of the values from the Subject Alternative Name extension         |
-| Validity Period                   | Up to 100 days                                                                    |
-| Basic Constraints                 | cA=False (critical)                                                               |
-| Key Usage                         | digitalSignature, and optionally keyEncipherment (critical)                       |
-| Extended Key Usage                | TLS Server Authentication and optionally TLS Client Authentication                |
-| Certificate Policies              | CAB Forum Domain Validated (2.23.140.1.2.1)                                       |
-| Authority Information Access      | Contains CA Issuers URL and optionally an OCSP URL; URLs vary based on Issuer     |
-| Subject Public Key                | See Sections 6.1.5, 6.1.6, and 7.1.3.1                                            |
-| Subject Alternative Name          | A sequence of 1 to 100 dNSNames or ipAddresses (critical if no CN)                |
-| Precertificate poison             | Per RFC 6962 (precertificates only, critical)                                     |
-| Signed Certificate Timestamp List | Per RFC 6962 (final certificates only)                                            |
-| CRL Distribution Point            | If present, contains a URI to the CRL shard whose scope includes this certificate |
+All certificates issued by ISRG are issued in accordance with exactly one of the following profiles.
+
+### Root CA Certificate Profile
+
+| **Field**                      | **Description** |
+| ----                           | ------          |
+| `tbsCertificate`               | |
+|     `version`                  | See [Section 7.1.1](#711-version-numbers) |
+|     `serialNumber`             | Approximately 128 bits, including at least 64 bits of output from a CSPRNG |
+|     `signature`                | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
+|     `issuer`                   | C=US, O=ISRG, and a meaningful CN |
+|     `validity`                 | At most 9132 days |
+|     `subject`                  | Byte-for-byte identical to the `issuer` field |
+|     `subjectPublicKeyInfo`     | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
+|     `issuerUniqueID`           | Not present |
+|     `subjectUniqueID`          | Not present |
+|     `extensions`               | |
+|         `basicConstraints`     | Critical, with `cA` set to true |
+|         `keyUsage`             | Critical, with the `keyCertSign` (5) and `cRLSign` (6) bits set |
+|         `subjectKeyIdentifier` | Contains a truncated hash of the `subjectPublicKey`, per Section 2(1) of RFC 7093 |
+|         Any other extension    | Not present |
+| `signatureAlgorithm`           | Byte-for-byte identical to the `tbsCertificate.signature` |
+| `signatureValue`               | A signature appropriate to the `signatureAlgorithm` field |
+
+### Cross-Certified Subordinate CA Certificate Profile
+
+| **Field**                            | **Description** |
+| ----                                 | ------          |
+| `tbsCertificate`                     | |
+|     `version`                        | See [Section 7.1.1](#711-version-numbers) |
+|     `serialNumber`                   | Approximately 128 bits, including at least 64 bits of output from a CSPRNG |
+|     `signature`                      | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
+|     `issuer`                         | Byte-for-byte identical to the `subject` field of the Issuing CA |
+|     `validity`                       | At most 8 years |
+|     `subject`                        | Byte-for-byte identical to the `subject` field of the existing CA Certificate |
+|     `subjectPublicKeyInfo`           | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
+|     `issuerUniqueID`                 | Not present |
+|     `subjectUniqueID`                | Not present |
+|     `extensions`                     | |
+|         `authorityInformationAccess` | Contains the HTTP URI of the Issuing CA's Certificate |
+|         `authorityKeyIdentifier`     | Byte-for-byte identical to the `subjectKeyIdentifier` of the Issuing CA |
+|         `basicConstraints`           | Critical, with `cA` set to true |
+|         `certificatePolicies`        | Contains the Baseline Requirements Domain Validated Reserved Policy Identifier (OID 2.23.140.1.2.1) |
+|         `crlDistributionPoints`      | Contains the HTTP URI of a CRL issued by the Issuing CA |
+|         `keyUsage`                   | Critical, with the `keyCertSign` (5) and `cRLSign` (6) bits set |
+|         `subjectKeyIdentifier`       | Byte-for-byte identical to the `subjectKeyIdentifier` of the existing CA Certificate |
+|         Any other extension          | Not present |
+| `signatureAlgorithm`                 | Byte-for-byte identical to the `tbsCertificate.signature` |
+| `signatureValue`                     | A signature appropriate to the `signatureAlgorithm` field |
+
+### TLS Subordinate CA Certificate Profile
+
+| **Field**                            | **Description** |
