Chapter 4, Certificate Extension Plug-in Modules: KeyUsageExt Plug-in Module

• The server is configured to set digitalSignature, nonRepudiation, keyCertsign, and cRLSign bits in CA signing certificates. Notice that the key-usage bits specified in the default policy rule match the bits specified in the enrollment form (ManCAEnroll.html) for requesting CA signing certificates (see Figure 4-13).

Figure 4-13 Key usage bit-specific variables in the Certificate Manager enrollment form

RMCertKeyUsageExt Rule

The policy rule named RMCertKeyUsageExt is an instance of the KeyUsageExt module. This rule is for setting the appropriate key-usage bits in Registration Managers' signing certificates; see section "Signing Key Pair and Certificate" in Chapter 14, "Managing CMS Keys and Certificates" of CMS Installation and Setup Guide. By default, the rule is configured as follows:

• The rule is enabled.
• The predicate expression (HTTP_PARAMS.certType==ra) ensures that the rule is applied only to Registration Manager signing certificate requests.
• The extension is marked noncritical (to comply with the PKIX recommendation).
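An added example, not taken from the CMS guide or from CMS itself: a standard-library Python check that decodes a DER-encoded key usage extension and reports where it departs from the four bits this page lists for CA signing certificates. The function names and the two sample byte strings are constructed for illustration, and the bit positions come from RFC 5280. The noncritical default is the one the page states for the Registration Manager rule; applying it to the CA sample is an assumption.

```python
KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 (id-ce-keyUsage)
# Bit order from RFC 5280 (not from the page); the page's keyCertsign is keyCertSign there.
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"]
CA_SIGNING_BITS = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}


def read_tlv(buf, pos, tag):
    """Read one short-form DER element; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    end = pos + 2 + buf[pos + 1]
    if buf[pos + 1] & 0x80 or end > len(buf):
        raise ValueError("long-form or truncated length")
    return buf[pos + 2:end], end


def parse_key_usage(ext_der):
    """Return (critical, set of bit names) from a DER Extension for KeyUsage."""
    seq, _ = read_tlv(ext_der, 0, 0x30)
    oid, pos = read_tlv(seq, 0, 0x06)
    if oid != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False  # BOOLEAN DEFAULT FALSE is omitted in DER
    if pos < len(seq) and seq[pos] == 0x01:
        flag, pos = read_tlv(seq, pos, 0x01)
        critical = flag != b"\x00"
    octets, _ = read_tlv(seq, pos, 0x04)
    bits, _ = read_tlv(octets, 0, 0x03)
    if len(bits) < 2:
        raise ValueError("empty KeyUsage bit string")
    payload = bits[1:]  # bits[0] counts unused trailing bits, which are zero in DER
    names = {name for i, name in enumerate(BIT_NAMES)
             if i // 8 < len(payload) and payload[i // 8] & (0x80 >> (i % 8))}
    return critical, names


def audit_key_usage(ext_der, expected_bits, expect_critical=False):
    """List deviations from the expected bits and criticality flag."""
    critical, names = parse_key_usage(ext_der)
    findings = ["missing bit: " + b for b in sorted(expected_bits - names)]
    findings += ["unexpected bit: " + b for b in sorted(names - expected_bits)]
    if critical != expect_critical:
        findings.append("critical flag is %s" % critical)
    return findings

# Constructed samples: noncritical with all four bits; critical and lacking cRLSign.
GOOD_EXT = bytes.fromhex("300b0603551d0f0404030201c6")
BAD_EXT = bytes.fromhex("300e0603551d0f0101ff0404030202c4")
```

An empty list from audit_key_usage means the extension carries exactly the expected bits with the expected criticality.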