Table of Contents
Advertisement
ExtendedKeyUsageExt Plug-in Module
For details on individual parameters defined in the rule, see Table 4-8 on page 164.
It is important that you review this rule and make the appropriate changes
required by your PKI setup. For instructions, see section "Step 2. Modify Existing
Policy Rules" in Chapter 18, "Setting Up Policies" of CMS Installation and Setup
Guide. For instructions on adding additional instances, see section "Step 4. Add
New Policy Rules" in the same chapter. For example, if you want to include
different CRL distribution points in different types of certificates, you should
create multiple instances of the policy module and configure each instance with the
appropriate CRL distribution point and predicate expression.
ExtendedKeyUsageExt Plug-in Module
The
ExtendedKeyUsageExt
extension policy. This policy enables you to configure Certificate Management
System to add the Extended Key Usage Extension defined in X.509 and PKIX
standard RFC 2459 (see
The extension identifies one or more purposes—in addition to or in place of the
basic purposes indicated in the key usage extension—for which the certified public
key may be used. For example, if the key usage extension identifies a key to be
used for signing, the extended key usage extension can further narrow down the
usage of the key for signing OCSP responses only or for signing Java applets only.
(For information on key usage extension, see "KeyUsageExt Plug-in Module" on
page 186.)
The PKIX standard suggests that organizations can define their own extended key
usage purposes, if there's a need. Each key purpose must be identified by an OID,
which in turn must be defined in accordance with IANA or ITU-T Rec. X.660 |
ISO/IEC/ITU 9834-1. The standard also recommends that the extension may be
marked either critical or noncritical—mark the extension critical if you want to
restrict the usage of the certificate only for one of the key-usage purposes indicated
by the extension; mark the extension noncritical, when you want it to indicate the
intended purposes of the key, and not restrict the use of the certificate to the
indicated purposes (in this case, validating applications are expected to treat the
extension as an advisory field and may use it to identify the key, not its usage
purpose).
Table 4-9 lists the usages defined by PKIX for use with the extended key usage
extension.
168
Netscape Certificate Management System Plug-Ins Guide • March 2002
plug-in module implements the extended key usage
http://www.ietf.org/rfc/rfc2459.txt
) to certificates.
Advertisement
Table of Contents
