US Higher Education Root (USHER)
Certification Authority
CA1
Certificate Profile for
Subscriber Authority Certificates

Version 1.03 : April 19, 2007

Field Name Value Type Value or Example Specified Explanation

Version integer 0x2 Y A version 3 certificate is specified

Serial Number a unique integer 7C Y

Signature Algorithm Algorithm SHA1/RSA Y

Issuer DN cn=USHER CA1 v1, ou=CA1, o=US Higher Education Root, c=US Y USHER did not use DC Naming to avoid potential interoperability problems.

Validity Time Valid until February 26, 2026 Y Expires the day before the USHER CA1 root certificate. We plan to rekey after 10 years. Sooner if needed, perhaps later if possible so Subscribers will most likely need new Authority Certificates before the 20 year period expires.

Subject DN cn=SubscriberCA Name, ou=OrganizationalUnit, o=Organization, l=OrgCity, s=OrgState, c= Two-Letter ISO 3166 Country Code N DN as specified by the Subscriber in its certificate request. CN must be a commonly used name for the Subscriber CA. If the Subscriber is a US organization, then C=US and S=Org State. If the Subscriber is not a US organization, then C=Two-letter ISO 3166 country code and S= is optional. OU is optional except where needed to ensure name uniqueness.

Public Key RSA Y Subscribers are required to use a 2048 bit RSA key pair. USHER CA1 will sign certificate requests that contain a 1024 bit RSA key only upon special approval from the USHER Policy Authority but for a shorter, 10-year validity period.

Certificate Extensions

Key Usage Certificate Signing, CRL Signing(06) Y This extension will be marked critical

Basic Constraints Constraints CA=true Y Critical

Certificate Policy anyPolicy OID 2.5.29.32.0 Y Not critical

CPS Pointer URI https://www.usherca.org/practices/ca1/cps.pdf Y Not critical. A redacted version of the practices document will be made available on-line in PDF format

CRL Distribution Points URI http://h1.usherca.org/crl/ca1.crl
http://h2.usherca.org/crl/ca1.crl Y NonCritical; USHER CA1 will issue CRLs and make them available via http. USHER CA1 will issue a new CRL at least each month (31 days) and by the end of the next business day after receiving any request to revoke a certificate.

Authority Information Access URI
id-ad-caIssuers http://h1.usherca.org/aia/ca1-certs.p7b
http://h2.usherca.org/aia/ca1-certs.p7b Y At least two AIA URLs located at different points on the Internet will be specified.

Authority Key Identifier KeyID See RFC-3280 for details Y Not critical. Only the keyIdentifier field will be populated.

Subject Key Identifier KeyID See RFC-3280 for details Y Not critical. Only the keyIdentifier field will be populated.

Field Name	Value Type	Value or Example	Specified	Explanation
Version	integer	0x2	Y	A version 3 certificate is specified
Serial Number	a unique integer	7C	Y
Signature Algorithm	Algorithm	SHA1/RSA	Y
Issuer	DN	cn=USHER CA1 v1, ou=CA1, o=US Higher Education Root, c=US	Y	USHER did not use DC Naming to avoid potential interoperability problems.
Validity	Time	Valid until February 26, 2026	Y	Expires the day before the USHER CA1 root certificate. We plan to rekey after 10 years. Sooner if needed, perhaps later if possible so Subscribers will most likely need new Authority Certificates before the 20 year period expires.
Subject	DN	cn=SubscriberCA Name, ou=OrganizationalUnit, o=Organization, l=OrgCity, s=OrgState, c= Two-Letter ISO 3166 Country Code	N	DN as specified by the Subscriber in its certificate request. CN must be a commonly used name for the Subscriber CA. If the Subscriber is a US organization, then C=US and S=Org State. If the Subscriber is not a US organization, then C=Two-letter ISO 3166 country code and S= is optional. OU is optional except where needed to ensure name uniqueness.
Public Key	RSA		Y	Subscribers are required to use a 2048 bit RSA key pair. USHER CA1 will sign certificate requests that contain a 1024 bit RSA key only upon special approval from the USHER Policy Authority but for a shorter, 10-year validity period.
Certificate Extensions
Key Usage		Certificate Signing, CRL Signing(06)	Y	This extension will be marked critical
Basic Constraints	Constraints	CA=true	Y	Critical
Certificate Policy	anyPolicy OID	2.5.29.32.0	Y	Not critical
CPS Pointer	URI	https://www.usherca.org/practices/ca1/cps.pdf	Y	Not critical. A redacted version of the practices document will be made available on-line in PDF format
CRL Distribution Points	URI	http://h1.usherca.org/crl/ca1.crl http://h2.usherca.org/crl/ca1.crl	Y	NonCritical; USHER CA1 will issue CRLs and make them available via http. USHER CA1 will issue a new CRL at least each month (31 days) and by the end of the next business day after receiving any request to revoke a certificate.
Authority Information Access	URI id-ad-caIssuers	http://h1.usherca.org/aia/ca1-certs.p7b http://h2.usherca.org/aia/ca1-certs.p7b	Y	At least two AIA URLs located at different points on the Internet will be specified.
Authority Key Identifier	KeyID	See RFC-3280 for details	Y	Not critical. Only the keyIdentifier field will be populated.
Subject Key Identifier	KeyID	See RFC-3280 for details	Y	Not critical. Only the keyIdentifier field will be populated.

Notes:

Specified column legend

Y	The profile specifies the use of this field as documented.
N	The profile does not specify the usage but may recommend a way to use the field.
italics	Example of an optional element.

The USHER Policy Authority may change this profile from time to time as technology advances.

US Higher Education Root (USHER) Certification Authority CA1 Certificate Profile for Subscriber Authority Certificates

US Higher Education Root (USHER)
Certification Authority
CA1
Certificate Profile for
Subscriber Authority Certificates