Nameconstraints; Ocspnocheck; Policyconstraints - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

If the keyUsage extension is present, critical or not, it is used to select from multiple certificates for a
given operation. For example, it is used to distinguish separate signing and encryption certificates for
users who have separate certificates and key pairs for operations.
A.3.9. nameConstraints
A.3.9.1. OID
2.5.29.30
A.3.9.2. Criticality
PKIX Part 1 requires that this extension be marked critical.
A.3.9.3. Discussion
This extension, which can be used in CA certificates only, defines a name space within which all subject
names in subsequent certificates in a certification path must be located.
A.3.10. OCSPNocheck
A.3.10.1. OID
1.3.6.1.5.5.7.48.1.5
A.3.10.2. Criticality
This extension should be noncritical.
A.3.10.3. Discussion
The extension is meant to be included in an OCSP signing certificate. It tells an OCSP client that the
signing certificate can be trusted without querying the OCSP responder for its status (the reply would be
signed by the same OCSP responder, so the client would again have to check the validity of the signing
certificate, and so on without end). The extension value is the ASN.1 NULL; its meaning is determined by
its presence or absence.
Since the presence of this extension in a certificate will cause OCSP clients to trust responses signed
with that certificate, use of this extension should be managed carefully. If the OCSP signing key is
compromised, the entire process of validating certificates in the PKI will be compromised for the
duration of the validity period of the certificate. Therefore, certificates using OCSPNocheck should be
issued with short lifetimes and be replaced frequently.
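The following is an added example, not code from the Red Hat Certificate System manual. It encodes X.509 v3
extensions with a minimal DER codec, parses them back, and audits them for the two rules stated above:
nameConstraints must be critical, and id-pkix-ocsp-nocheck must be noncritical, NULL-valued and carried
only by a short-lived certificate. The sample extension values (a nameConstraints permitting the dNSName
example.com) are constructed here, and the 90-day ceiling for a nocheck certificate is an assumed local
policy, not a value from the manual.

```python
"""Build and audit X.509 v3 extensions (RFC 5280, RFC 6960) with a minimal DER codec."""

OID_NAME_CONSTRAINTS = "2.5.29.30"
OID_POLICY_CONSTRAINTS = "2.5.29.36"
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"   # id-pkix-ocsp-nocheck, RFC 6960 4.2.2.2.1
ASN1_NULL = b"\x05\x00"
MAX_NOCHECK_DAYS = 90   # assumed local policy: longest lifetime allowed for a nocheck responder cert


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> OID content octets (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(b: bytes) -> str:
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = der_tlv(0x06, encode_oid(oid))
    if critical:                       # DER omits the DEFAULT FALSE; TRUE is encoded as 0xFF
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, value))


def encode_extensions(exts) -> bytes:
    return der_tlv(0x30, b"".join(encode_extension(*e) for e in exts))


def parse_extensions(der: bytes):
    """Inverse of encode_extensions: returns a list of (oid, critical, value)."""
    tag, body, _ = parse_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = parse_tlv(body, pos)
        _, oid_bytes, p = parse_tlv(ext, 0)
        t, v, p = parse_tlv(ext, p)
        critical = False
        if t == 0x01:                  # optional BOOLEAN present
            critical, (t, v, p) = v == b"\xff", parse_tlv(ext, p)
        result.append((decode_oid(oid_bytes), critical, v))
    return result


def ca_extensions(nc_critical: bool):
    """Constructed sample for a CA cert: nameConstraints permitting dNSName example.com."""
    subtree = der_tlv(0x30, der_tlv(0x82, b"example.com"))     # GeneralSubtree { base: [2] dNSName }
    nc_value = der_tlv(0x30, der_tlv(0xA0, subtree))           # NameConstraints { permittedSubtrees [0] }
    return [(OID_NAME_CONSTRAINTS, nc_critical, nc_value)]


def ocsp_signer_extensions(nocheck_critical: bool):
    """Constructed sample for an OCSP signing cert carrying id-pkix-ocsp-nocheck."""
    return [(OID_OCSP_NOCHECK, nocheck_critical, ASN1_NULL)]


def audit(extensions_der: bytes, lifetime_days: int):
    """Apply the criticality and lifetime rules; returns a list of findings (empty means OK)."""
    findings = []
    by_oid = {oid: (crit, val) for oid, crit, val in parse_extensions(extensions_der)}
    nc = by_oid.get(OID_NAME_CONSTRAINTS)
    if nc and not nc[0]:
        findings.append("nameConstraints present but not marked critical (PKIX requires critical)")
    nocheck = by_oid.get(OID_OCSP_NOCHECK)
    if nocheck:
        critical, value = nocheck
        if critical:
            findings.append("id-pkix-ocsp-nocheck marked critical (should be noncritical)")
        if value != ASN1_NULL:
            findings.append("id-pkix-ocsp-nocheck value is not ASN.1 NULL")
        if lifetime_days > MAX_NOCHECK_DAYS:
            findings.append(f"nocheck cert valid {lifetime_days} days, policy ceiling {MAX_NOCHECK_DAYS}")
    return findings


if __name__ == "__main__":
    cases = [
        ("OCSP signer, nocheck critical, 5-year cert", encode_extensions(ocsp_signer_extensions(True)), 1825),
        ("OCSP signer, nocheck noncritical, 30-day cert", encode_extensions(ocsp_signer_extensions(False)), 30),
        ("CA, nameConstraints noncritical", encode_extensions(ca_extensions(False)), 3650),
    ]
    for label, der, days in cases:
        print(f"{label}: {audit(der, days) or 'OK'}")
```

The audit works on the bare Extensions SEQUENCE rather than a whole certificate, so the lifetime is passed in
separately; in a real deployment it would be computed from the certificate's notBefore and notAfter. The
encoder deliberately omits a FALSE criticality flag, which is what DER requires and what a strict parser
will expect when it sees a certificate emitted by the CA.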
A.3.11. policyConstraints
A.3.11.1. OID
2.5.29.36