Netscape MANAGEMENT SYSTEM 4.5 - PLUG-IN Manual page 123

Chapter 3 Constraints Policy Plug-in Modules
ValidityConstraints Plug-in Module

The rule checks that the value of the notBefore attribute in the request is not more than leadTime minutes in the future; leadTime is a configurable parameter in the plug-in implementation. The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the future, and yet allows some amount of toleration of clock-skew problems. For example, if the current date and time is 01/15/2000 (mm/dd/yyyy) and 1:30 p.m., the value of the notBefore attribute is set to 3:00 p.m., and the leadTime is 10 minutes, then the request would fail, because the validity requested begins more than 10 minutes in the future.

The rule also checks that the value of the notBefore attribute in the request is not more than lagTime minutes in the past. For example, if the current date and time is 01/15/2000 (mm/dd/yyyy) and 1:30 p.m., the value of the notBefore attribute is set to 1:15 p.m., and the lagTime is set to 10 minutes, the request would fail because the user has requested a certificate 15 minutes in the past. Note that a request with notBefore set to 1:25 p.m. would have passed, however.

NOTE: When applying the validity constraints policy, the server does not check the lag time in all certificate requests. It checks the lag time only in those requests that are based on the CRMF protocol—currently, CRMF is the only enrollment format that allows an end entity to request a specific validity period with the notBefore attribute set to a time in the past.

You may apply this policy to end-entity certificate enrollment requests. It can be useful to restrict the length of the validity period for certificates issued by the server. For example, if you want users to renew their certificates at least once a year, you can set the maximum validity period to one year. If you want to limit the frequency of certificate renewals to keep down administrative costs, you can set the minimum validity period to six months.

By default, any validity requested in a certificate enrollment request cannot extend beyond the expiration time specified in the CA's signing certificate. If the Certificate Manager (CA) finds a request with a validity period extending beyond that of its CA signing certificate, it automatically truncates the validity period to end on the day the CA signing certificate expires. For example, if the CA signing certificate expires on June 10, 2004, any enrollment request with a validity period beyond June 10, 2004 will have its validity period truncated to end on June 10, 2004.
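The lead-time, lag-time, min/max validity and CA-expiry truncation behaviour described above, as an added Python model (not Netscape's own Java plug-in code); parameter names such as lead_time_min and the ordering of the min/max check relative to truncation are assumptions, and the scenarios reuse the page's figures (01/15/2000 1:30 p.m., 10-minute lead and lag times, a CA certificate expiring June 10, 2004).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Added illustration, not the product's plug-in code. Names are hypothetical
# but follow the page: leadTime/lagTime in minutes, validity bounds in days.
@dataclass
class ValidityConstraints:
    lead_time_min: int        # notBefore may be at most this far in the future
    lag_time_min: int         # notBefore may be at most this far in the past
    min_validity_days: int
    max_validity_days: int
    ca_not_after: datetime    # expiry of the CA signing certificate

    def evaluate(self, now: datetime, not_before: datetime, not_after: datetime,
                 is_crmf: bool) -> Tuple[bool, str, datetime]:
        """Return (accepted, reason, effective notAfter)."""
        # Lead-time check applies to every request.
        if not_before - now > timedelta(minutes=self.lead_time_min):
            return False, "notBefore begins too far in the future", not_after
        # Lag-time check only for CRMF, the one format that can request a
        # notBefore in the past (per the NOTE on the page).
        if is_crmf and now - not_before > timedelta(minutes=self.lag_time_min):
            return False, "notBefore begins too far in the past", not_after
        # Default behaviour: clip notAfter to the CA signing certificate's expiry.
        effective_not_after = min(not_after, self.ca_not_after)
        # Assumption: the min/max bounds are applied to the clipped period.
        validity = effective_not_after - not_before
        if validity < timedelta(days=self.min_validity_days):
            return False, "validity period shorter than minimum", effective_not_after
        if validity > timedelta(days=self.max_validity_days):
            return False, "validity period longer than maximum", effective_not_after
        return True, "ok", effective_not_after

def run_page_examples() -> Dict[str, Tuple[bool, str, datetime]]:
    """Constructed scenarios using the page's figures."""
    rule = ValidityConstraints(10, 10, 1, 365, datetime(2004, 6, 10))
    now = datetime(2000, 1, 15, 13, 30)
    half_year = timedelta(days=180)
    def req(nb, crmf=True):
        return rule.evaluate(now, nb, nb + half_year, crmf)
    return {
        "future_3pm": req(datetime(2000, 1, 15, 15, 0)),         # rejected: 90 min ahead
        "past_1_15pm_crmf": req(datetime(2000, 1, 15, 13, 15)),  # rejected: 15 min behind
        "past_1_25pm_crmf": req(datetime(2000, 1, 15, 13, 25)),  # accepted: within lagTime
        "past_1_15pm_non_crmf": req(datetime(2000, 1, 15, 13, 15), crmf=False),  # lag unchecked
        "beyond_ca_expiry": rule.evaluate(datetime(2004, 1, 1), datetime(2004, 1, 1),
                                          datetime(2005, 1, 1), True),  # notAfter clipped
    }
```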
