1 authorityKeyIdentifier=keyid,issuer 2 basicConstraints=CA:FALSE 3 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment