This article describes the requirements that each certificate in an X.509 chain must meet to be trusted for use with encrypted or S/MIME-signed email.
In addition to these requirements, the chain must anchor to a Certificate Authority (CA) certificate that is explicitly trusted by Google for this purpose. You can also choose to accept root certificates from CAs you trust. For more information, go to root certificate guidelines.
Notes:
- Google provides and maintains a list of CA certificates trusted by Gmail for S/MIME. The list of CAs is trusted solely at Google's discretion. Google retains the right to remove root CAs at any time without notice.
- Make sure installed extensions don't contradict other extensions in the same certificate. For example, if nsCertTypes are defined, they must cover the exact same uses as the key usage extension, extended key usage extension, and basic constraints extension.
Certificate chain rules
Root CA
| Field | Value |
|---|---|
|
Issuer DN |
Must identify the CA. For example, the DN must not be a generic value such as "Certificate Authority." |
|
Subject DN |
The encoded form must be byte-for-byte identical with the Issuer DN. |
|
Subject Public Key Info |
rsaEncryption with an RSA modulus of 2048, 3072, or 4096. Or ecPublicKey using secp256r1 or secp384r1. |
Intermediate CA certificates other than from issuing intermediate CA
Use this information if there's more than one intermediate CA between the root and end entity, directly or indirectly.
The issuing intermediate CA is the intermediate CA that issues the end entity certificate. This section is applicable to any intermediate CAs in the chain other than the issuing intermediate CA.
| Field | Value | ||
|---|---|---|---|
| Version | Version 3 | ||
| Serial Number | Must be greater than zero (0). When DER encoded as an INTEGER, must be less than or equal to 20 bytes. | ||
| Signature Algorithm | RSA with SHA‐256, SHA‐384, or SHA‐512. Or ECDSA with SHA‐256, SHA‐384, or SHA‐512 | ||
| Issuer DN |
Must be byte-for-byte identical with the Subject DN of the issuing CA. |
||
| Validity Period | No stipulation | ||
| Subject DN | No stipulation | ||
| Subject Public Key Info |
rsaEncryption with an RSA modulus of 2048, 3072, or 4096. Or ecPublicKey using secp256r1 or secp384r1 |
||
| Extension | Presence | Critical | Value |
| Key Usage | Required | Yes |
Bit positions must be set for: keyCertSign |
| Basic Constraints | Required | Yes | cA field must be set true pathLenConstraint field should be present |
| CRL Distribution Points | Required | No |
At least one publicly accessible HTTP |
| (note) | Revocation servers must comply with the following sections of the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, version 1.3.2 or greater:
|
||
| Any other extensions | May be present | ||
Intermediate CA certificate that issues the end entity
Important: At least one intermediate CA certificate must be present in the chain. That is, the root must not issue end-entity certificates directly.
| Field | Value | ||
|---|---|---|---|
| Version | Version 3 | ||
| Serial Number | Must be greater than zero (0), and, when DER encoded as an INTEGER, be less than or equal to 20 bytes. | ||
| Signature Algorithm |
RSA with SHA‐256, SHA‐384, or SHA‐512. Or ECDSA with SHA‐256, SHA‐384, or SHA‐512. |
||
| Issuer DN |
Must be byte-for-byte identical with the Subject DN of the issuing CA. |
||
| Validity Period |
Difference between notBefore and notAfter Should not be longer than 10 years and must not be longer than 20 years. |
||
| Subject DN |
Should indicate the use of the CA. |
||
| Subject Public Key Info |
rsaEncryption with an RSA modulus of 2048, 3072, or 4096. Or ecPublicKey using secp256r1 or secp384r1 |
||
| Extension | Presence | Critical | Value |
| Key Usage | Required | Yes |
Bit positions must be set for: Other bit positions must not be set |
| Extended Key Usage | Required | Either | Must be present: emailProtection Must not be present: serverAuth codeSigning timeStamping anyExtendedKeyUsage |
|
Basic Constraints |
Required | Yes |
cA field must be set true |
| Certificate Policies | Optional | No |
A policyIdentifier SHOULD be provided that identifies the policy under which the CA operates, and SHOULD NOT be anyPolicy. |
| CRL Distribution Points | Required | No |
At least one publicly accessible HTTP |
| (note) |
Revocation servers must operated in accordance with the following sections of the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, version 1.3.2 or greater:
|
||
| Any other extensions | Optional | No |
May be present. |
End-entity certificate
| Field | Value | ||
|---|---|---|---|
| Version | Version 3 | ||
| Serial Number |
Must be greater than zero (0) and must contain at least 64 unpredictable bits. Note: Will be updated to reflect CA/Browser Forum Baseline Requirements Certificate Policy end entity serial number entropy requirements. |
||
| Signature Algorithm | RSA with SHA‐256, SHA‐384, or SHA‐512. Or ECDSA with SHA‐256, SHA‐384, or SHA‐512. | ||
| Issuer DN |
Must be byte-for-byte identical with the Subject DN of the issuing CA. |
||
| Validity Period |
Difference between notBefore and notAfter must not be longer than 27 months. notBefore time must represent time of signature plus or minus 48 hours. |
||
| Subject DN |
Any Subject Relative Distinguished Names other than email address must be rigorously validated before issuance, using a publicly documented and audited procedure. Refer to Section 3.2.3 “Authentication of Individual Identity” of the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, version 1.3.2 or greater for an acceptable procedure. Any email addresses (for example, in commonName or emailAddress fields) must also be present in the Subject Alternate Name extension as an rfc822Name. |
||
| Subject Public Key Info |
rsaEncryption with an RSA modulus of 2048, 3072, or 4096. Or ecPublicKey using secp256r1 or secp384r1 |
||
| Extension | Presence | Critical | Value |
| Key Usage (RSA) | Required | Yes |
Bit positions must be set for either: Other bit positions must not be set. |
| Key Usage (ECDH) | Required |
Bit positions must be set for: Other bit positions must not be set. |
|
| Extended Key Usage | Required | Either |
Must be present: |
|
Basic Constraints |
Optional | Either |
If present, cA field must not be set true |
| Certificate Policies | Required | No |
Must be present: A policyIdentifier must be provided that identifies the policy under which the certificate was issued, and must not be anyPolicy. May be present: cps, if present, must contain a valid HTTP or HTTPS link to the CPS under which the certificate was issued. |
|
Authority Information Access |
Optional | No |
caIssuers and, if present, ocsp, must contain at least one publicly accessible HTTP uniformResourceIdentifier. AccessDescription must not contain any labels or parameters that are specific to an individual certificate. |
| CRL Distribution Points | Required | No |
At least one publicly accessible |
|
(note) |
Revocation servers must operate in accordance with the following sections of the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, version 1.3.2 or greater:
|
||
|
Subject Alternative Name |
Required | No |
Must contain at least one item of type rfc822Name. |
|
Any other extensions |
Optional | No | May be present. |