+| ----                                 | ------          |
+| `tbsCertificate`                     | |
+|     `version`                        | See [Section 7.1.1](#711-version-numbers) |
+|     `serialNumber`                   | Approximately 128 bits, including at least 64 bits of output from a CSPRNG |
+|     `signature`                      | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
+|     `issuer`                         | Byte-for-byte identical to the `subject` field of the Issuing CA |
+|     `validity`                       | At most 8 years |
+|     `subject`                        | C=US, O=Let's Encrypt, and a meaningful CN |
+|     `subjectPublicKeyInfo`           | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
+|     `issuerUniqueID`                 | Not present |
+|     `subjectUniqueID`                | Not present |
+|     `extensions`                     | |
+|         `authorityInformationAccess` | Contains the HTTP URI of the Issuing CA's Certificate |
+|         `authorityKeyIdentifier`     | Byte-for-byte identical to the `subjectKeyIdentifier` of the Issuing CA |
+|         `basicConstraints`           | Critical, with `cA` set to true and `pathLenConstraint` set to 0 |
+|         `certificatePolicies`        | Contains the Baseline Requirements Domain Validated Reserved Policy Identifier (OID 2.23.140.1.2.1) |
+|         `crlDistributionPoints`      | Contains the HTTP URI of a CRL issued by the Issuing CA |
+|         `extKeyUsage`                | Contains `id-kp-serverAuth` (OID 1.3.6.1.5.5.7.3.1) |
+|         `keyUsage`                   | Critical, with the `digitalSignature` (0), `keyCertSign` (5), and `cRLSign` (6) bits set |
+|         `subjectKeyIdentifier`       | Contains a truncated hash of the `subjectPublicKey`, per Section 2(1) of RFC 7093 |
+|         Any other extension          | Not present |
+| `signatureAlgorithm`                 | Byte-for-byte identical to the `tbsCertificate.signature` |
+| `signatureValue`                     | A signature appropriate to the `signatureAlgorithm` field |
+
+### Subscriber (Server) Certificate Profile
+
+| **Field**                                | **Description** |
+| ----                                     | ------          |
+| `tbsCertificate`                         | |
+|     `version`                            | See [Section 7.1.1](#711-version-numbers) |
+|     `serialNumber`                       | Approximately 144 bits, including at least 64 bits of output from a CSPRNG |
+|     `signature`                          | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
+|     `issuer`                             | Byte-for-byte identical to the `subject` field of the Issuing CA |
+|     `validity`                           | At most 100 days |
+|     `subject`                            | CN omitted, or optionally contains one of the values from the Subject Alternative Name extension |
+|     `subjectPublicKeyInfo`               | See Sections [6.1.5](#615-key-sizes), [6.1.6](#616-public-key-parameters-generation-and-quality-checking), and [7.1.3.1](#7131-subjectpublickeyinfo) |
+|     `issuerUniqueID`                     | Not present |
+|     `subjectUniqueID`                    | Not present |
+|     `extensions`                         | |
+|         `authorityInformationAccess`     | Contains the HTTP URI of the Issuing CA's Certificate |
+|         `authorityKeyIdentifier`         | Byte-for-byte identical to the `subjectKeyIdentifier` of the Issuing CA |
+|         `basicConstraints`               | Critical, with `cA` set to false |
+|         `certificatePolicies`            | Contains the Baseline Requirements Domain Validated Reserved Policy Identifier (OID 2.23.140.1.2.1) |
+|         `crlDistributionPoints`          | Contains the HTTP URI of a CRL issued by the Issuing CA |
+|         `extKeyUsage`                    | Contains `id-kp-serverAuth` (OID 1.3.6.1.5.5.7.3.1), and optionally `id-kp-clientAuth` (OID 1.3.6.1.5.5.7.3.2) |
+|         `keyUsage`                       | Critical, with the `digitalSignature` (0) bit set, and optionally the `keyEnciperment` (2) bit set |
+|         `SignedCertificateTimestampList` | Contains at least two SCTs from logs run by different operators |
+|         `subjectAltName`                 | A sequence of 1 to 100 names of type `dNSName` or `ipAddress` (critical if CN omitted) |
+|         `subjectKeyIdentifier`           | Optionally contains a truncated hash of the `subjectPublicKey`, per Section 2(1) of RFC 7093 |
+|         Any other extension              | Not present |
+| `signatureAlgorithm`                     | Byte-for-byte identical to the `tbsCertificate.signature` |
+| `signatureValue`                         | A signature appropriate to the `signatureAlgorithm` field |
+
+### Precertificate Profile
+
+Identical to the Subscriber (Server) Certificate Profile, except that the `SignedCertificateTimestampList` extension is omitted, and a critical "CT poison" extension (OID 1.3.6.1.4.1.11129.2.4.3) is included. ISRG Precertificates are issued directly by the Issuing CA, not by a delegated Precertificate Signing CA.
 
 ### 7.1.1 Version number(s)
 
