Table of Contents
Advertisement
CertificateRenewalWindowExt Plug-in Module
same chapter. For example, if you want to include different policy statements in
different types of certificates, you should create multiple instances of the policy
module and configure each instance with the appropriate policy OID and predicate
expression.
CertificateRenewalWindowExt Plug-in Module
The
CertificateRenewalWindowExt
renewal window extension policy. This policy enables you to configure Certificate
Management System to add the Certificate Renewal Window Extension to certificates.
The extension, which must be noncritical, aids in managing the life cycle of a
certificate by specifying a process to follow for renewing a certificate and by
defining a time window when automatic renewal of the certificate should be
attempted.
Every certificate issued by Certificate Management System has a validity period
beyond which it cannot be used. In order to continue to participate in the PKI-using
system beyond this validity period, the entity owning the certificate must renew
the certificate. Renewal of a certificate essentially means getting a new certificate
for the existing key pair with a new validity time period (and updated attributes).
Once a certificate is issued, the owner of the certificate may attempt its renewal any
time. To prevent certificate owners from renewing their certificates too often and
thus reduce the overhead of processing new certificate requests, the CA can use a
policy that restricts the time period when certificate renewal may occur. For
example, the CA can use a policy that limits the renewal process to the last few
weeks or days of validity of the certificate, thus defining a certificate renewal
window. In general, the renewal window must be sufficient for the renewal to
occur, but at the same time delay the renewal as long as possible to best utilize a
certificate's life time.
The certificate-renewal process is often different than the enrollment process an
entity uses to obtain the certificate; this is because the entity already owns a key
pair that is associated with his or her identity. For example, in Certificate
Management System, the certificate-renewal process for end users is different than
the enrollment process they used to obtain the certificate. To renew their
certificates, end users go to the certificate-renewal interface of Certificate
Management System and submit their original certificates; for details, see section
"Authentication of End Users During Certificate Renewal" in Chapter 15, "Setting
Up End-User Authentication" of CMS Installation and Setup Guide.
154
Netscape Certificate Management System Plug-ins Guide • October 2001
plug-in module implements the certificate
Advertisement
Table of Contents
