Name Constraints Extension Default - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Parameter
cRLSign
encipherOnly
decipherOnly
Table B.8. Key Usage Extension Default Configuration Parameters
B.1.9. Name Constraints Extension Default
This default attaches a Name Constraints extension to the certificate. The extension is used in CA
certificates to indicate a name space within which the subject names or subject alternative names in
subsequent certificates in a certificate chain should be located.
For general information about this extension, see
The following constraints can be defined with this default:
• Extension Constraint; see
• No Constraints; see
This default defines up to five locations for both the permitted subtree and the excluded subtree and
sets parameters for each location. The parameters are marked with an n in the table to show with
which location the parameter is associated.
Parameter
critical
PermittedSubtreesn.min
Section B.2.3, "Extension
Section B.2.6, "No Constraint".

Name Constraints Extension Default

Description
used for CA certificates. Select true to set the
option.
Specifies whether to set the extension for CA
signing certificates that sign CRLs. Select true
to set.
Specifies whether to set the extension if the
public key is only for encrypting data while
performing key agreement. If this bit is set,
keyAgreement should also be set. Select true
to set.
Specifies whether to set the extension if the
public key is only for decrypting data while
performing key agreement. If this bit is set,
keyAgreement should also be set. Select true
to set.
Section B.3.9, "nameConstraints".
Constraint".
Description
Select true to mark this extension critical; select
false to mark the extension noncritical.
Specifies the minimum number of permitted
subtrees.
• -1 specifies that the field should not be set in
the extension.
• 0 specifies that the minimum number of
subtrees is zero.
• n must be an integer that is greater than
zero. It sets the minimum required number of
subtrees.
435