Extension-Specific Policy Module Reference; Authinfoaccessext - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Extension-Specific Policy Module Reference

Extension-Specific Policy Module Reference
To enable you to add standard and private extensions to end-entity certificates, CS provides
a set of policy plug-in modules; each module enables you to add a particular extension to a
certificate request.
When deciding whether to add any of the X.509 v3 certificate extensions, keep in mind that
not all applications support X.509 v3 extensions. Among the applications that do support
extensions, not all applications will recognize every extension.
You can use these modules to configure a Certificate Manager and Registration Manager to
add extensions to certificates. Both subsystems add extensions to a certificate request when
it undergoes policy processing. Keep in mind that the changes made to a request by a
Registration Manager may be overwritten by a Certificate Manager when it subjects the
request to its own policy checks.
In general, you should make custom extensions noncritical if you want your certificates
supported by other applications. (Other applications most likely will not understand your
extension.)
By default, only noncritical extensions are added to certificates. This ensures that the
resulting certificates can be used with all clients. If you add a critical extension, the
resulting certificate can only be used by clients that support that extension.
Additionally, the server also provides a module for adding any custom, ASN.1 type
extensions. If you determine that the default policy modules do not meet your requirements
entirely, you can develop a custom module using CS SDK.

AuthInfoAccessExt

The plug-in module enables you to add the Authority Information
AuthInfoAccessExt
Access Extension. The extension specifies how an application validating a certificate can
access information, such as on-line validation services and CA policy statements, about the
CA that has issued the certificate. Note that this extension should not be used to point
directly to the CRL location maintained by a CA; the CRL Distribution Points extension
explained in "CRLDistributionPointsExt" on page 501 allows you to reference to CRL
locations.
For general information about this extension, see "authorityInfoAccess" on page 731.
During installation, CS automatically creates an instance of the authority information access
extension policy, named , that is disabled by default.
AuthInfoAccessExt
Chapter 12 Policies 489