ObjSignCertKeyUsageExt Rule - Netscape Management System 4.5 - Plug-in Manual

Each of these forms embeds HTTP input variables (for key-usage bits) that are
considered appropriate for the certificate being requested using that form. If you
want, you may create additional instances of the key usage extension policy, one
for each client certificate enrollment form, and configure these instances as
appropriate. Be sure to use the correct predicate expression to distinguish the
certificates, so that incorrect bits are not set.

ObjSignCertKeyUsageExt Rule

The policy rule named ObjSignCertKeyUsageExt is an instance of the KeyUsageExt
module. This rule is for setting the appropriate key-usage bits in
object signing certificates. By default, the rule is configured as follows:

The rule is enabled.
The predicate expression (predicate=HTTP_PARAMS.certType==objSignClient) ensures that the rule is applied to only object signing certificate requests.
The extension is marked noncritical (to comply with the PKIX recommendation).
The server is configured to set digitalSignature and keyCertsign bits in object-signing certificates. Notice that the key-usage bits specified in the default policy rule match the bits specified in the enrollment form (ManObjSignEnroll.html) for requesting object-signing certificates (see Figure 4-17).

Figure 4-17 Key usage extension bits in the object signing certificate enrollment form

Chapter 4, Certificate Extension Plug-in Modules: KeyUsageExt Plug-in Module
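
One way to audit that an issued object-signing certificate carries what the default rule describes (a noncritical key usage extension with only digitalSignature and keyCertsign set). This is an added example, not code from the manual or the product; the function names and the sample bytes are constructed for illustration, and the bit names follow RFC 5280, where the manual's keyCertsign is spelled keyCertSign.

```python
KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER of OID 2.5.29.15 (id-ce-keyUsage)
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
             "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
EXPECTED = {"digitalSignature", "keyCertSign"}  # bits the default rule sets

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a short-form length."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a KeyUsage extension")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + 2:end], end

def parse_key_usage(ext_der):
    """Decode one DER Extension; return (critical, set of asserted key-usage bits)."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30 or not body.startswith(KEY_USAGE_OID):
        raise ValueError("not a KeyUsage extension")
    pos, critical = len(KEY_USAGE_OID), False
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN; when absent, critical defaults to FALSE
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing extnValue OCTET STRING")
    tag, bits, _ = read_tlv(value, 0)
    if tag != 0x03 or len(bits) < 2:
        raise ValueError("extnValue is not a non-empty BIT STRING")
    unused, payload = bits[0], bits[1:]
    total = len(payload) * 8 - unused  # number of meaningful bits
    asserted = {BIT_NAMES[i] for i in range(min(total, len(BIT_NAMES)))
                if payload[i // 8] & (0x80 >> (i % 8))}
    return critical, asserted

def audit(ext_der):
    """List deviations from the default rule (noncritical, EXPECTED bits only)."""
    critical, asserted = parse_key_usage(ext_der)
    findings = ["extension is critical"] if critical else []
    findings += [f"missing bit: {b}" for b in sorted(EXPECTED - asserted)]
    findings += [f"unexpected bit: {b}" for b in sorted(asserted - EXPECTED)]
    return findings

# Constructed samples: the default-rule shape, and a critical one with an extra bit.
GOOD = bytes.fromhex("300b0603551d0f040403020284")
BAD = bytes.fromhex("300e0603551d0f0101ff0404030202a4")
```

RFC 5280 requires that keyCertSign be asserted only in certificates whose basicConstraints extension marks them as a CA, so validators that enforce this may reject an end-entity certificate issued with this default.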
