Field | Mozilla | Gmail | US Federal
Version: Version 3
Serial Number: Unique positive integer
Signature Algorithm: Choice of the following algorithms:
id-RSASSA-PSS (1.2.840.113549.1.1.10)
sha256WithRSAEncryption (1.2.840.113549.1.1.11)
sha384WithRSAEncryption (1.2.840.113549.1.1.12)
sha512WithRSAEncryption (1.2.840.113549.1.1.13)
ecdsa-with-Sha256 (1.2.840.10045.4.3.2)
ecdsa-with-Sha384 (1.2.840.10045.4.3.3)
ecdsa-with-Sha512 (1.2.840.10045.4.3.4)

For id-RSASSA-PSS, specify the SHA-256 hash algorithm (2.16.840.1.101.3.4.2.1) as a parameter. For all other RSA algorithms the parameters field is NULL.
Issuer DN: MUST identify the CA.
For example, the DN must not be a generic value such as "Certificate Authority."
Issuer DN must be encoded exactly as it is encoded in the Subject DN of this certificate.
Validity period: utcTime (YYMMDDHHMMSSZ) for dates up to and including 2049
generalTime (YYYYMMDDHHMMSSZ) for dates after 2049
Subject DN: The encoded form MUST be byte-for-byte identical with the Issuer DN.
Must be meaningful and must use one of the name forms specified
Subject Public Key Info: RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. ECDSA keys using one of the following curves: P-256, P-384
rsaEncryption with an RSA modulus of 2048, 3072, or 4096.
Or ecPublicKey using secp256r1 or secp384r1.
Subject Public Key Info: Must be either RSA or elliptic curve:
RSA Encryption (1.2.840.113549.1.1.1)
Elliptic Curve (1.2.840.10045.2.1)

For RSA, modulus must be 2048, 3072, or 4096 bits and the parameters field is NULL. For EC, public key must be encoded in uncompressed form. ECParameters is one of the following curves:
Curve P-256 (1.2.840.10045.3.1.7)
Curve P-384 (1.3.132.0.34)

For RSA certificates that expire after 12/31/2030, the minimum key size is 3072.
Extension
Key Usage: Critical = TRUE

keyCertSign, cRLSign
Basic Constraints: Critical = TRUE

cA:TRUE
Path length constraints should not be included.
Subject Key Identifier: Derived using a cryptographic hash of the public key.
Subject Information Access: Optional

id-ad-caRepository (1.3.6.1.5.5.7.48.5) containing an HTTP URI pointing to a file that has an extension of .p7c. The file is a certs-only Cryptographic Message Syntax file (RFC 5751) that includes valid CA certificates issued by the subject CA.
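
An added example, not part of the original spreadsheet or of any listed program's tooling: a standard-library Python check of three rows above (Signature Algorithm, Issuer/Subject DN byte identity, Validity time type) over a DER tbsCertificate. All function names and the truncated sample certificate are constructed for illustration.

```python
ALLOWED_SIG_OIDS = {"1.2.840.113549.1.1." + s for s in ("10", "11", "12", "13")} | {
    "1.2.840.10045.4.3." + s for s in ("2", "3", "4")}   # Signature Algorithm row

def children(der):   # split DER bytes into (tag, value, full_encoding) elements
    out, pos = [], 0
    while pos < len(der):
        start, tag, length, pos = pos, der[pos], der[pos + 1], pos + 2
        if length & 0x80:                       # long-form length octets
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        out.append((tag, der[pos:pos + length], der[start:pos + length]))
        pos += length
    return out

def decode_oid(v):
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                        # last octet of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def lint_tbs(tbs_der):
    """Return the profile violations found in a DER tbsCertificate."""
    fields = children(children(tbs_der)[0][1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip [0] version
    _serial, sigalg, issuer, validity, subject = fields[:5]
    problems = []
    oid = decode_oid(children(sigalg[1])[0][1])
    if oid not in ALLOWED_SIG_OIDS:
        problems.append("signature algorithm not allowed: " + oid)
    if issuer[2] != subject[2]:                 # compare raw encodings, not text
        problems.append("issuer and subject DN encodings differ")
    for tag, value, _ in children(validity[1]):
        if tag == 0x18 and int(value[:4]) <= 2049:   # GeneralizedTime too early
            problems.append("generalTime used for a date up to 2049")
    return problems

def tlv(tag, body):   # short-form DER encoder, only for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_tbs(subject_tag, not_after):   # constructed; no key or extensions
    dn = lambda t: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03")
                                           + tlv(t, b"Example Root"))))
    sig = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + not_after)
    return tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig
               + dn(0x0C) + validity + dn(subject_tag))

if __name__ == "__main__":
    print(lint_tbs(sample_tbs(0x13, tlv(0x18, b"20300101000000Z"))))
```

The sample with subject tag 0x13 carries the same text as the issuer but as a PrintableString instead of a UTF8String, which is enough to fail the byte-for-byte comparison.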