Table of Contents
Advertisement
CRLSignCertKeyUsageExt
The policy rule named
KeyUsageExt
CRL signing certificate. By default, the rule is configured as follows:
•
The rule is enabled.
•
The predicate expression
(
applied to only CRL signing certificate requests.
•
The server is configured to set the
NameConstraintsExt Plug-in Module
The
NameConstraintsExt
extension policy. This policy enables you to configure Certificate Management
System to add the Name Constraints Extension defined in X.509 and PKIX standard
RFC 2459 (see
extension is used in CA certificates to indicate a name space within which subject
names or subject alternative names in subsequent certificates in a certification path
or chain should be located.
Various standards describe how the name constraints extension should be
processed during certificate verification. It's beyond the scope of this document to
explain this. For general guidelines on setting the name constraints extension in
certificates, see "nameConstraints" on page 350.
The policy implemented in Certificate Management System allows setting of the
name constraints extension in any form as defined in its X.509 definition; the policy
enables you to specify the number of subtrees permitted and excluded in the
extension. It is up to applications to process the extension as described in the
standards.
During installation, Certificate Management System automatically creates an
instance of the name constraints extension policy. See "NameConstraintsExt Rule"
on page 207.
CrlSignCertKeyUsageExt
module. This rule is for setting the appropriate key-usage bits in a
predicate=HTTP_PARAMS.certType==caCrlSigning
http://www.ietf.org/rfc/rfc2459.txt
bit in CRL signing certificates.
cRLSign
plug-in module implements the name constraints
Chapter 4
NameConstraintsExt Plug-in Module
is an instance of the
) ensures that the rule is
) to certificates. The
Certificate Extension Plug-in Modules
199
Advertisement
Table of Contents
