AuthorityKeyIdentifier
	{
	keyIdentifier		[0] OCTET_STRING	OPTIONAL
	authorityCertIssuer	[1] GeneralNames	OPTIONAL
	authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL
	}

SubjectKeyIdentifier	OCTET_STRING

KeyUsage
	{
	BIT_STRING
		digitalSignature	0
		nonRepudiation		1
		keyEncipherment		2
		dataEncipherment	3
		keyAgreement		4
		keyCertSign		5
		cRLSign			6
		encipherOnly		7
		decipherOnly		8
	}

extKeyUsage
	{
	SEQUENCE of OBJECT_IDENTIFIER
	}

privateKeyUsagePeriod
	{
	notBefore	[0]	GeneralizedTime OPTIONAL
	notAfter	[1]	GeneralizedTime OPTIONAL
	}

certificatePoliciesSyntax
	SEQUENCE of PoliciesInformation

PoliciesInformation	XXX
policyMappings		XXX
supportedAlgorithms	XXX

subjectAltName
	GeneralNames sequence of GeneralName

GeneralName
	{
	otherName	[0] INSTANCE OF OTHER-NAME
	rfc882Name	[1] IA5String
	dNSName		[2] IA5String
	x400Address	[3] ORAddress
	directoryName	[4] Name
	ediPartyName	[5] 
				{
				nameAssigner	[0] DirectoryString OPTIONAL
				partyName	[1] DirectoryString
				}
	uniformResourceIdentifier [6] IA5String
	iPAddress	[7] OCTET_STRING
	registeredID	[8] OBJECT_IDENTIFIER
	}

issuerAltName
	GeneralNames sequence of GeneralName

subjectDirectoryAttribute SEQUENCE of Attribute

basicConstraints
	{
	cA 			BOOLEAN default FALSE
	pathLenConstraint	INTEGER OPTIONAL
	}

nameConstraints
	{
	permittedSubtrees [0] sequence of GeneralSubtree OPTIONAL
	excludedSubtrees [1] sequence of GeneralSubtree OPTIONAL
	}

GeneralSubtree
	{
	base	GeneralName
	minimum	[0] BaseDistance DEFAULT 0
	maximum	[1] BaseDistance OPTIONAL
	}

PolicyConstraints
	{
	requiredExplicitPolicy	[0] SkipCerts OPTIONAL
	inhibitPolicyMapping	[1] SkipCerts OPTIONAL
	}
SkipCerts == INTEGER