Description: Provides details about the CA's certificate and all certificates that the CA will issue.

Transcription:

Boeing SecureBadge Medium G2 s

Description: Provides details about the CA's certificate and all certificates that the CA will issue.

Content Owner: Authentication Controls

All future revisions to this document shall be approved by the content owner prior to release.

Contents
Certificate Lifecycle
Object Identifiers (OIDs)
Root Certificate Authority Profile(s)
  Boeing PCA G2
  Boeing PCA G2 to CBCA
  Boeing Medium Qualified Subordination
Issuing Certificate Authority Profile(s)
  Boeing SecureBadge Medium G2
Issued (s)
  Boeing Medium SecureBadge Identity
  Boeing Medium SecureBadge Signature
  Boeing Medium SecureBadge Encryption
  Boeing Medium SecureBadge Card Authentication
  Boeing Medium Enrollment Agent
  Boeing Medium Content Signer
  Boeing Medium Key Recovery Agent
  Boeing Medium CA Exchange
Revision Record

Certificate Lifecycle

This table depicts each certificate described within this document and the certificate's validity period in years.

Certificate | Type | Validity (years)
Boeing PCA G2 | Root CA | 20
Boeing SecureBadge Medium G2 | Issuing CA | 10
Boeing Medium Qualified Subordinate | Qualified Subordination | 7
Boeing Medium SecureBadge Identity | Issued Certificate | 3
Boeing Medium SecureBadge Signature | Issued Certificate | 3
Boeing Medium SecureBadge Encryption | Issued Certificate | 3
Boeing Medium SecureBadge Card Authentication | Issued Certificate | 3
Boeing Medium Enrollment Agent | Issued Certificate | 3
Boeing Medium Content Signer | Issued Certificate | 3
Boeing Medium Key Recovery Agent | Issued Certificate | 3
Boeing PCA G2 to CBCA | Cross Certificate | 1
Boeing CA Exchange | Issued Certificate | 1/52

Object Identifiers (OIDs)

The following table summarizes the Certificate Policy object identifiers (OIDs) used by the certificates detailed within this document.

OID Number | Description
1.3.6.1.4.1.73.15.3 | Boeing Public Key Infrastructure
1.3.6.1.4.1.73.15.3.1 | Boeing Certificate Policies
1.3.6.1.4.1.73.15.3.1.4 | Boeing Medium Assurance Software
1.3.6.1.4.1.73.15.3.1.5 | Boeing Medium Assurance Hardware
1.3.6.1.4.1.73.15.3.1.8 | Boeing Medium Assurance Software CBP
1.3.6.1.4.1.73.15.3.1.9 | Boeing Medium Assurance Hardware CBP
1.3.6.1.4.1.73.15.3.1.10 | Boeing Medium Assurance Hardware Card Authentication

Root Certificate Authority Profile(s)

Boeing PCA G2
Intended use: Establishes the Boeing SecureBadge Medium G2 CA's authority to issue MAH SecureBadge certificates.
Authorized RAs: None
Public Key
Extended
CN=Boeing PCA G2, OU=certservers, O=Boeing, C=US
20 years
CN=Boeing PCA G2, OU=certservers, O=Boeing, C=US
CA V0.0
Certificate Policies
Name
Basic Constraints
Octet String
All issuance policies
Octet String
critical=yes, Digital Signature, Non-Repudiation, Certificate Signing, Off-line CRL Signing, CRL Signing (0xc6)
critical=yes, Type=CA, Path Length Constraint=None

Boeing PCA G2 to CBCA
Intended use: Establishes the CertiPath Bridge CA certified trust by Boeing.
Authorized RAs: None
Public Key
Extended
CA
CN=Boeing PCA G2, OU=certservers, O=Boeing, C=US
1 year
CN=CertiPath Bridge CA, OU=Certification Authorities, O=CertiPath LLC, C=US
Octet String
Certificate Policies
(1.3.6.1.4.1.73.15.3.1.4)
(1.3.6.1.4.1.73.15.3.1.5)
(1.3.6.1.4.1.73.15.3.1.8)
(1.3.6.1.4.1.73.15.3.1.9)
Name
Basic Constraints
Inhibit Any Policy
Name Constraints
Policy Mapping
Octet String
URL=http://crl.boeing.com/crl/Boeing%20PCA%20G2.crl
URL=ldap://dir.boeing.com/CN=Boeing%20PCA%20G2,ou=pki,ou=certservers,o=boeing,c=us?certificaterevocationlist;binary
URL=http://crl.boeing.com/crl/BoeingPCAG2.p7c
URL=ldap://dir.boeing.com/CN=Boeing%20PCA%20G2,ou=pki,ou=certservers,o=boeing,c=us?crosscertificatepair;binary
critical=yes, Certificate Signing, Off-line CRL Signing, CRL Signing (0x06)
critical=yes, Type=CA, Path Length Constraint=None
skipcerts=0
critical=yes, optional, excluded subtrees:
  RFC822 Name: boeing.com
  RFC822 Name: .boeing.com
  DNS Name: boeing.com
  Directory Address: O=Boeing, C=US
(1.3.6.1.4.1.73.15.3.1.4)=(1.3.6.1.4.1.24019.1.1.1.17)
(1.3.6.1.4.1.73.15.3.1.5)=(1.3.6.1.4.1.24019.1.1.1.18)
(1.3.6.1.4.1.73.15.3.1.8)=(1.3.6.1.4.1.24019.1.1.1.20)
(1.3.6.1.4.1.73.15.3.1.9)=(1.3.6.1.4.1.24019.1.1.1.21)

Boeing Medium Qualified Subordination
Intended use: Identifies the qualified subordinate for the purposes of issuing cross certificates.
Business Rules: None specified
Authorized RAs: None
Public Key
CN=Boeing PCA G2, OU=certservers, O=Boeing, C=US
7 years
CN=<first><last>
Extended
Qualified Subordination (1.3.6.1.4.1.311.10.3.10)
Certificate Policies
Application Policies
Basic Constraints
Octet String
Octet String
URL=http://crl.boeing.com/crl/Boeing%20PCA%20G2.crl
URL=ldap://dir.boeing.com/CN=Boeing%20PCA%20G2,ou=pki,ou=certservers,o=boeing,c=us?certificaterevocationlist;binary
URL=http://crl.boeing.com/crl/BoeingPCAG2.p7c
URL=ldap://dir.boeing.com/CN=Boeing%20PCA%20G2,ou=pki,ou=certservers,o=boeing,c=us?crosscertificatepair;binary
Policy Identifier=Qualified Subordination
critical=yes, Type=End Entity, Path Length Constraint=None

Issuing Certificate Authority Profile(s)

Boeing SecureBadge Medium G2
Intended use: Establishes the MAH CA's authority to issue MAH SecureBadges.
Authorized RAs: MyID
Public Key
Extended
CN=Boeing PCA G2, OU=certservers, O=Boeing, C=US
10 years
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
CA.0
Octet String
Certificate Policies
(1.3.6.1.4.1.73.15.3.1.4) and (1.3.6.1.4.1.73.15.3.1.5)
(1.3.6.1.4.1.73.15.3.1.10)
Name
Basic Constraints
SubCA
Octet String
URL=http://crl.boeing.com/crl/Boeing%20PCA%20G2.crl
URL=ldap://dir.boeing.com/CN=Boeing%20PCA%20G2,ou=pki,ou=certservers,o=boeing,c=us?certificaterevocationlist;binary
URL=http://crl.boeing.com/crl/BoeingPCAG2.p7c
URL=ldap://dir.boeing.com/CN=Boeing%20PCA%20G2,ou=pki,ou=certservers,o=boeing,c=us?crosscertificatepair;binary
critical=yes, Digital Signature, Non-Repudiation, Certificate Signing, Off-line CRL Signing, CRL Signing (0xc6)
critical=yes, Type=CA, Path Length Constraint=0

Issued (s)

Boeing Medium SecureBadge Identity
Intended use: Identifies an individual for Windows/application logon, connection to the BoeingNet wireless network, and authentication to WSSO.
Business Rules: Base64 encoding of the certificate's public key published in the subject's directory entry in the people branch of EDS.
Authorized RAs: MyID
Public Key
Extended
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
CN=<first>.<mi>.<last>.<bemsid>, OU=people, O=boeing, C=us
Client Authentication (1.3.6.1.5.5.7.3.2), Smart Card Logon (1.3.6.1.4.1.311.20.2.2), id-pkinit-kpclientauth (1.3.6.1.5.2.3.4)
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Boeing Medium SecureBadge Identity
Template=(1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.7738237.9279910)
Major Number=100
Minor Number=13
Certificate Policies
(1.3.6.1.4.1.73.15.3.1.5)
Application Policies
Alternative Name
Principal Name = Windows UPN
URL : urn:uuid:<32 hex representing 128 bit GUID> (optional)
others optional
critical=yes, Digital Signature (0x80)

Boeing Medium SecureBadge Signature
Intended use: Identifies an individual for document and email signing.
Business Rules: None specified
Authorized RAs: MyID
Public Key
Extended
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
CN=<first>.<mi>.<last>.<bemsid>, OU=people, O=boeing, C=US
Document Signing (1.3.6.1.4.1.311.10.3.12), id-kpemailprotection (1.3.6.1.5.5.7.3.4), Adobe Authentic Document Trust (1.2.840.113583.1.1.5)
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Boeing Medium SecureBadge Signature
Template=(1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.8704232.9666639)
Major Number=100
Minor Number=10
Certificate Policies
critical=no; (1.3.6.1.4.1.73.15.3.1.5)
Application Policies
Alternative Name
RFC822 e-mail address,
URL : urn:uuid:<32 hex representing 128 bit GUID> (optional)
others optional
critical=yes, Digital Signature, Non-Repudiation (0xc0)

Boeing Medium SecureBadge Encryption
Intended use: Identifies an individual for use with email encryption.
Business Rules: None specified
Authorized RAs: MyID
Public Key
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
CN=<first>.<mi>.<last>.<bemsid>, OU=people, O=boeing, C=US
Extended
id-kp-emailprotection (1.3.6.1.5.5.7.3.4)
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Boeing Medium SecureBadge Encryption
Template=(1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.13573540.6827603)
Major Number=100
Minor Number=9
Certificate Policies
critical=no; (1.3.6.1.4.1.73.15.3.1.5)
Application Policies
Alternative Name
RFC822 e-mail address,
URL : urn:uuid:<32 hex representing 128 bit GUID> (optional)
others optional
critical=yes, Key Encipherment (0x20)

Boeing Medium SecureBadge Card Authentication
Intended use: Identifies a particular MAH SecureBadge.
Business Rules: None specified
Authorized RAs: MyID
Public Key
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
SERIALNUMBER=<serial number>, OU=securebadge, O=boeing, C=us
Extended
critical=yes, id-piv-cardauth (2.16.840.1.101.3.6.8)
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Boeing Medium SecureBadge Card Authentication
Template=(1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.138861.8480808)
Major Number=100
Minor Number=7
Certificate Policies
(1.3.6.1.4.1.73.15.3.1.10)
Application Policies
Alternative Name
URL=urn:uuid:<32 hex representing 128 bit GUID> (optional)
others optional
critical=yes, Digital Signature (0x80)

Boeing Medium Enrollment Agent
Intended use: Identifies the MyID service account for requesting MAH SecureBadge certificates.
Business Rules: None specified
Authorized RAs: None
Public Key
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
CN=MyID Service, OU=Service Accounts, OU=BADGE, DC=badge, DC=pki, DC=boeing, DC=net
Extended
Enrollment Agent (1.3.6.1.4.1.311.20.2.1)
Certificate Policies
Application Policies
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Boeing Medium Enrollment Agent
Template=(1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.5792733.2512321)
Major Number=100
Minor Number=8
critical=yes, Digital Signature (0x80)

Boeing Medium Content Signer
Intended use: Identifies the MyID service account to sign PIV content on the MAH SecureBadge.
Business Rules: None specified
Authorized RAs: None
Public Key
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
CN=MAHPIVContentSigner
Extended
critical=yes, id-fpki-pivi-content-signing (2.16.840.1.101.3.8.7)
Certificate Policies
Application Policies
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Template= Boeing Medium Content Signer (1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.14193373.13075180)
Major Number=100
Minor Number=8
critical=yes, Digital Signature (0x80)

Boeing Medium Key Recovery Agent
Intended use: Identifies the MyID service account as a key recovery agent.
Business Rules: None specified
Authorized RAs: None
Public Key
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
3 years
CN=MAHKeyRecoveryAgent
Extended
Key Recovery Agent (1.3.6.1.4.1.311.21.6)
Certificate Policies
Application Policies
SMIME Capabilities
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Template= Boeing Medium Key Recovery Agent (1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.12212852.10596623)
Major Number=100
Minor Number=8
critical=yes, Key Encipherment (0x20)
[1]SMIME Capability Object ID=1.2.840.113549.3.4 Parameters=02 02 00 80
[2]SMIME Capability Object ID=1.3.14.3.2.7
[3]SMIME Capability Object ID=1.2.840.113549.3.7

Boeing Medium CA Exchange
Intended use: Identifies the MAH SecureBadge CA for the purposes of key archival.
Business Rules: None specified
Authorized RAs: None
Public Key
CN=Boeing SecureBadge Medium G2, OU=certservers, O=Boeing, C=US
7 days
CN=Boeing SecureBadge Medium G2-Xchg, OU=certservers, O=Boeing, C=US
Extended
Private Key Archival (1.3.6.1.4.1.311.21.5)
Octet String
Octet String
crl
G2,ou=pki,ou=certservers,o=boeing,c=us?certificateRevocationList;binary
crt
URL=https://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.crt
URL=http://crl.boeing.com/crl/Boeing%20Medium%20Assurance%20Hardware%20issuing%20ca%20g3.p7c
G2,ou=pki,ou=certservers,o=boeing,c=us?cACertificate;binary
Template= CAExchange (1.3.6.1.4.1.311.21.8.4456910.5413282.8343170.10132414.1783414.214.1.26)
Major Number=106
Minor Number=1
Certificate Policies
(1.3.6.1.4.1.73.15.3.1.4)
(1.3.6.1.4.1.73.15.3.1.5)
(1.3.6.1.4.1.73.15.3.1.10)
Application Policies
Alternative Name
Policy Identifier=Private Key Archival
critical=yes, Key Encipherment (0x20)
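The hex value that follows each list of key usages in the profiles above is the first octet of the X.509 KeyUsage bit string. The following added example, which is not part of the Boeing document, decodes each value and checks it against the usage names and the Basic Constraints type given for that profile. The function names are hypothetical, the rows are copied from the profiles above, and a Basic Constraints type of None means the transcription states none for that profile.

```python
# First-octet bit values of the X.509 KeyUsage BIT STRING (RFC 5280, 4.2.1.3).
KEY_USAGE_BITS = {
    0x80: "digitalSignature", 0x40: "nonRepudiation",
    0x20: "keyEncipherment", 0x10: "dataEncipherment",
    0x08: "keyAgreement", 0x04: "keyCertSign",
    0x02: "cRLSign", 0x01: "encipherOnly",
}

# Display names as written in the profiles, mapped to RFC 5280 names.
# "Off-line CRL Signing" and "CRL Signing" both describe the cRLSign bit.
DISPLAY_NAMES = {
    "Digital Signature": "digitalSignature",
    "Non-Repudiation": "nonRepudiation",
    "Key Encipherment": "keyEncipherment",
    "Certificate Signing": "keyCertSign",
    "Off-line CRL Signing": "cRLSign",
    "CRL Signing": "cRLSign",
}

SIGNING = "Certificate Signing, Off-line CRL Signing, CRL Signing"
# (profile, listed usages, hex value, Basic Constraints type or None)
PROFILES = [
    ("Boeing PCA G2", "Digital Signature, Non-Repudiation, " + SIGNING, 0xC6, "CA"),
    ("Boeing PCA G2 to CBCA", SIGNING, 0x06, "CA"),
    ("Boeing SecureBadge Medium G2",
     "Digital Signature, Non-Repudiation, " + SIGNING, 0xC6, "CA"),
    ("Boeing Medium SecureBadge Identity", "Digital Signature", 0x80, None),
    ("Boeing Medium SecureBadge Signature",
     "Digital Signature, Non-Repudiation", 0xC0, None),
    ("Boeing Medium SecureBadge Encryption", "Key Encipherment", 0x20, None),
    ("Boeing Medium SecureBadge Card Authentication", "Digital Signature", 0x80, None),
    ("Boeing Medium Enrollment Agent", "Digital Signature", 0x80, None),
    ("Boeing Medium Content Signer", "Digital Signature", 0x80, None),
    ("Boeing Medium Key Recovery Agent", "Key Encipherment", 0x20, None),
    ("Boeing Medium CA Exchange", "Key Encipherment", 0x20, None),
]

def decode_key_usage(octet):
    """Return the RFC 5280 usage names whose bits are set in the octet."""
    return {name for bit, name in KEY_USAGE_BITS.items() if octet & bit}

def check_profile(listed, octet, bc_type):
    """Return findings for one profile row; an empty list means consistent."""
    findings = []
    names = [n.strip() for n in listed.split(",")]
    unknown = [n for n in names if n not in DISPLAY_NAMES]
    if unknown:
        findings.append("unrecognised usage name(s): " + ", ".join(unknown))
    named = {DISPLAY_NAMES[n] for n in names if n in DISPLAY_NAMES}
    decoded = decode_key_usage(octet)
    if named != decoded:
        findings.append("listed %s but 0x%02x decodes to %s"
                        % (sorted(named), octet, sorted(decoded)))
    # RFC 5280: keyCertSign must not be asserted unless the cA boolean is set.
    if "keyCertSign" in decoded and bc_type != "CA":
        findings.append("keyCertSign asserted without Type=CA")
    return findings

def audit(profiles):
    """Map profile name to findings, omitting profiles that are consistent."""
    results = {name: check_profile(listed, octet, bc)
               for name, listed, octet, bc in profiles}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    print(audit(PROFILES) or "all profiles consistent")
```

The same check can be run against a template export or an issued certificate's key usage octet to catch drift from the documented profile.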

Revision Record

Document Type Artifact
Changes in this version
Release Date 5/17/2018
/Revision 1.3
Changed " Templates" to " Profiles" to align with industry standards
Added object identifiers (OID) section
4/1/2018 v1.2 Update names for OIDs and revision due to CertiPath Interoperability report (OID and AIA changes)
5/17/2018 added proper descriptions to OIDs in the eku attribute; in the AIA attribute changed https to http in the P7C URL due to CA publishing limitation
Author and Contributors
Author: Matt Costello
Signatures for release
Approval: Signature on File
Authentication Controls
9/8/2016
Matthew W. Costello
Organization Date
Copyright 2016 The Boeing Company

Document Type Artifact
Changes in this version
Release Date 3/1/2016
/Revision 1.0
Initial version
Author and Contributors
Author:
Contributors: Dan Chock Matt Costello
Signatures for release
Approval: Signature on File
Authentication Controls
3/1/2016
Matthew W. Costello
Organization Date
Copyright 2016 The Boeing Company