The DutchGrid medium-security Certification Authority root certificate defines the keyUsage extensions "digitalSignature", "certificateSign", and "cRLSign" in the X.509v3 certificate extensions. The X.509 basic constraints extension is set to "CA:true". The Netscape certificate type is set to "SSL CA", "S/MIME CA", and "Object signing CA".
The certificates issued by the DutchGrid medium-security Certification Authority under this policy will have the basic constraints set to "CA:false", and the keyUsage bits set to "digitalSignature, nonRepudiation, dataEncipherment, keyEncipherment". Other X.509v3 extensions may be added. By default, certificates issued to hosts and servers will have a subjectAltName dNSName extension. The Netscape cert type may be set to "server, client, email".
The keyUsage field will be marked as critical.
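A relying party or auditor can check an issued certificate against this profile from the text dump produced by `openssl x509 -noout -text`. The following is an added example, not part of the policy or of DutchGrid's tooling; the function names and sample dumps are constructed, and it assumes the key usage set must match exactly and treats the default dNSName for hosts as required.

```python
import re

# Key usage bits the policy requires, as named in `openssl x509 -text` output.
REQUIRED_KU = {"Digital Signature", "Non Repudiation",
               "Data Encipherment", "Key Encipherment"}
HEADER = re.compile(r"\s+(X509v3 [A-Z][\w ]+):\s*(critical)?\s*$")

def parse_extensions(text):
    """Return {extension name: (critical, value line)} from the text dump."""
    lines, exts = text.splitlines(), {}
    for i, line in enumerate(lines[:-1]):
        m = HEADER.match(line)
        if m:
            exts[m.group(1)] = (m.group(2) is not None, lines[i + 1].strip())
    return exts

def check_profile(text, is_host):
    """List deviations of an issued certificate from the profile above."""
    exts, problems = parse_extensions(text), []
    if exts.get("X509v3 Basic Constraints", (False, ""))[1] != "CA:FALSE":
        problems.append("basicConstraints is not CA:false")
    critical, value = exts.get("X509v3 Key Usage", (False, ""))
    if not critical:
        problems.append("keyUsage is absent or not marked critical")
    if {b.strip() for b in value.split(",")} != REQUIRED_KU:
        problems.append("keyUsage bits differ from the profile")
    san = exts.get("X509v3 Subject Alternative Name", (False, ""))[1]
    if is_host and "DNS:" not in san:
        problems.append("host certificate has no subjectAltName dNSName")
    return problems

# Constructed samples (not real DutchGrid certificates).
GOOD_HOST = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:host.example.org
"""
BAD_HOST = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign
"""

if __name__ == "__main__":
    for name, dump in (("good", GOOD_HOST), ("bad", BAD_HOST)):
        print(name, check_profile(dump, is_host=True))
```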