Policy Rules - Netscape MANAGEMENT SYSTEM 6.1 - Administrator's Manual

- Screen the request for specific content, and modify, reject, or defer (for agent
  approval) it accordingly. For example, the request might be checked for the
  inclusion of organizational constraints, such as key algorithm, key size,
  validity period, or a particular signing algorithm; if it did not meet the
  requirement, the subsystem would modify the request or return an error,
  depending on the severity of the problem.
- Set common attributes, such as extensions for user and server certificate
  requests.

Policy Rules

A policy rule refers to a uniquely configured instance of any policy plug-in
implementation. For example, you can use the plug-in module provided for setting
validity periods on certificates to configure a policy rule that forces validity periods
for all client certificates issued by a Certificate Manager to fall within a
predetermined range, say between 6 and 24 months. A subsystem's policy
configuration can consist of one or more policy rules, each performing one or more
of the following operations:

- Validate the request content by comparing it with configured criteria; reject,
  modify, or defer (for agent approval) the request if any of the request
  parameters are invalid.
- Build certificate content—for example, set common extensions and the validity
  period.
- Enforce organizational constraints, such as subject name, key algorithm, key
  size, and validity period.
- Determine whether the private key should be archived.

Keep in mind that the server applies the rules when processing end-entity requests
and after agent approval (for deferred requests).
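
An added example, not part of the Netscape manual and not the CMS plug-in API: a small Python model of how a chain of policy rules can validate, modify, defer, or reject a request, using the 6 to 24 month validity range from the text. The type and rule names, the RSA/2048-bit constraint, the subject suffix, and the treatment of agent approval (it clears only a deferral) are assumptions.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Outcome(IntEnum):          # ordered by severity
    ACCEPT = 0
    MODIFY = 1
    DEFER = 2                    # hold for agent approval
    REJECT = 3

@dataclass(frozen=True)
class CertRequest:               # constructed model, not a CMS type
    subject: str
    key_algorithm: str
    key_bits: int
    validity_months: int

def validity_rule(req, lo=6, hi=24):
    # Modify: clamp validity into the 6-24 month range from the text.
    clamped = min(max(req.validity_months, lo), hi)
    if clamped == req.validity_months:
        return Outcome.ACCEPT, req
    return Outcome.MODIFY, replace(req, validity_months=clamped)

def key_rule(req, allowed=("RSA",), min_bits=2048):
    # Reject: algorithm or key size outside the assumed constraint.
    ok = req.key_algorithm in allowed and req.key_bits >= min_bits
    return (Outcome.ACCEPT if ok else Outcome.REJECT), req

def subject_rule(req, suffix="O=Example Corp"):
    # Defer: an unexpected subject name goes to an agent for review.
    ok = req.subject.endswith(suffix)
    return (Outcome.ACCEPT if ok else Outcome.DEFER), req

def evaluate(req, rules, agent_approved=False):
    """Run every rule; return (worst outcome, possibly modified request).

    Rules also run after agent approval; in this model approval only
    clears DEFER, so REJECT and MODIFY still apply to approved requests.
    """
    worst = Outcome.ACCEPT
    for rule in rules:
        outcome, req = rule(req)
        if outcome is Outcome.REJECT:
            return outcome, req
        if outcome is Outcome.DEFER and agent_approved:
            outcome = Outcome.ACCEPT
        worst = max(worst, outcome)
    return worst, req

RULES = [key_rule, validity_rule, subject_rule]
```
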

Types of Policy Rules

CMS supports distinct policy rules for each of the operations that end-entities
perform—certificate enrollment, renewal, and revocation, and key archival and
recovery. Consequently, there are five broad categories of policies, corresponding
to these types of operations:

- Enrollment policies
- Renewal policies

Chapter 11, Policies: Introduction to Policy