The DutchGrid medium-security Certification Authority root-certificate defined keyUsage extensions "digitalSignature", "certificateSign", and "cRLSign" in the X./509v3 certificate extensions. The X.509 basic constraints is set to "CA:true". the Netscape certificate type is set to "SSL CA", "S/MIME CA", and "Object signing CA".
The certificates issued by the DutchGrid medium-security Certification Authority under this policy will have the basic constraints set to "CA:false", and the keyUsage bits set to "digitalSignature, nonRepudiation, dataEncypherment, keyEncyphterment". The Netscape cert type is set to "server, client, email".
The keyUsage field may be marked as critical on request of the subscriber.