Table of Contents
Advertisement
Because the renewal process requires end users to remember when their certificates
expire and renew them before the expiry date, some clients provide built-in
support for automated renewal. Inclusion of the certificate renewal window
extension in certificates is useful in a PKI setup with such clients; such a setup
eliminates the need for the owner of the certificate to manually submit a renewal
request to the CA and install the renewed certificate. For example, assume you
have deployed clients that can automatically submit certificate-renewal requests to
Certificate Management System. If you issue certificates with the certificate
renewal window extension to these clients, they can then read this extension for the
renewal window and automatically get the certificate renewed from the CA during
that window.
For a PKI setup without clients that can handle automated certificate renewals,
Certificate Management System enables administrators to easily manage certificate
renewals using the following features:
•
The renewal notification job, which reminds users to renew their certificates
before they expire.
•
The renewal constraints policy, which determines whether expired certificates
can be renewed; see "RenewalConstraints Plug-in Module" on page 101.
•
The renewal validity constraints policy, which controls when users can renew
their certificates and what should be the validity period in renewed certificates;
see "RenewalValidityConstraints Plug-in Module" on page 104.
Unlike some of the other policy modules, Certificate Management System does not
create an instance of the certificate renewal window extension policy during
installation. If you want the server to add this extension to certificates, you must
create an instance of the
For instructions, see section "Step 4. Add New Policy Rules" in Chapter 18,
"Setting Up Policies" of CMS Installation and Setup Guide.
Configuration Parameters of
CertificateRenewalWindowExt
In the CMS configuration file, the
identified as
<subsystem>.Policy.impl.CertificateRenewalWindowExt.
class=com.netscape.certsrv.policy.CertificateRenewalWindowExt
is
or
<subsystem>
ca
In the CMS window, the module is identified as
Figure 4-6 shows how the configurable parameters for the module are displayed in
the CMS window.
CertificateRenewalWindowExt
CertificateRenewalWindowExt
(prefix identifying the subsystem).
ra
Chapter 4
CertificateRenewalWindowExt Plug-in Module
module and configure it.
module is
CertificateRenewalWindowExt
Certificate Extension Plug-in Modules
, where
.
155
Advertisement
Table of Contents
