Chapter 2. Making Rules for Issuing Certificates
that certificate. Check the constraints set on the CA signing certificate before changing the issuing
rules for a subordinate CA.
To change the certificate issuance rules, do the following:
1. Open the Certificate System Console.
pkiconsole https://server.example.com:9445/ca
2. Select the Certificate Manager item in the left navigation tree of the Configuration tab.
Figure 2.1. The General Settings Tab
3. The General Settings tab of the Certificate Manager contains the following fields:
• Override validity nesting requirement. This checkbox sets whether the Certificate Manager
can issue certificates with validity periods longer than the CA signing certificate validity period.
If this checkbox is not selected and the CA receives a request with a validity period longer than
the CA signing certificate's validity period, it automatically truncates the validity period to end on
the day the CA signing certificate expires.
• Certificate Serial Number. These fields display the serial number range for certificates issued
by the Certificate Manager. The server assigns the serial number in the Next serial number
field to the next certificate it issues and the number in the Ending serial number field to the
last certificate it issues.
The serial number range allows multiple CAs to be deployed and balances the number of
certificates each CA issues. The combination of an issuer name and a serial number uniquely
identifies a certificate.
NOTE
The serial number ranges with cloned CAs are fluid. All cloned CAs share a
common configuration entry which defines the next available range. When one
CA starts running low on available numbers, it checks this configuration entry and
claims the next range. The entry is automatically updated, so that the next CA gets
a new range.
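The following Python check is an added example, not part of the Certificate System documentation or product code. It models the validity truncation rule and audits an exported inventory of issued certificates for validity that outlives the CA signing certificate, serial numbers outside a CA's assigned range, and reused issuer name and serial number pairs. The record fields, instance names, issuer, ranges and dates are constructed, and it assumes cloned CAs sign under the same issuer name.

```python
from datetime import datetime

def effective_not_after(requested, ca_not_after, override_nesting=False):
    """Validity nesting: unless the override is set, an end date past the
    CA signing certificate's expiry is truncated to that expiry."""
    if override_nesting or requested <= ca_not_after:
        return requested
    return ca_not_after

def audit(certs, ca_not_after, ranges):
    """Return (serial, finding) pairs for an issued-certificate inventory.
    ranges maps each CA instance to its inclusive (first, last) serial range."""
    findings, seen = [], set()
    for c in certs:
        key = (c["issuer"], c["serial"])
        if key in seen:  # issuer name + serial must identify one certificate
            findings.append((c["serial"], "DUPLICATE_ISSUER_SERIAL"))
        seen.add(key)
        first, last = ranges[c["instance"]]
        if not first <= c["serial"] <= last:
            findings.append((c["serial"], "SERIAL_OUT_OF_RANGE"))
        if c["not_after"] > ca_not_after:  # not nested in the CA's validity
            findings.append((c["serial"], "VALIDITY_PAST_CA_EXPIRY"))
    return findings

# Constructed sample data (hypothetical instance names, issuer and dates).
CA_NOT_AFTER = datetime(2030, 1, 1)
RANGES = {"ca-master": (1, 1000), "ca-clone": (1001, 2000)}
ISSUER = "CN=Example CA"
CERTS = [
    {"instance": "ca-master", "issuer": ISSUER, "serial": 5,
     "not_after": datetime(2027, 6, 1)},
    {"instance": "ca-master", "issuer": ISSUER, "serial": 6,
     "not_after": datetime(2031, 6, 1)},   # outlives the CA certificate
    {"instance": "ca-clone", "issuer": ISSUER, "serial": 1001,
     "not_after": datetime(2028, 1, 1)},
    {"instance": "ca-clone", "issuer": ISSUER, "serial": 5,
     "not_after": datetime(2028, 1, 1)},   # reused serial, wrong range
]

if __name__ == "__main__":
    for serial, finding in audit(CERTS, CA_NOT_AFTER, RANGES):
        print(f"serial {serial}: {finding}")
```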