| Field | VPN IPsec Certificate Value |
| Version | V3 (2) |
| Serial Number | Must be unique |
| Issuer Signature Algorithm | sha-1WithRSAEncryption |
| Issuer Distinguished Name | cn=ORC ACES <CA Name>, o=ORC PKI, c=US |
| Validity Period | 2 years from date of issue |
| Subject Distinguished Name | cn=<Host URL | IP Address | Host Name>, ou=<Department/Agency>, o=<Organization>, c=US |
| Subject Public Key Information | 1024 bit RSA key modulus, rsaEncryption |
| Issuer Unique Identifier | Not Present |
| Subject Unique Identifier | Not Present |
| Issuer’s Signature | sha-1WithRSAEncryption |
| Extensions | |
| Authority Key Identifier | c=no; octet string |
| Subject Key Identifier | c=no; octet string |
| Key Usage | c=yes; digitalSignature |
| Extended Key Usage | {1.3.6.1.5.5.7.3.1}, {1.3.6.1.5.5.7.3.2}, {1.3.6.1.5.5.7.3.5}, {1.3.6.1.5.5.7.3.6}, {1.3.6.1.5.5.7.3.7}, {1.3.6.1.5.5.8.2.2} |
| Private Key Usage Period | Not Present |
| Certificate Policies | c=no; {2 16 840 1 101 3 21 1 10}; optional: id-fpki-common-devices::={2 16 840 1 101 3 2 1 3 6} |
| Policy Mapping | Not Present |
| Subject Alternative Name | c=no; always present, Host URL | IP Address | Host Name | RFC822Name |
| Issuer Alternative Name | Not Present |
| Subject Directory Attributes | Not Present |
| Basic Constraints | c=yes; cA=false |
| Name Constraints | Not Present |
| Policy Constraints | Not Present |
| Authority Information Access | c=no; ocsp=http://eva.orc.com , caIssuers=ldap://aces-ds.orc.com/cn=ORC ACES <CA Name>, o=ORC PKI, c=US?cacertificate;binary, caIssuers=http://aces.orc.com/caCerts/<CAType>.p7b |
| CRL Distribution Points | c=no; always present, {ldap://aces-ds.orc.com/cn=ORC ACES <CA Name>, o=ORC PKI, c=US?certificaterevocationlist;binary} {http://aces.orc.com/CRLs/<CAType>.crl} |
