Netscape MANAGEMENT SYSTEM 6.01 - PLUG-IN Manual page 187

Note that you can specify which bits in the extension are to be set on both server
and client sides:
• On the server side, you set the bits by modifying the appropriate configuration
parameters that are defined in the key usage extension policy.
• On the client side, bits set in the key usage extension are formed from
pre-defined HTTP input variables that can be embedded as hidden values in
the enrollment forms. You specify which bits are to be set by adding the
appropriate HTTP variables to the enrollment forms. Table 4-14 lists the HTTP
input variables that correspond to key usage extension bits.
NOTE For all certificates, the key-usage-bits set on the server side (which
is governed by the policy) override the ones set on the client side.
Table 4-14 HTTP input variables for key usage extension bits
HTTP input variable
digital_signature
non_repudiation
key_encipherment
data_encipherment
key_agreement
key_certsign
crl_sign
encipher_only
decipher_only
During installation, Certificate Management System automatically creates multiple
instances of the key usage extension policy suitable for various types of certificates
that you may want the server to issue. The default instances are named as follows:
• CMCertKeyUsageExt (For details, see "CMCertKeyUsageExt Rule" on
page 193.)
• RMCertKeyUsageExt (For details, see "RMCertKeyUsageExt Rule" on
page 194.)
Key usage extension bit
digitalSignature (bit 0)
nonRepudiation (bit 1)
keyEncipherment (bit 2)
dataEncipherment (bit3)
keyAgreement (bit4)
keyCertsign (bit5)
cRLSign (bit6)
encipherOnly (bit7)
decipherOnly (bit8)
Chapter 4 Certificate Extension Plug-in Modules
KeyUsageExt Plug-in Module
187